What is pupdate.exe?
pupdate.exe is part of Internet Explorer and developed by Microsoft Corporation according to the pupdate.exe version information.
pupdate.exe's description is "Win32 Cabinet Self-Extractor "
pupdate.exe is digitally signed by TERSER TUDE LTD.
pupdate.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected pupdate.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Vendor and version information [?]
The following is the available information on pupdate.exe:
| Property | Value |
|---|---|
| Product name | Internet Explorer |
| Company name | Microsoft Corporation |
| File description | Win32 Cabinet Self-Extractor |
| Internal name | Wextract |
| Original filename | WEXTRACT.EXE .MUI |
| Legal copyright | © Microsoft Corporation. All rights reserved. |
| Product version | 11.00.15063.0 |
| File version | 11.00.15063.0 (WinBuild.160101.0800) |
Here's a screenshot of the file properties when displayed by Windows Explorer:
| Product name | Internet Explorer |
| Company name | Microsoft Corporation |
| File description | Win32 Cabinet Self-Extractor .. |
| Internal name | Wextract |
| Original filename | WEXTRACT.EXE .MUI |
| Legal copyright | © Microsoft Corporation. All rights.. |
| Product version | 11.00.15063.0 |
| File version | 11.00.15063.0 (WinBuild.160101.0800) |
Digital signatures [?]
pupdate.exe has a valid digital signature.
| Property | Value |
|---|---|
| Signer name | TERSER TUDE LTD |
| Certificate issuer name | DigiCert EV Code Signing CA (SHA2) |
| Certificate serial number | 0dca26c9a2db5e5edd0e49f9790612cf |
VirusTotal report
10 of the 72 anti-virus programs at VirusTotal detected the pupdate.exe file. That's a 14% detection rate.
| Scanner | Detection Name |
|---|---|
| CAT-QuickHeal | Trojan.Agent |
| Comodo | ApplicUnwnt@#14jdu3q053jzt |
| Cyren | W32/Trojan.ARRO-0864 |
| ESET-NOD32 | MSIL/Somoto.A potentially unwanted |
| Ikarus | PUA.MSIL.Somoto |
| K7AntiVirus | Adware ( 00549ceb1 ) |
| K7GW | Adware ( 00549ceb1 ) |
| Malwarebytes | PUP.Optional.AppSync.TskLnk |
| Microsoft | PUA:Win32/Somoto |
| Sophos | Generic PUA MG (PUA) |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\TMP4351$.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"\\Device\\KsecDD"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe"
],
"dll_loaded": [
"imagehlp.dll",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"DNSAPI.dll",
"SHELL32.dll",
"dwmapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\system32\\advpack.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll",
"ncrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"crypt32.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"SspiCli.dll",
"advapi32.dll",
"psapi.dll",
"SHLWAPI.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll",
"USER32.dll",
"C:\\Windows\\syswow64\\CRYPT32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\System32\\wship6.dll",
"feclient.dll",
"setupapi.dll",
"iphlpapi.dll",
"CFGMGR32.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
"urlmon.dll",
"ntdll",
"apphelp.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll",
"kernel32.dll",
"oleaut32.dll",
"SensApi.dll",
"ntdll.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"cryptsp.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"IPHLPAPI.DLL",
"RichEd20.dll",
"uxtheme.dll",
"winhttp.dll",
"profapi.dll",
"comctl32.dll",
"RpcRtRemote.dll",
"WINTRUST.DLL",
"C:\\Windows\\system32\\cryptnet.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll",
"DEVRTL.dll",
"Cabinet.dll",
"user32.dll",
"WINHTTP.dll",
"gdi32.dll",
"ws2_32.dll",
"bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"CRYPTSP.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"ole32.dll",
"NSI.dll",
"mscorsec.dll",
"SXS.DLL",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll",
"ADVAPI32.dll",
"WS2_32.dll",
"gdiplus.dll",
"C:\\Windows\\system32\\advapi32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"imm32.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"cryptnet.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Runtime.Seri#\\4a984a9ad59d14063bc6ae64a0c8f62a\\System.Runtime.Serialization.ni.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"version.dll",
"shell32.dll",
"OLEAUT32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"RPCRT4.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"sxs.dll",
"mscoree.dll",
"C:\\Windows\\system32\\mswsock.dll",
"AdvApi32.dll"
],
"file_opened": [
"C:\\Windows\\Fonts\\msyh.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\Fonts\\tahoma.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Fonts\\msjh.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Windows\\Fonts\\malgun.ttf",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config",
"C:\\Windows\\Fonts\\micross.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Windows\\Fonts\\segoeui.ttf",
"C:\\Windows",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\UrlDllGetObjectUrl",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllPutSignedDataMsg",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\00000005",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\UrlDllGetObjectUrl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllEncodeObjectEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{06C9E010-38CE-11D4-A2A3-00104BD35090}",
"HKEY_CLASSES_ROOT\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InprocServer32",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllVerifyEncodedSignature",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_CLASSES_ROOT\\AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_CURRENT_USER\\EUDC\\1252",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllConvertPublicKeyInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\TVO",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.System.Runtime.Serialization__b77a5c561934e089",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_CLASSES_ROOT\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.1.1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\33abb01d\\69ef69c7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllConvertPublicKeyInfo",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyRevocation",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.SMDiagnostics__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\do\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_CLASSES_ROOT\\do",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\SchemeDllRetrieveEncodedObjectW",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\TimeValidDllGetObject",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy",
"HKEY_CLASSES_ROOT\\AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1A610570-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\ChainEngine\\Config",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{846EE342-7039-11DE-9D20-806E6F6E6963}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllGetSignedDataMsg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\do",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{000C10F1-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\ContextDllCreateObjectContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.11",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\TimeValidDllGetObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx2",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllVerifyEncodedSignature",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\SchemeDllRetrieveEncodedObjectW",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.12",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\ContextDllCreateObjectContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v4.0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllVerifyIndirectData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.4",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.5.System.Core__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation\\DEFAULT",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Advanced INF Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
],
"resolves_host": [
"ocsp.digicert.com",
"crl4.digicert.com",
"crl3.digicert.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
"C:\\Windows\\Fonts\\ahronbd.ttf",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Windows\\inf\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.PDB",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"mutex": [
"Global\\.net clr networking"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\2659C1A560AB92C9C29D4B2B25815AE8",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_3F584A3392BB586FC541F0F81FC9D443",
"C:\\Windows\\symbols\\dll\\mscorlib.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0270780F846F08BEFE0DD8112D932FEF",
"C:\\Windows\\symbols\\exe\\AppSync.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.pdb",
"C:\\Windows\\exe\\AppSync.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Windows\\dll\\mscorlib.pdb",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_DD7CBED22FCB4DBB59011DF9ECBBC293",
"C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\config.txt",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6E47DC54834F661FE77B461D2DF73D9D",
"C:\\Windows\\AppSync.pdb",
"C:\\Windows\\mscorlib.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\ToUnzip\\pref.txt",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_943A1DFFA777580B483765AB2C11CA95",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\782AC1F7D5B160B0F71F6F92B0912799",
"C:\\Users\\cuck\\AppData\\Roaming\\AppMaster\\pref.txt",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdb"
],
"wmi_query": [
"select * from Win32_OperatingSystem",
"SELECT * FROM Win32_PhysicalMedia",
"Select ProcessorId From Win32_processor"
],
"guid": [
"{00000000-0000-0000-c000-000000000046}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{8856f961-340a-11d0-a96b-00c04fd705a2}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{871c5380-42a0-1069-a2ea-08002b30309d}",
"{000214e6-0000-0000-c000-000000000046}",
"{00000001-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\409ACDAA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\\1.1\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\SMDiagnostics,3.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Advanced INF Setup\\AdvpackLogFile",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization,3.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus\\FontCachePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\NavigationDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InProcServer32\\Class",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\svcVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Core,3.5.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0\\mscorwks.dll",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_*",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Serialization\\3.0.0.0__b77a5c561934e089\\System.Runtime.Serialization.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.INI",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.INI",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP"
]
}Dropped
[
{
"yara": [],
"sha1": "ac9fce1ca9c8688ad9e2719d71e5aefc3e5571bd",
"name": "74f81af2f738bb99_retake.css",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"type": "ASCII text, with CRLF line terminators",
"sha256": "74f81af2f738bb995aadc325b7ba48c14587c767e9c12256e10fe7434343ae26",
"urls": [],
"crc32": "C84B849D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/74f81af2f738bb99_retake.css",
"ssdeep": null,
"size": 1996,
"sha512": "0ab07f5d6b6d587f6a84d5e0b0bd3759607618e864df43abbfcb2c831e0ed98be2fe9e093b7546c5c451b5fae647a0ea4a07b3ee3faf7195eda8c344430f15be",
"pids": [
2816
],
"md5": "586303d7a26f62bc73e3d5b2fc855c54"
},
{
"yara": [],
"sha1": "cf925fc512b936fe7d44ceb6e999e4a020ed6ff0",
"name": "4c9c4d831d61c8c3_CabA6D3.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"type": "Microsoft Cabinet archive data, 56952 bytes, 1 file",
"sha256": "4c9c4d831d61c8c38b2513f9b431ef4f4cf6af9fb18a2317cd2178d6e0997822",
"urls": [],
"crc32": "5168F337",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/4c9c4d831d61c8c3_CabA6D3.tmp",
"ssdeep": null,
"size": 56952,
"sha512": "65dc435f6d3e1afd347ba1617a3eee59c6660f221faa36456a09e307d434d7276e8095e8aa34d59933e685a9f84564ec783e59ae9658791f7ebdbbc2eda32f7a",
"pids": [
1676
],
"md5": "04d79a0dc77a8f449cbff6252862d398"
},
{
"yara": [],
"sha1": "6f93267f1ec87b812f84943239a86b7b885fe7ae",
"name": "87908dc75d88431a_brand.js",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"type": "ASCII text",
"sha256": "87908dc75d88431abeabe25cb26e98db2c5d84db22346aaa03fb85d434045f9e",
"urls": [
"http:\/\/pdfpro100.com\/",
"http:\/\/www.",
"http:\/\/pdfpro100.com\/eula.html"
],
"crc32": "2C26EE5E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/87908dc75d88431a_brand.js",
"ssdeep": null,
"size": 2165,
"sha512": "9eed2018b3bc095a4cb3371a0b017c64390e19a4cb1f7d140818d0baa4eae6812828852ab3ebe518bc07d79a40628e5fcbbf22c271873489f7cff34779fa330e",
"pids": [
2816
],
"md5": "420c83217cadf93d566f46c0e85c22a0"
},
{
"yara": [],
"sha1": "b6c3783716a43f0294e8fca008acddd22a169150",
"name": "c7f6d5516f4d81e5_install.js",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"type": "ASCII text, with CRLF line terminators",
"sha256": "c7f6d5516f4d81e53542c0ea635fa636f5e267ea12cd62574cb44a2d0ee54cf7",
"urls": [],
"crc32": "3A80011F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/c7f6d5516f4d81e5_install.js",
"ssdeep": null,
"size": 5146,
"sha512": "b5d367b6f9254ee1b0ed82d06e1212b7bd698e0dc8a0d006bcbbc9cad37be2e6e7ef25cd579cab0b692a977d43aa81b42da484b50247a8dfc0a45e00d940c4d4",
"pids": [
2816
],
"md5": "bdcf87e9314d51510eaccba2be09e727"
},
{
"yara": [],
"sha1": "305ee32875bbcceed33b60a77ea509ed22f16379",
"name": "71c0c7cc191a2cbf_bg.jpg",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"type": "JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 1500x844, frames 3",
"sha256": "71c0c7cc191a2cbf3ddf033ca7ba97adb46a04284f014c667574c1bf1fb0f1f3",
"urls": [
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef",
"http:\/\/ns.adobe.com\/xap\/1.0\/"
],
"crc32": "C6264637",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/71c0c7cc191a2cbf_bg.jpg",
"ssdeep": null,
"size": 72441,
"sha512": "4d0a4ab42423592b431534a9ad8991e139c09c9f501fe67867773ea07ef63e8719e4105b9d154fae467a3b65be07cedd1ce869a00b7fdd815059ff0044b2e0de",
"pids": [
2816
],
"md5": "410e67276b4c3a0ad73bc3eecdcd0d6d"
},
{
"yara": [],
"sha1": "d9aa9f95d97737ba627f9d68971366feb8ea247b",
"name": "bc19898e37cd9ab7_win10_install.css",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"type": "ASCII text, with CRLF line terminators",
"sha256": "bc19898e37cd9ab71dfc81ea24cabc571ae5d00766c21b384919df3c30b85bc2",
"urls": [
"https:\/\/fonts.googleapis.com\/css?family=Open"
],
"crc32": "502DC31A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/bc19898e37cd9ab7_win10_install.css",
"ssdeep": null,
"size": 8928,
"sha512": "da1a239a927426650e11976ebd0c0861ae09f9552cd4046f3f4ce91df8b6a63f9f1775c98402312877889630f9492312708239932313b52c78b4b741c57d245d",
"pids": [
2816
],
"md5": "f42cd9b3a68fe9aea276eee4708473f9"
},
{
"yara": [],
"sha1": "c64ad224b877cd5bbdcdb1799b71f3682602d231",
"name": "b0a39e28d93f7822_TarA6D4.tmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"type": "data",
"sha256": "b0a39e28d93f7822fe6cac1e082c7adc581dcd2b61eb9f536e74bd14a75b27bc",
"urls": [
"http:\/\/www.microsoft.com\/pkiops\/certs\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crt0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicRooCerAut_2010-06-23.crt07",
"http:\/\/www.microsoft.com\/pki\/certs\/MicCerLisCA2011_2011-03-29.crt0",
"http:\/\/www.microsoft.com\/pki\/certs\/MicrosoftRootCert.crt0",
"http:\/\/www.microsoft.com\/pkiops\/crl\/Microsoft%20Certificate%20Trust%20List%20PCA(3).crl0u"
],
"crc32": "B495BE07",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/b0a39e28d93f7822_TarA6D4.tmp",
"ssdeep": null,
"size": 138525,
"sha512": "0663fb22bcefd0ac5f090104322a8c0dc1ceb77a168b589d7dbb9a74d109daf38beac97dab715220abab08c355496f5719159e17995248caa19eff45bc2a5d46",
"pids": [
1676
],
"md5": "0e34ebf89b843b303f0fb5f194be9d28"
},
{
"yara": [],
"sha1": "928937c244180ebd616ecdd726fbdcc48ad2079f",
"name": "4037a85bf6224a74_logo.png",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"type": "PNG image data, 128 x 128, 8-bit\/color RGBA, non-interlaced",
"sha256": "4037a85bf6224a74a837a2e7ecced0c71816f3ea49d116476a1f0ede963db40d",
"urls": [],
"crc32": "33AEF962",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/4037a85bf6224a74_logo.png",
"ssdeep": null,
"size": 9002,
"sha512": "a6160a5e53d395a843262b3c05cfccb1fc9d6bd34076854bb92466f073f322bfe040fbb4d4947ebc5d14d4345408df60eb6869073c7851329178dda9e2f2b56c",
"pids": [
2816
],
"md5": "eb4c64430e6d9d564cb61bbfc97f26f5"
},
{
"yara": [],
"sha1": "0bff0b9678cf53d4f19bc4f00e1a736f97f6a2a3",
"name": "1be86474e1b66764_loader.gif",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"type": "GIF image data, version 89a, 90 x 90",
"sha256": "1be86474e1b66764f38a8362dcb98ca55237d749515114ee6cdfdb6f0903f148",
"urls": [
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef",
"http:\/\/ns.adobe.com\/xap\/1.0\/"
],
"crc32": "DCD44B2E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/1be86474e1b66764_loader.gif",
"ssdeep": null,
"size": 64825,
"sha512": "4c49c3885679de638ffcfe29a658d37cd0e422774f94c90e54e1c5a1b70bf2f5c24262e5212ad3a9060f9cd2ba0d84c008b5beeb867d07ca8518781e00249f34",
"pids": [
2816
],
"md5": "72e5f3e5e94851d1091e6703d9a63550"
},
{
"yara": [],
"sha1": "91af479a1ca2888b1f63e8d459020161fcd89fde",
"name": "fda69691d16ff902_1517143390278_1512482433840_logo.png",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"type": "PNG image data, 260 x 174, 8-bit\/color RGBA, non-interlaced",
"sha256": "fda69691d16ff902c54db60cab6b765b1026170527162483dcb5be38c918d79e",
"urls": [
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef",
"http:\/\/ns.adobe.com\/xap\/1.0\/"
],
"crc32": "50E664C7",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/fda69691d16ff902_1517143390278_1512482433840_logo.png",
"ssdeep": null,
"size": 22733,
"sha512": "ba459609ac3029df56eb7b2a630ebbb9e7dda1df9a4277f0568342d5bafb530f3d28b612d94ef37ed89d2a9070e4928eb498d7513810b93fedcac53a224d4e0f",
"pids": [
2816
],
"md5": "1b3b1b185013a718549ad7ecef41aa46"
},
{
"yara": [],
"sha1": "9614e4c1cfa4d67187fc7de313f63100c9428c02",
"name": "741aab644ed45961_install.html",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"type": "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators",
"sha256": "741aab644ed45961879774546c9b87c3a2e25283e489221469cb6d0dcd39d623",
"urls": [],
"crc32": "26500F3E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/741aab644ed45961_install.html",
"ssdeep": null,
"size": 15770,
"sha512": "6ff7114ae0522cd843cd3bf8d0bbfdc8ce19f0ce8a339b84940011b5a0f0ded97863f7e005df1819977df4806e125d671d1d0ad2ed235485c9ba4d6cb2da9189",
"pids": [
2816
],
"md5": "5df42d9dd9fe8b3c98fe3feabad67cf7"
},
{
"yara": [],
"sha1": "7eb2161d66d1bd1bb105fb6089d4c3622493d93b",
"name": "e87b23079eff1ca2_appsync.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"type": "PE32 executable (GUI) Intel 80386 Mono\/.Net assembly, for MS Windows",
"sha256": "e87b23079eff1ca296159506531ea8b02f18efc347fc7dea68c6acfdd30e3bf8",
"urls": [
"http:\/\/crl3.digicert.com\/DigiCertHighAssuranceEVRootCA.crl0",
"http:\/\/www.apache.org\/licenses\/LICENSE-2.0",
"http:\/\/crl4.digicert.com\/EVCodeSigningSHA2-g1.crl0K",
"http:\/\/cacerts.digicert.com\/DigiCertAssuredIDRootCA.crt0",
"http:\/\/dev.search.strtpoint.com\/results.html?c=1",
"http:\/\/cacerts.digicert.com\/DigiCertHighAssuranceEVRootCA.crt0",
"http:\/\/crl3.digicert.com\/EVCodeSigningSHA2-g1.crl07",
"http:\/\/www.apache.org\/).",
"http:\/\/www.mozilla.org\/2004\/em-rdf",
"http:\/\/cacerts.digicert.com\/DigiCertSHA2AssuredIDTimestampingCA.crt0",
"http:\/\/ocsp.digicert.com0C",
"http:\/\/ocsp.digicert.com0O",
"http:\/\/crl3.digicert.com\/DigiCertAssuredIDRootCA.crl0P",
"http:\/\/ocsp.digicert.com0I",
"http:\/\/ocsp.digicert.com0H",
"http:\/\/crl4.digicert.com\/DigiCertHighAssuranceEVRootCA.crl0",
"http:\/\/crl3.digicert.com\/sha2-assured-ts.crl02",
"http:\/\/crl4.digicert.com\/sha2-assured-ts.crl0",
"https:\/\/www.nuget.org\/packages\/Newtonsoft.Json.Bson",
"http:\/\/www.apache.org\/licenses\/",
"http:\/\/cacerts.digicert.com\/DigiCertEVCodeSigningCA-SHA2.crt0",
"http:\/\/crl4.digicert.com\/DigiCertAssuredIDRootCA.crl0:",
"https:\/\/www.digicert.com\/CPS0",
"http:\/\/www.digicert.com\/ssl-cps-repository.htm0",
"http:\/\/www.newtonsoft.com\/jsonschema"
],
"crc32": "5F5A36FE",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/e87b23079eff1ca2_appsync.exe",
"ssdeep": null,
"size": 4139992,
"sha512": "0ddf20c7b54d6c60fdcc7680b881a8c7df5cee5f69cd986197f22a1e8443f6ab09e6d83b45e16dbdd8ace43e84b3302cbb1baef39ecaf232607c744c2a815ec8",
"pids": [
2816
],
"md5": "7ac9ce6a69f0448ec8bd0ebbff3fbb09"
},
{
"yara": [],
"sha1": "339802872d30316fc62bebc0ff83247d885d2a67",
"name": "1fbfd07ee6638e19_win10_install.js",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"type": "ASCII text, with CRLF line terminators",
"sha256": "1fbfd07ee6638e19f0297ba310a239adf0b5750930753267a0d5f381209f7992",
"urls": [],
"crc32": "2D5977CA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/1fbfd07ee6638e19_win10_install.js",
"ssdeep": null,
"size": 5146,
"sha512": "64d6a642864892ebdca267d58a94a1812f4079692fb5802ae7c8c4acd7a7440691b40783235dd404361ffe16acbaa55843fe71850e7cffabdd46e36ef1c12edf",
"pids": [
2816
],
"md5": "aea0f51c10a958068049db2e6dda6898"
},
{
"yara": [],
"sha1": "584b5011c80f1acc9a54392720d047152eb8d2a8",
"name": "3cd3fc529dd87021_config.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"type": "ASCII text, with very long lines",
"sha256": "3cd3fc529dd87021b78fe84e5f9135ddb012ce246cd88c5e54f5d08c75713842",
"urls": [
"http:\/\/suggestqueries.google.com\/complete\/search?output=firefox",
"http:\/\/pdfpro100.com\/uninstall.html",
"http:\/\/pdfpro100.com\/",
"http:\/\/www.mozilla.org\/2006\/browser\/search\/",
"http:\/\/pdfpro100.com\/eula.html",
"http:\/\/pdfpro100.com\/thankyou.html"
],
"crc32": "CB60BF44",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/3cd3fc529dd87021_config.txt",
"ssdeep": null,
"size": 3714,
"sha512": "f5244c1eb5dfec5db1826ab5438aa0564f16722d510d87c3e4720cba14d4d87a2bbb95af645bfd6eedcb96587b8767c3de28e148511fd8245fb8ef1d946218cf",
"pids": [
2816
],
"md5": "82cf36f79f23dfe18bf41f8c32947a89"
},
{
"yara": [],
"sha1": "98951a27c49c751f23bd80978af5cd802a9d6eaf",
"name": "dc969c1bba33448b_retake.js",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"type": "ASCII text, with CRLF line terminators",
"sha256": "dc969c1bba33448b36ab95d00e974151b5c5b2c27037c0b52a7280671375aed5",
"urls": [],
"crc32": "B750D54C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/dc969c1bba33448b_retake.js",
"ssdeep": null,
"size": 1264,
"sha512": "3b65a0eb00c635d80384108c5018395502a65ba0ea4df1eae9b2f6e8c2cc97b895d146dc4024312a2f32c0d860ce61777d0d39a202d7580fd86039f3809db009",
"pids": [
2816
],
"md5": "916f6cbef42b826dc557fdb34e1cc1dd"
},
{
"yara": [],
"sha1": "bd6f6d08919c801ca943e1dc27bcb99c54da53f4",
"name": "64e1417b6762ec16_1517130957005_490x60.png",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"type": "PNG image data, 490 x 60, 8-bit\/color RGB, non-interlaced",
"sha256": "64e1417b6762ec16151ad20e629c5a1368325f3470cf5ae1fea86489977076fa",
"urls": [
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"http:\/\/ns.adobe.com\/xap\/1.0\/",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef"
],
"crc32": "C4B21B52",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/64e1417b6762ec16_1517130957005_490x60.png",
"ssdeep": null,
"size": 8674,
"sha512": "d8c63ab2a87e7a449536ef0c14239597bd9eac4a5aa76605cf8abac99c611755875488ce9a63efb097446f8ef061116f80c78d20438ea2f8d489b6ed3cf687a3",
"pids": [
2816
],
"md5": "c983548175b1c8e5e374e18343358d9b"
},
{
"yara": [],
"sha1": "48083f62696ac80bdf01e0bb7129ef31744cbc9b",
"name": "2017751dc60014c0_win10_install.html",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"type": "HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators",
"sha256": "2017751dc60014c0f53f2ed6aa2a4458fe0bccc8f8142fbdd85250d4cf5b2883",
"urls": [],
"crc32": "0D3CAE21",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/2017751dc60014c0_win10_install.html",
"ssdeep": null,
"size": 15739,
"sha512": "b534001c7a3b8f0d1daba556282495643d8f3a197988289853b52bcac7ae8833ca75355503397ae152a2071cbdc1d40a605b665f411b232cf9a86664ed8ae8ed",
"pids": [
2816
],
"md5": "5c27c2c2ca5b0df190283a7423e75f04"
},
{
"yara": [],
"sha1": "e096bbcd97fd1790e31458e2bc253fdfc4ab1375",
"name": "8e6d6b21b7bf81b7_uninstall.js",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"type": "ASCII text, with CRLF line terminators",
"sha256": "8e6d6b21b7bf81b7be3388dba2f85726c66fa622cc2d5e45d1bed8fe12e440fb",
"urls": [],
"crc32": "02C6C7EB",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/8e6d6b21b7bf81b7_uninstall.js",
"ssdeep": null,
"size": 4324,
"sha512": "1eb8180e5d2b777d191432143857437e0d6965edac98a8d63d2393ed884b8aac9858c792777be8279620a4cb2a0b9235fdb79f87a32ef1056a0e84bb12cca771",
"pids": [
2816
],
"md5": "863bd26ad590de3826d2e4e8a3e069f6"
},
{
"yara": [],
"sha1": "f53c9b07c52e3223aadff9382c00e41d1916e839",
"name": "177d7c8e26a11358_uninstall.html",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"type": "HTML document, ASCII text, with CRLF line terminators",
"sha256": "177d7c8e26a11358c654f9b8b3e59f8f0c9f6e895fb4a506492ad2d1f636ff50",
"urls": [],
"crc32": "CF1B1E75",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/177d7c8e26a11358_uninstall.html",
"ssdeep": null,
"size": 3743,
"sha512": "46bdb3017dae8b61b1528d371e3df11beaa0af49867a7ffd34e69bcb08c59e2214dd2d058324b21b4b1363dad4b9efeba3a323d59ddc47216ee8101eb5e2cb23",
"pids": [
2816
],
"md5": "e22832f34b41681ddd94ef4a3f4d2987"
},
{
"yara": [],
"sha1": "ecd7e702be234a01bd321b8349714372f6502a49",
"name": "f59273ab63d15f3e_pref.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"type": "ASCII text, with very long lines, with no line terminators",
"sha256": "f59273ab63d15f3e82d62244c4a3048ef0969582f675121c48da1898a5413d47",
"urls": [
"http:\/\/baseapp.pdfpro100.com",
"http:\/\/current.pdfpro100.com\/pronto\/application\/pdfpro100.com\/pref.json",
"http:\/\/inf.pdfpro100.com\/api\/report\/?",
"http:\/\/chkapp.pdfpro100.com\/api\/tech\/pc\/update\/check",
"http:\/\/rest.pdfpro100.com",
"http:\/\/current.pdfpro100.com\/pronto\/application\/pdfpro100.com\/favicon.ico",
"http:\/\/lgc.pdfpro100.com\/task-for?"
],
"crc32": "51FB78E5",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/f59273ab63d15f3e_pref.txt",
"ssdeep": null,
"size": 606,
"sha512": "6c06ab89c5180cfd748bdeccdee2b40632f4cc2125eee341e6945f152e650c505b1f35a46c6facd0f7397785f70638ae4e58a9bfebe1deba8ed7eee7a465983e",
"pids": [
2816
],
"md5": "c694fdaa959c44d01a155dfeeeb3bd6b"
},
{
"yara": [],
"sha1": "849b3031586708baf855f51f7f57b1286d621a37",
"name": "a6b4b5e7745fdf24_alert-icon.png",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"type": "PNG image data, 34 x 34, 8-bit\/color RGBA, non-interlaced",
"sha256": "a6b4b5e7745fdf240edbad76e248ca52f21539b678971adedcef3cd9bcfd29f7",
"urls": [
"http:\/\/ns.adobe.com\/xap\/1.0\/mm\/",
"http:\/\/ns.adobe.com\/xap\/1.0\/sType\/ResourceRef",
"http:\/\/ns.adobe.com\/xap\/1.0\/"
],
"crc32": "A7C69B64",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/a6b4b5e7745fdf24_alert-icon.png",
"ssdeep": null,
"size": 2892,
"sha512": "2fc26858caa16c9fc17288d4f8357487905c62a3f158ca6ca2b17660c43b3686f1e64061c4c161fc3a32559215ea664c939969d75744cc881c10e671ee1019fc",
"pids": [
2816
],
"md5": "205df663a373feac8bbd39c72faded95"
},
{
"yara": [],
"sha1": "9e89d1515bc4c371b86f4cb1002fd8e377c1829f",
"name": "9365920887b11b33_jquery-3.2.1.slim.min.js",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"type": "ASCII text, with very long lines",
"sha256": "9365920887b11b33a3dc4ba28a0f93951f200341263e3b9cefd384798e4be398",
"urls": [],
"crc32": "7EA11C46",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/9365920887b11b33_jquery-3.2.1.slim.min.js",
"ssdeep": null,
"size": 69597,
"sha512": "cab8c4afa1d8e3a8b7856ee29ae92566d44ceead70c8d533f2c98a976d77d0e1d314719b5c6a473789d8c6b21ebb4b89a6b0ec2e1c9c618fb1437ebc77d3a269",
"pids": [
2816
],
"md5": "5f48fc77cac90c4778fa24ec9c57f37d"
},
{
"yara": [],
"sha1": "1e003e627b9d8b0033f2b890053925a795c3660d",
"name": "d6ca195e9e1531ae_appsync.exe.config",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"type": "XML 1.0 document, ASCII text, with CRLF line terminators",
"sha256": "d6ca195e9e1531ae1c2016147530e2803bde68f8ce19b88506e1bda9f4a272b8",
"urls": [],
"crc32": "6C802FCC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/d6ca195e9e1531ae_appsync.exe.config",
"ssdeep": null,
"size": 239,
"sha512": "7a3f81c8e5df56c29f1706589d70bbb8709087ff23ccc0cc85ba653f0e591585496b02afda7360abbaced20d7145996e813334093e2850079a4937da5e8ed6cb",
"pids": [
2816
],
"md5": "2d3d9edf445c408dd56576d039630fbf"
},
{
"yara": [],
"sha1": "4311d8f17ce94fcffbb9601e18410e80463d072b",
"name": "beefc7696051c720_spinner.gif",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"type": "GIF image data, version 89a, 38 x 40",
"sha256": "beefc7696051c720e15736a3b62d8f66a1dd955adb43a5653e94d9bb3bfe5aa3",
"urls": [],
"crc32": "3C2A20BE",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/beefc7696051c720_spinner.gif",
"ssdeep": null,
"size": 4640,
"sha512": "6e3fd3f4f8682a48602dd4d5c4bd3a6769314139f1aad1f626c77ba696e57d5be72a679dc20f6c57f66c48d8a235468de4589e80d052339fed149f1c6fe6132b",
"pids": [
2816
],
"md5": "6f346e7f3244264676a2e3a286ad9509"
},
{
"yara": [],
"sha1": "89a323725dc7fb9aea9ea67b397ae041295b6d36",
"name": "4e257e9221ea5c80_uninstall.css",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"type": "ASCII text, with CRLF line terminators",
"sha256": "4e257e9221ea5c80e98ea0e172e8e29f7af8ae74c10e16b3e359ef799610aebf",
"urls": [],
"crc32": "81A61906",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/4e257e9221ea5c80_uninstall.css",
"ssdeep": null,
"size": 5523,
"sha512": "89839431b5270e839a6add220525dbb97ab3c06f648fa6aa55c1703dc624fa4abbf78a35b8fa91d4b944871c76216f1f1ad1678e8c4c4911950fd2972e3d6e15",
"pids": [
2816
],
"md5": "b137f09fc5a86e204181a9ab991a6fac"
},
{
"yara": [],
"sha1": "93aaf6c4f65ea9d27b8c0d86832926f2e16f596d",
"name": "2fa4044bc6ea21c1_pdfpro100.ico",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"type": "MS Windows icon resource - 6 icons, 256x256",
"sha256": "2fa4044bc6ea21c14b87d7e35b865a60046d329f9881baf13ddd435ac0657063",
"urls": [],
"crc32": "83BDE31C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/2fa4044bc6ea21c1_pdfpro100.ico",
"ssdeep": null,
"size": 370070,
"sha512": "3dbda40f5e343eccd0ed8cf24abea1633bae5d06e052b10833728638330bce4f07aeaecbc557f5d0bb94c815db94ae26146639183c3918a303188414e269b3c8",
"pids": [
2816
],
"md5": "ddfad33d3b32f121bbd103237057325d"
},
{
"yara": [
{
"meta": {
"description": "Possibly employs anti-virtualization techniques",
"author": "nex"
},
"name": "vmdetect",
"offsets": {
"virtualbox_mac_1c": [
[
5027,
0
],
[
5138,
0
],
[
5420,
0
]
]
},
"strings": [
"MDgwMDI3"
]
}
],
"sha1": "8a58821ce6206f5a852b28c486c1deb9b16256ab",
"name": "5dec3071bd7b6c43_all.log",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log",
"type": "ASCII text, with CRLF line terminators",
"sha256": "5dec3071bd7b6c4394c9b0fc0186cd44ae2bc2aafe526eb0731a33d26df8fee0",
"urls": [],
"crc32": "38CF69B3",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/5dec3071bd7b6c43_all.log",
"ssdeep": null,
"size": 6675,
"sha512": "8d0469d371c8bc7e53e7ed57aea18fbca2ba182c72beaa0e07683aff037ac6326a12e88afd23a3a9e3d2c5b6faf02b66e8aab477c2715388d44832acb9594278",
"pids": [
1676
],
"md5": "d87efe498be876e6b63dc3b6137fa7ea"
},
{
"yara": [],
"sha1": "02b2d1365afa504c8298404c6491935f49278b54",
"name": "9b59c4be219676b6_install.css",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"type": "ASCII text, with CRLF line terminators",
"sha256": "9b59c4be219676b6ac3d478d3044c98d46d1ea131c5792ada18b0d7b586fba5e",
"urls": [],
"crc32": "8F82884A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/9b59c4be219676b6_install.css",
"ssdeep": null,
"size": 9154,
"sha512": "6627519cec0b5ed4b1cb393f5fa114ffe4a34d20ede8694cca285bc8292f9de2c80f4144be14e2ef35d04b22c29328e828881784c5d34d6d47c445f9df8cf453",
"pids": [
2816
],
"md5": "744924daea3046f00e025ce60b6c311b"
},
{
"yara": [],
"sha1": "beab9fc3c0f2be6e3bdddcef86949a9f52131c5f",
"name": "05eb6004d5d029dd_action.log",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log",
"type": "ASCII text, with CRLF line terminators",
"sha256": "05eb6004d5d029dd0f9f87b292fce57eb5e6a3fb75ccf819d76c89ffeb5d7102",
"urls": [],
"crc32": "AE5DD364",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/05eb6004d5d029dd_action.log",
"ssdeep": null,
"size": 73,
"sha512": "ca52ddc6bd7e2f52470c5ac7317af9662ee362884cb39ab9c96d33ca6e8139f60ac179c95028ba27ce1641d6eb25fc5987e773f511590eb75d3a736ea8815da3",
"pids": [
1676
],
"md5": "a439fb7ea8e5de8703f3956382fc053e"
},
{
"yara": [],
"sha1": "c0a5649cd94a8954dea1f5d5b45ac6e505bc17a3",
"name": "ccb4ccbee52f5378_retake.html",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html",
"type": "HTML document, UTF-8 Unicode text, with CRLF line terminators",
"sha256": "ccb4ccbee52f5378d2f6a2a83653a86cb28a16725891d27a8f7e909089250183",
"urls": [],
"crc32": "7639D8BC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/3841\/files\/ccb4ccbee52f5378_retake.html",
"ssdeep": null,
"size": 1305,
"sha512": "a6c3a29f34416214d342bc02eb706c6be7209eafdbe79c5468546bc49de5feb1a12f236eda313b0edc1a2d641e96bc3d93a87635a55c8c0e58e9e831b584e793",
"pids": [
2816
],
"md5": "6fc64a02a4d1c374766969a395e69649"
}
]Generic
[
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\726fbfbd089ab537d9856d85281e07bc9e13906558169087551f875bc952b6b1.bin",
"process_name": "726fbfbd089ab537d9856d85281e07bc9e13906558169087551f875bc952b6b1.bin",
"pid": 2816,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\TMP4351$.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP"
],
"dll_loaded": [
"feclient.dll",
"kernel32.dll",
"C:\\Windows\\system32\\advapi32.dll",
"C:\\Windows\\system32\\advpack.dll"
],
"file_opened": [
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Advanced INF Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\spinner.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\PdfPro100.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\alert-icon.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\jquery-3.2.1.slim.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\install.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bg.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\brand.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.js",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\uninstall.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\pref.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\win10_install.html",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517130957005_490x60.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\1517143390278_1512482433840_logo.png",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\loader.gif",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.css",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\retake.html"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Advanced INF Setup\\AdvpackLogFile"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0"
]
},
"first_seen": 1574790785.875,
"ppid": 2016
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1574790785.53125,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"process_name": "AppSync.exe",
"pid": 1676,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"\\Device\\KsecDD"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\LanguageList",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe"
],
"dll_loaded": [
"imagehlp.dll",
"API-MS-Win-Security-LSALookup-L1-1-0.dll",
"DNSAPI.dll",
"SHELL32.dll",
"dwmapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll",
"ncrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\OLEAUT32.dll",
"API-MS-WIN-Service-Management-L2-1-0.dll",
"crypt32.dll",
"C:\\Windows\\SysWOW64\\bcryptprimitives.dll",
"SspiCli.dll",
"advapi32.dll",
"psapi.dll",
"SHLWAPI.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll",
"USER32.dll",
"C:\\Windows\\syswow64\\CRYPT32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"C:\\Windows\\System32\\wship6.dll",
"setupapi.dll",
"iphlpapi.dll",
"CFGMGR32.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
"urlmon.dll",
"ntdll",
"apphelp.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Gdiplus.dll",
"kernel32.dll",
"oleaut32.dll",
"SensApi.dll",
"ntdll.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"cryptsp.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"IPHLPAPI.DLL",
"RichEd20.dll",
"uxtheme.dll",
"winhttp.dll",
"profapi.dll",
"comctl32.dll",
"RpcRtRemote.dll",
"WINTRUST.DLL",
"C:\\Windows\\system32\\cryptnet.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\\\wminet_utils.dll",
"DEVRTL.dll",
"Cabinet.dll",
"user32.dll",
"WINHTTP.dll",
"gdi32.dll",
"ws2_32.dll",
"bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorsec.dll",
"CRYPTSP.dll",
"credssp.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"ole32.dll",
"NSI.dll",
"mscorsec.dll",
"SXS.DLL",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\oleaut32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\iphlpapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll",
"ADVAPI32.dll",
"WS2_32.dll",
"gdiplus.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll",
"imm32.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"cryptnet.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Runtime.Seri#\\4a984a9ad59d14063bc6ae64a0c8f62a\\System.Runtime.Serialization.ni.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"version.dll",
"shell32.dll",
"OLEAUT32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"RPCRT4.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"sxs.dll",
"mscoree.dll",
"C:\\Windows\\system32\\mswsock.dll",
"AdvApi32.dll"
],
"file_opened": [
"C:\\Windows\\Fonts\\msyh.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\LocalLow",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\Fonts\\tahoma.ttf",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Fonts\\msjh.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\System32\\en-US\\WINHTTP.dll.mui",
"C:\\Windows\\Fonts\\malgun.ttf",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Users\\cuck\\AppData\\Local\\GDIPFONTCACHEV1.DAT",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config",
"C:\\Windows\\Fonts\\micross.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log",
"C:\\Windows\\Fonts\\segoeui.ttf",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\UrlDllGetObjectUrl",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DNS",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllPutSignedDataMsg",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\00000005",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontLink\\SystemLink",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\UrlDllGetObjectUrl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\SecurityProviders\\SaslProfiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BFE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyCertificateChainPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllEncodeObjectEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{06C9E010-38CE-11D4-A2A3-00104BD35090}",
"HKEY_CLASSES_ROOT\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InprocServer32",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllVerifyEncodedSignature",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\msasn1",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NetBT\\Parameters",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AABA-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LsaExtensionConfig\\SspiCli",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\AuthRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_CLASSES_ROOT\\AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Fonts",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_CURRENT_USER\\EUDC\\1252",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus",
"HKEY_CURRENT_USER\\Interface\\{00000134-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip6\\Parameters\\Winsock",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllConvertPublicKeyInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{DE351A42-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\TVO",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.JScript__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.System.Runtime.Serialization__b77a5c561934e089",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_CLASSES_ROOT\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.1.1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\33abb01d\\69ef69c7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllConvertPublicKeyInfo",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Class\\{4d36e972-e325-11ce-bfc1-08002be10318}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Wintrust\\Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyRevocation",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.0.SMDiagnostics__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\SspiCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\do\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration.Install__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{DE351A43-8E59-11D0-8C47-00C04FC295EE}",
"HKEY_CLASSES_ROOT\\do",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\SchemeDllRetrieveEncodedObjectW",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}",
"HKEY_CURRENT_USER\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\TimeValidDllGetObject",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllVerifyCertificateChainPolicy",
"HKEY_CLASSES_ROOT\\AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1A610570-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\ChainEngine\\Config",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{846EE342-7039-11DE-9D20-806E6F6E6963}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllGetSignedDataMsg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\MAIN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\do",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllImportPublicKeyInfoEx2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{000C10F1-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\ContextDllCreateObjectContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_CURRENT_USER\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Ole",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.11",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\TimeValidDllGetObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllImportPublicKeyInfoEx2",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\DiagnosticPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllVerifyEncodedSignature",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{000C10F1-0000-0000-C000-000000000046}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\Root\\ProtectedRoots",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\TrustedPublisher\\Safer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\SchemeDllRetrieveEncodedObjectW",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.12",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TravelLog",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SystemCertificates\\AuthRoot\\AutoUpdate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\ContextDllCreateObjectContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllVerifyIndirectData\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v4.0",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptSIPDllVerifyIndirectData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.4",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx\\1.2.840.113549.1.9.16.2.2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CryptDllEncodeObjectEx",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{603BCC1F-4B59-4E08-B724-D2C6297EF351}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Setup Migration\\Providers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.3.5.System.Core__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation\\DEFAULT",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Winsock\\Parameters",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
"HKEY_CURRENT_USER",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_CURRENT_USER\\TypeLib",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllPutSignedDataMsg\\{06C9E010-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 1\\CertDllVerifyRevocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg\\{1A610570-38CE-11D4-A2A3-00104BD35090}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
],
"resolves_host": [
"ocsp.digicert.com",
"crl4.digicert.com",
"crl3.digicert.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\Action.log",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\All.log"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp"
],
"file_exists": [
"C:\\Windows\\inf\\",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.PDB",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Windows\\Fonts\\ahronbd.ttf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\System32\\qagentrt.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\System32\\dnsapi.dll",
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
"C:\\Windows\\System32\\p2pcollab.dll",
"C:\\Users\\cuck\\AppData\\LocalLow"
],
"mutex": [
"Global\\.net clr networking"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\2659C1A560AB92C9C29D4B2B25815AE8",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_3F584A3392BB586FC541F0F81FC9D443",
"C:\\Windows\\symbols\\dll\\mscorlib.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\0270780F846F08BEFE0DD8112D932FEF",
"C:\\Windows\\symbols\\exe\\AppSync.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.pdb",
"C:\\Windows\\exe\\AppSync.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Windows\\dll\\mscorlib.pdb",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_DD7CBED22FCB4DBB59011DF9ECBBC293",
"C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\config.txt",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\6E47DC54834F661FE77B461D2DF73D9D",
"C:\\Windows\\AppSync.pdb",
"C:\\Windows\\mscorlib.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\AppSync\\ToUnzip\\pref.txt",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_943A1DFFA777580B483765AB2C11CA95",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\782AC1F7D5B160B0F71F6F92B0912799",
"C:\\Users\\cuck\\AppData\\Roaming\\AppMaster\\pref.txt",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.pdb"
],
"wmi_query": [
"select * from Win32_OperatingSystem",
"SELECT * FROM Win32_PhysicalMedia",
"Select ProcessorId From Win32_processor"
],
"guid": [
"{00000000-0000-0000-c000-000000000046}",
"{4590f811-1d3a-11d0-891f-00aa004b2e24}",
"{44aca674-e8fc-11d0-a07c-00c04fb68820}",
"{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}",
"{674b6698-ee92-11d0-ad71-00c04fd8fdff}",
"{8bc3f05e-d86b-11d0-a075-00c04fb68820}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{7c857801-7381-11cf-884d-00aa004b2e24}",
"{8856f961-340a-11d0-a96b-00c04fd705a2}",
"{f309ad18-d86a-11d0-a075-00c04fb68820}",
"{871c5380-42a0-1069-a2ea-08002b30309d}",
"{000214e6-0000-0000-c000-000000000046}",
"{00000001-0000-0000-c000-000000000046}",
"{dc12a687-737f-11cf-884d-00aa004b2e24}"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\CabA6D3.tmp",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\TarA6D4.tmp",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\config.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe.Config",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\Content\\94308059B57B3142E455B38A6EB92015",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\94308059B57B3142E455B38A6EB92015"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\WinSock2\\Parameters\\Protocol_Catalog9\\Serial_Access_Num",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\SecurityProviders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.44.3.4!7\\Name",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagMatchAnyMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\RemoteRpcDll",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.JScript,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.64.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCertCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsSecureNameQueryFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Comment",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableUnsupportedCriticalExtensions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\409ACDAA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseHostsFile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Capabilities",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpNodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\TabProcGrowth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\TokenSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ShareCredsWithWinHttp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\WaitForNameErrorOnAll",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DiagLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsTest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetPreFetchTriggerPeriodSeconds",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryIpMatching",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DhcpDomain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DirectAccessQueryOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptDllFindOIDInfo\\1.3.6.1.4.1.311.47.1.1!7\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\MaximumAllowedAllocationSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AppendToMultiLabelName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Version",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\PrioritizeRecordData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\ScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetCachedOcspSwitchToCrlCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FrameTabWindow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\EvalationData",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastResponderFlags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\TypeLib\\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\\1.1\\0\\win32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\AdminTabProcs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\SessionMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableDns",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\UseDomainNameDevolution",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadOverride",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\NodeType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration.Install,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DnsQuickQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationRefreshInterval",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\SMDiagnostics,3.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\WinTrust\\Trust Providers\\Software Publishing\\State",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationRefreshInterval",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\SessionMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MaxSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableWanDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlCountInCert",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\EnableProxy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AdapterTimeoutLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\EnableAdapterDomainNameRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistrationOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogMaxFileSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{00000134-0000-0000-C000-000000000046}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\Safety Warning Level",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\StringCacheSettings\\StringCacheGeneration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\SspiCache\\credssp.dll\\RpcId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization,3.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheTtl",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateSecurityLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\FinalizerActivityBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\GDIPlus\\FontCachePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DnsQueryTimeouts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\Extensions\\NdrOleExtDLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalCountPerChain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxySettingsPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Parameters\\Transports",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DowncaseSpnCauseApiOwnerIsTooLazy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultRegistrationTTL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameTabWindow",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Local AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ResolverRegistration",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationOverwrite",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableMulticast",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterPrimaryName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\EnableDAForAllNetworks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{423EC01E-2E35-11D2-B604-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureRoutine",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegistrationMaxAddressCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\RegisterAdapterName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegistrationEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableAdapterDomainName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\LsaExtensionConfig\\SspiCli\\CheckSignatureDll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\TabProcGrowth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableReverseAddressRegistrations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterWanAdapters",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\WinHttpSettings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\AdminTabProcs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\MaxNumberOfAddressesToRegister",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\NavigationDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxNegativeCacheTtl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{8856F961-340A-11D0-A96B-00C04FD705A2}\\InProcServer32\\Class",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7b5311d7\\1b0ed4d\\61\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\NetBT\\Parameters\\DhcpScopeId",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseEdns",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\UseDelayedAcceptance",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\svcVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenDefaultServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\CertCheck\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\CacheAllCompartments",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\RegisterReverseLookup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\FilterClusterIp",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\SearchList",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INTERNET_SHELL_FOLDERS\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\Domain",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseNewRegistration",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCachedSockets",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ServerPriorityTimeLimit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MulticastSenderMaxTimeout",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxAIAUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\MaxCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\LogLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenBadTlds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\CryptnetMaxCachedOcspPerCrlCount",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Winsock\\Setup Migration\\Providers\\Tcpip6\\WinSock 2.0 Provider ID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UpdateTopLevelDomainZones",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Cleanup\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableInetUnknownAuth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\\ProxyStubClsid32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableCANameConstraints",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\p2pcollab.dll,-8042",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\MinSockaddrLength",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\36d9491a\\3fb203dc\\5f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\UseDomainNameDevolution",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Initialization\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Core,3.5.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Signature\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\ChainCacheResyncFiletime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5a8de2c3\\2b1a4e4\\47\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Winsock\\HelperDllName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\77a2835c\\36d9491a\\5e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DynamicServerQueryOrder",
"HKEY_CURRENT_USER\\Local Settings\\MuiCache\\2\\52C64B7E\\@%SystemRoot%\\system32\\dnsapi.dll,-103",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FrameMerging",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\ScreenUnreachableServers",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\MaxUrlRetrievalByteCount",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\35df3f71\\6cb3f6b9\\5d\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\73843e06\\43a920ef\\66\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Message\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\Tracing\\Enabled",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DisableDynamicUpdate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\DomainNameDevolutionLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\7ac727df\\7b5311d7\\61\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\AllowUnqualifiedQuery",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\FinalPolicy\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$DLL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\Providers\\Trust\\Certificate\\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\\$Function",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Interfaces\\{EF381EA0-4D07-418D-A490-68AF67CE948B}\\QueryAdapterName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\WinHttp\\DisableBranchCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\DisableMandatoryBasicConstraints",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0\\CertDllCreateCertificateChainEngine\\Config\\EnableWeakSignatureFlags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Dnscache\\Parameters\\AddrConfigControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\141dfd70\\6b79efab\\43\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\TCPIP6\\Parameters\\Winsock\\Mapping",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0\\mscorwks.dll",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\DA3B6E45325D5FFF28CF6BAD6065C907_*",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Runtime.Serialization\\3.0.0.0__b77a5c561934e089\\System.Runtime.Serialization.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.INI",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\MetaData\\8890A77645B73478F5B1DED18ACBF795_*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.INI",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.INI",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI"
]
},
"first_seen": 1574790786.375,
"ppid": 2816
}
]Signatures
[
{
"markcount": 4,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574790807.031,
"tid": 2184,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 7908
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574790807.109,
"tid": 2700,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 8125
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574790807.188,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 8559
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1574790807.266,
"tid": 2624,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 9117
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 1,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1574790786.484,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 334
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "wextract.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 2,
"families": [],
"description": "Tries to locate where the browsers are installed",
"severity": 1,
"marks": [
{
"category": "file",
"ioc": "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "locates_browser"
},
{
"markcount": 1,
"families": [],
"description": "The file contains an unknown PE resource name possibly indicative of a packer",
"severity": 1,
"marks": [
{
"category": "resource name",
"ioc": "AVI",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "pe_unknown_resource_name"
},
{
"markcount": 3,
"families": [],
"description": "One or more processes crashed",
"severity": 1,
"marks": [
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n5\nd\nf\n0\n4\n3\n5\n\n\n0\nx\n5\n5\n4\ne\nf\n8\n7\n\n\n0\nx\n5\n5\n4\ne\na\nb\nf\n\n\n0\nx\n5\n5\n4\ne\n4\nf\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n6\nd\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n6\nd\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n0\nc\n5\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n7\nd\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n3\n2\n9\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n5\na\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n4\n5\nc\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n4\n5\nc\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n4\n8\n7\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n4\n4\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n5\nb\na\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n5\nb\na\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n4\n5\n8\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n4\n5\n8\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n2\n0\n6\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n2\n0\n6\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n0\ne\ne\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n0\ne\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n0\n5\n9\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\nd\na\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n7\n6\n1\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n7\n6\n1\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n4\n3\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\n9\nd\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\nb\n3\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\nb\n3\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n3\n8\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\na\n8\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\na\n8\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\na\n8\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\na\n8\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n3\n8\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n1\n8\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n1\n8\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\n0\nc\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\nf\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\n1\n4\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\n1\n4\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\nb\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\n5\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\nb\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\nb\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n7\n1\n2\n3\nc\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\nf\n0\n3\n1\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\nd\n9\n2\n8\n4\n \n@\n \n0\nx\n6\ne\n4\n2\n9\n2\n8\n4\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\n9\n5\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n9\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\n9\n9\nf\n \n@\n \n0\nx\n6\ne\n4\n6\n9\n9\n9\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\nb\n1\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n7\n5\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\nb\n5\nc\n \n@\n \n0\nx\n6\ne\n4\n6\n9\nb\n5\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\na\n4\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n2\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n8\nc\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n8\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\n9\nf\n2\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n7\nb\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n3\na\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n3\na\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\n9\na\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n8\nc\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\n9\nf\n0\n \n@\n \n0\nx\n6\ne\n3\ne\nc\n9\nf\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n5\nd\n7\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\na\n4\nf\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nd\nd\nc\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nd\nd\nc\n1\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\nf\na\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n2\nc\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\nf\nf\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nc\nf\nf\n1\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\n8\n7\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n2\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n3\n2\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n3\n2\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\ne\nf\n3\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n3\n7\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\nf\n3\nb\n \n@\n \n0\nx\n6\ne\n4\n7\n7\nf\n3\nb\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\ne\n5\n0\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n1\nd\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n9\n8\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n9\n8\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\nd\ne\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n8\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n3\n0\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n3\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\nd\nc\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\na\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\ne\n0\nf\n \n@\n \n0\nx\n6\ne\n4\n7\n7\ne\n0\nf\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nC\nl\ni\ne\nn\nt\nR\ne\nc\nt\n+\n0\nx\nc\n5\n \nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n-\n0\nx\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n2\n7\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n2\n7\n\n\nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n+\n0\nx\n1\nb\n \nS\ne\nt\nR\ne\nc\nt\nE\nm\np\nt\ny\n-\n0\nx\n3\n8\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n4\nd\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n4\nd\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\nc\nd\n3\n \n@\n \n0\nx\n6\ne\nf\nc\n8\nc\nd\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n2\nf\n9\ne\n0\n \n@\n \n0\nx\n6\ne\nf\nf\nf\n9\ne\n0\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\n4\nf\na\n \n@\n \n0\nx\n6\ne\nf\nc\n8\n4\nf\na\n\n\n0\nx\na\n4\n0\na\n6\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\nn\nc\ne\ns\nt\no\nr\n-\n0\nx\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\nc\n5\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\nc\n5\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\nc\ne\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n1\nc\nf\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n7\n9\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n7\n9\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n1\n3\n4\n1\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n4\n7\n5\nc\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n3\n8\ne\nc\n \n@\n \n0\nx\n6\ne\n3\nb\n3\n8\ne\nc\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n5\n9\nb\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\n0\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nb\n4\n6\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nb\n4\n6\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n9\nf\n9\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\na\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nf\na\n4\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nf\na\n4\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n4\nd\n5\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\nc\n8\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\na\n8\n0\n \n@\n \n0\nx\n6\ne\n3\nb\n4\na\n8\n0\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\na\n9\n3\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\n0\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n5\n0\n3\ne\n \n@\n \n0\nx\n6\ne\n3\nb\n5\n0\n3\ne\n\n\nS\no\nf\nt\nw\na\nr\ne\nU\np\nd\na\nt\ne\nM\ne\ns\ns\na\ng\ne\nB\no\nx\n+\n0\nx\n2\n7\n8\n9\n6\n \nI\nE\nA\ns\ns\no\nc\ni\na\nt\ne\nT\nh\nr\ne\na\nd\nW\ni\nt\nh\nT\na\nb\n-\n0\nx\n2\nb\n5\n8\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\nf\n0\n2\n2\n3\n \n@\n \n0\nx\n6\ne\n5\n4\n0\n2\n2\n3\n\n\nD\nl\nl\nR\ne\ng\ni\ns\nt\ne\nr\nS\ne\nr\nv\ne\nr\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n3\nd\nf\n0\n2\n \nG\ne\nt\nP\nr\ni\nv\na\nt\ne\nC\no\nn\nt\ne\nx\nt\ns\nP\ne\nr\nf\nC\no\nu\nn\nt\ne\nr\ns\n-\n0\nx\n1\n9\n7\n9\n7\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n9\n4\n1\n6\n8\n \n@\n \n0\nx\n7\n0\nc\ne\n4\n1\n6\n8\n\n\n0\nx\n5\n6\nf\n0\n6\na\ne\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n1\nb\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n1\nb\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n7\nb\n9\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n7\nb\n9\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n9\n4\ne\nc\nc\ne\n \n@\n \n0\nx\n6\nf\n7\n1\ne\nc\nc\ne\n\n\n0\nx\n5\n5\n4\n7\na\n4\n6\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n6\na\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n6\na\n5\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n1\n4\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n1\n4\n5",
"registers": {
"esp": 8298468,
"edi": 8298888,
"eax": 0,
"ebp": 8298500,
"edx": 2130566132,
"ebx": 52737444,
"esi": 52177724,
"ecx": 0
},
"exception": {
"instruction_r": "8b 01 ff 50 28 8b f0 ba 01 00 00 00 b9 f6 5e 1a",
"instruction": "mov eax, dword ptr [ecx]",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x5df1d23"
}
},
"time": 1574790806.953,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 7509
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n5\nd\nf\n1\nd\ne\na\n\n\n0\nx\n5\nd\nf\n0\n4\n6\ne\n\n\n0\nx\n5\n5\n4\ne\nf\n8\n7\n\n\n0\nx\n5\n5\n4\ne\na\nb\nf\n\n\n0\nx\n5\n5\n4\ne\n4\nf\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n6\nd\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n6\nd\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n0\nc\n5\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n7\nd\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n3\n2\n9\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n5\na\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n4\n5\nc\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n4\n5\nc\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n4\n8\n7\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n4\n4\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n5\nb\na\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n5\nb\na\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n4\n5\n8\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n4\n5\n8\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n2\n0\n6\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n2\n0\n6\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n0\ne\ne\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n0\ne\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n0\n5\n9\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\nd\na\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n7\n6\n1\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n7\n6\n1\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n4\n3\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\n9\nd\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\nb\n3\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\nb\n3\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n3\n8\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\na\n8\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\na\n8\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\na\n8\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\na\n8\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n3\n8\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n1\n8\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n1\n8\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\n0\nc\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\nf\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\n1\n4\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\n1\n4\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\nb\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\n5\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\nb\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\nb\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n7\n1\n2\n3\nc\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\nf\n0\n3\n1\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\nd\n9\n2\n8\n4\n \n@\n \n0\nx\n6\ne\n4\n2\n9\n2\n8\n4\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\n9\n5\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n9\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\n9\n9\nf\n \n@\n \n0\nx\n6\ne\n4\n6\n9\n9\n9\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\nb\n1\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n7\n5\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\nb\n5\nc\n \n@\n \n0\nx\n6\ne\n4\n6\n9\nb\n5\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\na\n4\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n2\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n8\nc\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n8\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\n9\nf\n2\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n7\nb\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n3\na\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n3\na\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\n9\na\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n8\nc\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\n9\nf\n0\n \n@\n \n0\nx\n6\ne\n3\ne\nc\n9\nf\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n5\nd\n7\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\na\n4\nf\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nd\nd\nc\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nd\nd\nc\n1\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\nf\na\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n2\nc\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\nf\nf\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nc\nf\nf\n1\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\n8\n7\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n2\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n3\n2\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n3\n2\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\ne\nf\n3\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n3\n7\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\nf\n3\nb\n \n@\n \n0\nx\n6\ne\n4\n7\n7\nf\n3\nb\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\ne\n5\n0\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n1\nd\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n9\n8\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n9\n8\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\nd\ne\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n8\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n3\n0\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n3\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\nd\nc\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\na\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\ne\n0\nf\n \n@\n \n0\nx\n6\ne\n4\n7\n7\ne\n0\nf\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nC\nl\ni\ne\nn\nt\nR\ne\nc\nt\n+\n0\nx\nc\n5\n \nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n-\n0\nx\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n2\n7\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n2\n7\n\n\nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n+\n0\nx\n1\nb\n \nS\ne\nt\nR\ne\nc\nt\nE\nm\np\nt\ny\n-\n0\nx\n3\n8\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n4\nd\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n4\nd\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\nc\nd\n3\n \n@\n \n0\nx\n6\ne\nf\nc\n8\nc\nd\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n2\nf\n9\ne\n0\n \n@\n \n0\nx\n6\ne\nf\nf\nf\n9\ne\n0\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\n4\nf\na\n \n@\n \n0\nx\n6\ne\nf\nc\n8\n4\nf\na\n\n\n0\nx\na\n4\n0\na\n6\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\nn\nc\ne\ns\nt\no\nr\n-\n0\nx\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\nc\n5\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\nc\n5\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\nc\ne\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n1\nc\nf\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n7\n9\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n7\n9\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n1\n3\n4\n1\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n4\n7\n5\nc\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n3\n8\ne\nc\n \n@\n \n0\nx\n6\ne\n3\nb\n3\n8\ne\nc\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n5\n9\nb\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\n0\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nb\n4\n6\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nb\n4\n6\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n9\nf\n9\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\na\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nf\na\n4\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nf\na\n4\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n4\nd\n5\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\nc\n8\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\na\n8\n0\n \n@\n \n0\nx\n6\ne\n3\nb\n4\na\n8\n0\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\na\n9\n3\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\n0\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n5\n0\n3\ne\n \n@\n \n0\nx\n6\ne\n3\nb\n5\n0\n3\ne\n\n\nS\no\nf\nt\nw\na\nr\ne\nU\np\nd\na\nt\ne\nM\ne\ns\ns\na\ng\ne\nB\no\nx\n+\n0\nx\n2\n7\n8\n9\n6\n \nI\nE\nA\ns\ns\no\nc\ni\na\nt\ne\nT\nh\nr\ne\na\nd\nW\ni\nt\nh\nT\na\nb\n-\n0\nx\n2\nb\n5\n8\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\nf\n0\n2\n2\n3\n \n@\n \n0\nx\n6\ne\n5\n4\n0\n2\n2\n3\n\n\nD\nl\nl\nR\ne\ng\ni\ns\nt\ne\nr\nS\ne\nr\nv\ne\nr\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n3\nd\nf\n0\n2\n \nG\ne\nt\nP\nr\ni\nv\na\nt\ne\nC\no\nn\nt\ne\nx\nt\ns\nP\ne\nr\nf\nC\no\nu\nn\nt\ne\nr\ns\n-\n0\nx\n1\n9\n7\n9\n7\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n9\n4\n1\n6\n8\n \n@\n \n0\nx\n7\n0\nc\ne\n4\n1\n6\n8\n\n\n0\nx\n5\n6\nf\n0\n6\na\ne\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n1\nb\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n1\nb\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n7\nb\n9\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n7\nb\n9\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n9\n4\ne\nc\nc\ne\n \n@\n \n0\nx\n6\nf\n7\n1\ne\nc\nc\ne\n\n\n0\nx\n5\n5\n4\n7\na\n4\n6\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n6\na\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n6\na\n5",
"registers": {
"esp": 8298412,
"edi": 8298436,
"eax": 0,
"ebp": 8298452,
"edx": 158,
"ebx": 52737444,
"esi": 53046588,
"ecx": 0
},
"exception": {
"instruction_r": "8b 01 ff 50 28 89 45 dc c7 45 e4 00 00 00 00 c7",
"instruction": "mov eax, dword ptr [ecx]",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x5df1f47"
}
},
"time": 1574790807.078,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 8005
},
{
"call": {
"category": "__notification__",
"status": 1,
"stacktrace": [],
"raw": [
"stacktrace"
],
"api": "__exception__",
"return_value": 0,
"arguments": {
"stacktrace": "0\nx\n5\n5\n4\ne\nf\n8\n7\n\n\n0\nx\n5\n5\n4\ne\na\nb\nf\n\n\n0\nx\n5\n5\n4\ne\n4\nf\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n6\nd\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n6\nd\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n2\n9\n8\n7\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\nb\n4\nc\n \n@\n \n0\nx\n7\n0\nc\n5\n1\nb\n4\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n3\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n7\nd\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n7\nd\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n3\n2\n9\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n5\na\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n4\n5\nc\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n4\n5\nc\n\n\nG\ne\nt\nM\ne\nt\na\nD\na\nt\na\nI\nn\nt\ne\nr\nn\na\nl\nI\nn\nt\ne\nr\nf\na\nc\ne\n+\n0\nx\na\n4\n8\n7\n \n_\nC\no\nr\nD\nl\nl\nM\na\ni\nn\n-\n0\nx\n3\n4\n4\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n6\n5\n5\nb\na\n \n@\n \n0\nx\n7\n0\nd\nb\n5\n5\nb\na\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n4\n5\n8\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n4\n5\n8\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n2\n0\n6\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n2\n0\n6\n\n\nm\ns\nc\no\nr\nl\ni\nb\n+\n0\nx\n2\n1\n5\n0\ne\ne\n \n@\n \n0\nx\n7\n0\n3\n6\n5\n0\ne\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n1\n2\n5\nd\ne\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n1\n8\nd\nd\ne\n \n@\n \n0\nx\n7\n0\nc\n6\n8\nd\nd\ne\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n9\n0\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n2\nc\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n2\nc\n\n\nC\no\nU\nn\ni\nn\ni\nt\ni\na\nl\ni\nz\ne\nE\nE\n-\n0\nx\n4\n9\n5\nd\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n2\n6\na\n5\nf\n \n@\n \n0\nx\n7\n0\nc\n7\n6\na\n5\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n0\n5\n9\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\nd\na\nf\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n7\n6\n1\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n7\n6\n1\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n4\n3\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\n9\nd\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\nb\n3\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\nb\n3\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n2\n3\n8\n0\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n4\na\n8\n8\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\na\n8\n8\n \n@\n \n0\nx\n7\n0\nd\n3\n9\na\n8\n8\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\na\n8\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n3\n8\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n1\n8\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n1\n8\nf\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\n0\nc\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\nf\nc\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\n1\n4\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\n1\n4\n\n\nD\nl\nl\nG\ne\nt\nC\nl\na\ns\ns\nO\nb\nj\ne\nc\nt\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n1\nb\nb\n7\n \nM\ne\nt\na\nD\na\nt\na\nG\ne\nt\nD\ni\ns\np\ne\nn\ns\ne\nr\n-\n0\nx\n5\n2\n5\n1\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\ne\n9\n2\nb\nf\n \n@\n \n0\nx\n7\n0\nd\n3\n9\n2\nb\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n7\n1\n2\n3\nc\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\nf\n0\n3\n1\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\nd\n9\n2\n8\n4\n \n@\n \n0\nx\n6\ne\n4\n2\n9\n2\n8\n4\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\n9\n5\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n9\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\n9\n9\nf\n \n@\n \n0\nx\n6\ne\n4\n6\n9\n9\n9\nf\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n1\nb\n1\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\ne\n7\n5\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\n9\nb\n5\nc\n \n@\n \n0\nx\n6\ne\n4\n6\n9\nb\n5\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\na\n4\n4\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n2\n9\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n8\nc\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n8\nc\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\n2\n9\nf\n2\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\nd\n8\n7\nb\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n1\na\na\n3\na\n \n@\n \n0\nx\n6\ne\n4\n6\na\na\n3\na\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\n9\na\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n8\nc\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\n9\nf\n0\n \n@\n \n0\nx\n6\ne\n3\ne\nc\n9\nf\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n5\nd\n7\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\na\n4\nf\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nd\nd\nc\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nd\nd\nc\n1\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\n3\n4\nf\na\n9\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n8\nb\n2\nc\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n9\nc\nf\nf\n1\n \n@\n \n0\nx\n6\ne\n3\ne\nc\nf\nf\n1\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\n8\n7\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n2\n1\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n3\n2\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n3\n2\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\ne\nf\n3\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n3\n7\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\nf\n3\nb\n \n@\n \n0\nx\n6\ne\n4\n7\n7\nf\n3\nb\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\ne\n5\n0\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n1\nd\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n9\n8\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n9\n8\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\ne\nd\ne\n8\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n1\n4\n8\n5\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n6\ne\n3\n0\n \n@\n \n0\nx\n6\ne\n4\n7\n6\ne\n3\n0\n\n\nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n+\n0\nx\nb\nf\nd\nc\n7\n \nS\ne\nt\nQ\nu\ne\nr\ny\nN\ne\nt\nS\ne\ns\ns\ni\no\nn\nC\no\nu\nn\nt\n-\n0\nx\n4\na\n6\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\n2\n7\ne\n0\nf\n \n@\n \n0\nx\n6\ne\n4\n7\n7\ne\n0\nf\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nC\nl\ni\ne\nn\nt\nR\ne\nc\nt\n+\n0\nx\nc\n5\n \nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n-\n0\nx\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n2\n7\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n2\n7\n\n\nC\na\nl\nl\nW\ni\nn\nd\no\nw\nP\nr\no\nc\nW\n+\n0\nx\n1\nb\n \nS\ne\nt\nR\ne\nc\nt\nE\nm\np\nt\ny\n-\n0\nx\n3\n8\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n2\n0\nd\n4\nd\n \n@\n \n0\nx\n7\n6\n3\nb\n0\nd\n4\nd\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\nc\nd\n3\n \n@\n \n0\nx\n6\ne\nf\nc\n8\nc\nd\n3\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n2\nf\n9\ne\n0\n \n@\n \n0\nx\n6\ne\nf\nf\nf\n9\ne\n0\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n8\n4\nf\na\n \n@\n \n0\nx\n6\ne\nf\nc\n8\n4\nf\na\n\n\n0\nx\na\n4\n0\na\n6\n4\n\n\ng\na\np\nf\nn\nS\nc\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\n+\n0\nx\n3\n3\n2\n \nG\ne\nt\nA\np\np\nC\no\nm\np\na\nt\nF\nl\na\ng\ns\n2\n-\n0\nx\n8\ne\na\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\n2\nf\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\n2\nf\na\n\n\nG\ne\nt\nT\nh\nr\ne\na\nd\nD\ne\ns\nk\nt\no\np\n+\n0\nx\nd\n7\n \nG\ne\nt\nW\ni\nn\nd\no\nw\nL\no\nn\ng\nW\n-\n0\nx\n2\nc\n4\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n6\nd\n3\na\n \n@\n \n0\nx\n7\n6\n3\na\n6\nd\n3\na\n\n\nG\ne\nt\nW\ni\nn\nd\no\nw\n+\n0\nx\n3\nf\n0\n \nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n-\n0\nx\n1\nb\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\n5\ne\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\n5\ne\n\n\nS\ne\nn\nd\nM\ne\ns\ns\na\ng\ne\nW\n+\n0\nx\n4\nc\n \nG\ne\nt\nA\nn\nc\ne\ns\nt\no\nr\n-\n0\nx\nc\n0\n \nu\ns\ne\nr\n3\n2\n+\n0\nx\n1\n9\n6\nc\n5\n \n@\n \n0\nx\n7\n6\n3\na\n9\n6\nc\n5\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n8\nc\ne\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n1\nc\nf\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\ne\n7\n9\n \n@\n \n0\nx\n6\ne\n3\nb\n4\ne\n7\n9\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n1\n3\n4\n1\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n4\n7\n5\nc\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n3\n8\ne\nc\n \n@\n \n0\nx\n6\ne\n3\nb\n3\n8\ne\nc\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n5\n9\nb\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\n0\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nb\n4\n6\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nb\n4\n6\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n9\nf\n9\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\na\n4\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\nf\na\n4\n \n@\n \n0\nx\n6\ne\n3\nb\n4\nf\na\n4\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\n4\nd\n5\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n5\nc\n8\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n4\na\n8\n0\n \n@\n \n0\nx\n6\ne\n3\nb\n4\na\n8\n0\n\n\nI\nE\nL\na\nu\nn\nc\nh\nU\nR\nL\n+\n0\nx\n2\na\n9\n3\n \nI\nE\nI\nn\nP\nr\ni\nv\na\nt\ne\nF\ni\nl\nt\ne\nr\ni\nn\ng\nE\nn\na\nb\nl\ne\nd\n-\n0\nx\n3\n0\n0\na\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n6\n5\n0\n3\ne\n \n@\n \n0\nx\n6\ne\n3\nb\n5\n0\n3\ne\n\n\nS\no\nf\nt\nw\na\nr\ne\nU\np\nd\na\nt\ne\nM\ne\ns\ns\na\ng\ne\nB\no\nx\n+\n0\nx\n2\n7\n8\n9\n6\n \nI\nE\nA\ns\ns\no\nc\ni\na\nt\ne\nT\nh\nr\ne\na\nd\nW\ni\nt\nh\nT\na\nb\n-\n0\nx\n2\nb\n5\n8\n2\n \ni\ne\nf\nr\na\nm\ne\n+\n0\nx\n1\nf\n0\n2\n2\n3\n \n@\n \n0\nx\n6\ne\n5\n4\n0\n2\n2\n3\n\n\nD\nl\nl\nR\ne\ng\ni\ns\nt\ne\nr\nS\ne\nr\nv\ne\nr\nI\nn\nt\ne\nr\nn\na\nl\n+\n0\nx\n3\nd\nf\n0\n2\n \nG\ne\nt\nP\nr\ni\nv\na\nt\ne\nC\no\nn\nt\ne\nx\nt\ns\nP\ne\nr\nf\nC\no\nu\nn\nt\ne\nr\ns\n-\n0\nx\n1\n9\n7\n9\n7\n \nm\ns\nc\no\nr\nw\nk\ns\n+\n0\nx\n9\n4\n1\n6\n8\n \n@\n \n0\nx\n7\n0\nc\ne\n4\n1\n6\n8\n\n\n0\nx\n5\n6\nf\n0\n6\na\ne\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n8\n1\nb\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n8\n1\nb\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nb\nc\n7\nb\n9\n \n@\n \n0\nx\n6\ne\nf\n8\nc\n7\nb\n9\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n9\n4\ne\nc\nc\ne\n \n@\n \n0\nx\n6\nf\n7\n1\ne\nc\nc\ne\n\n\n0\nx\n5\n5\n4\n7\na\n4\n6\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n6\na\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n6\na\n5\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n2\n0\n4\n1\n4\n5\n \n@\n \n0\nx\n6\ne\nf\nd\n4\n1\n4\n5\n\n\ns\ny\ns\nt\ne\nm\n+\n0\nx\n1\nf\n6\nd\n7\n1\n \n@\n \n0\nx\n6\ne\nf\nc\n6\nd\n7\n1",
"registers": {
"esp": 8298508,
"edi": 8298888,
"eax": 0,
"ebp": 8298904,
"edx": 52542852,
"ebx": 52737444,
"esi": 52177724,
"ecx": 0
},
"exception": {
"instruction_r": "8b 01 ff 50 48 8b c8 8b 15 f4 91 1c 04 8b 01 ff",
"instruction": "mov eax, dword ptr [ecx]",
"exception_code": "0xc0000005",
"symbol": "",
"address": "0x5df05c9"
}
},
"time": 1574790807.375,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 9354
}
],
"references": [],
"name": "raises_exception"
},
{
"markcount": 147,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74ac1000"
},
"time": 1574790785.969,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74a91000"
},
"time": 1574790786.141,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 509
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70c51000"
},
"time": 1574790786.453,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 85
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74634000"
},
"time": 1574790786.453,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 87
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70c51000"
},
"time": 1574790786.469,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 222
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0096a000"
},
"time": 1574790786.484,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 345
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70c52000"
},
"time": 1574790786.484,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 346
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00962000"
},
"time": 1574790786.484,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 347
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00972000"
},
"time": 1574790786.5,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 456
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x64021000"
},
"time": 1574790786.5,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 483
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x75ce1000"
},
"time": 1574790786.5,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 485
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x749e1000"
},
"time": 1574790786.5,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 487
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x745b1000"
},
"time": 1574790786.531,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 640
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x760d1000"
},
"time": 1574790786.563,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 934
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74531000"
},
"time": 1574790786.578,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 1219
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74511000"
},
"time": 1574790786.578,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 1221
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x744d1000"
},
"time": 1574790786.578,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 1231
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74491000"
},
"time": 1574790786.641,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 1672
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x75b61000"
},
"time": 1574790786.641,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 1674
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74481000"
},
"time": 1574790786.656,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 1966
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x743e1000"
},
"time": 1574790786.984,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2050
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74391000"
},
"time": 1574790786.984,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2052
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77311000"
},
"time": 1574790786.984,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2071
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x77b61000"
},
"time": 1574790786.984,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2073
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74381000"
},
"time": 1574790787.078,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2122
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x73b11000"
},
"time": 1574790787.078,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2162
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x73af1000"
},
"time": 1574790787.078,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2250
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x73a71000"
},
"time": 1574790792.344,
"tid": 2468,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 2466
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x750a1000"
},
"time": 1574790806.141,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 3795
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x73a51000"
},
"time": 1574790806.141,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 1676,
"type": "call",
"cid": 3807
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00973000"
},
"time": 1574790806.313,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4877
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009bb000"
},
"time": 1574790806.313,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4889
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009b7000"
},
"time": 1574790806.313,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4890
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0097c000"
},
"time": 1574790806.313,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4931
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x05540000"
},
"time": 1574790806.313,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4941
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00975000"
},
"time": 1574790806.328,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4942
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00986000"
},
"time": 1574790806.328,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4943
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00976000"
},
"time": 1574790806.328,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4945
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00977000"
},
"time": 1574790806.328,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 4947
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0098a000"
},
"time": 1574790806.359,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5062
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00987000"
},
"time": 1574790806.359,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5063
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00978000"
},
"time": 1574790806.359,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5104
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0099a000"
},
"time": 1574790806.359,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5113
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00992000"
},
"time": 1574790806.359,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5126
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009b5000"
},
"time": 1574790806.375,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5154
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x05541000"
},
"time": 1574790806.391,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5183
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00979000"
},
"time": 1574790806.391,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5189
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x05542000"
},
"time": 1574790806.391,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5194
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0099c000"
},
"time": 1574790806.406,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5196
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1676,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x05560000"
},
"time": 1574790806.406,
"tid": 2872,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 1676,
"type": "call",
"cid": 5200
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 2,
"families": [],
"description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
"severity": 2,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceW",
"return_value": 1,
"arguments": {
"root_path": "\\",
"sectors_per_cluster": 8,
"number_of_free_clusters": 5740756,
"total_number_of_clusters": 8362495,
"bytes_per_sector": 512
},
"time": 1574790785.969,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 59
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetDiskFreeSpaceW",
"return_value": 1,
"arguments": {
"root_path": "\\",
"sectors_per_cluster": 8,
"number_of_free_clusters": 5740756,
"total_number_of_clusters": 8362495,
"bytes_per_sector": 512
},
"time": 1574790785.969,
"tid": 2420,
"flags": {}
},
"pid": 2816,
"type": "call",
"cid": 76
}
],
"references": [],
"name": "antivm_disk_size"
},
{
"markcount": 1,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 3,
"families": [],
"description": "Executes one or more WMI queries",
"severity": 2,
"marks": [
{
"category": "wmi",
"ioc": "select * from Win32_OperatingSystem",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "SELECT * FROM Win32_PhysicalMedia",
"type": "ioc",
"description": null
},
{
"category": "wmi",
"ioc": "Select ProcessorId From Win32_processor",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_wmi"
},
{
"markcount": 1,
"families": [],
"description": "Checks adapter addresses which can be used to detect virtual network interfaces",
"severity": 2,
"marks": [
{
"call": {
"category": "network",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "GetAdaptersAddresses",
"return_value": 111,
"arguments": {
"flags": 15,
"family": 0
},
"time": 1574790787.078,
"tid": 2468,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 2254
}
],
"references": [],
"name": "antivm_network_adapters"
},
{
"markcount": 2,
"families": [],
"description": "The binary likely contains encrypted or compressed data indicative of a packer",
"severity": 2,
"marks": [
{
"entropy": 7.7833856490976565,
"section": {
"size_of_data": "0x001ef800",
"virtual_address": "0x0000c000",
"entropy": 7.7833856490976565,
"name": ".rsrc",
"virtual_size": "0x001ef800"
},
"type": "generic",
"description": "A section with a high entropy has been found"
},
{
"entropy": 0.9838669645073219,
"type": "generic",
"description": "Overall entropy of this PE file is high"
}
],
"references": [
"http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
"http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
],
"name": "packer_entropy"
},
{
"markcount": 1,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1574790806.5,
"tid": 2872,
"flags": {}
},
"pid": 1676,
"type": "call",
"cid": 5483
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 1,
"families": [],
"description": "Executes one or more WMI queries which can be used to identify virtual machines",
"severity": 2,
"marks": [
{
"category": "wmi",
"ioc": "Select ProcessorId From Win32_processor",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "wmi_antivm"
},
{
"markcount": 1,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
"reg_value": "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\\""
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 6,
"families": [],
"description": "Attempts to modify browser security settings",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\\AppSync.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_NINPUT_LEGACYMODE\\AppSync.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_WEBOC_DOCUMENT_ZOOM\\AppSync.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_GPU_RENDERING\\AppSync.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_AJAX_CONNECTIONEVENTS\\AppSync.exe",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AppSync.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "browser_security"
},
{
"markcount": 2,
"families": [],
"description": "Attempts to create or modify system certificates",
"severity": 3,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\8F43288AD272F3103B6FB1428485EA3014C0BCFE\\Blob",
"type": "ioc",
"description": null
},
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\\Blob",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "modifies_certificates"
},
{
"markcount": 1,
"families": [],
"description": "Uses Sysinternals tools in order to add additional command line functionality",
"severity": 3,
"marks": [
{
"category": "cmdline",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\AppSync.exe",
"type": "ioc",
"description": null
}
],
"references": [
"docs.microsoft.com\/en-us\/sysinternals\/downloads\/"
],
"name": "sysinternals_tools_usage"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 662,
"time": 6.218070983886719,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 13118,
"time": 12.217803955078125,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 14962,
"time": 9.16071891784668,
"dport": 5355,
"sport": 49840
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 15282,
"time": 6.154805898666382,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 15610,
"time": 14.348017930984497,
"dport": 5355,
"sport": 52259
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 15930,
"time": 4.1614110469818115,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 16258,
"time": 6.162499904632568,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 16586,
"time": 24.136492013931274,
"dport": 5355,
"sport": 54237
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 16906,
"time": 4.6595189571380615,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 17234,
"time": 19.523442029953003,
"dport": 5355,
"sport": 54335
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 17554,
"time": 3.051319122314453,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 17882,
"time": 6.474728107452393,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 18202,
"time": 23.801321029663086,
"dport": 5355,
"sport": 58989
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 18522,
"time": 21.542927980422974,
"dport": 5355,
"sport": 59548
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 18842,
"time": 26.384418964385986,
"dport": 5355,
"sport": 60071
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 19162,
"time": 27.52581000328064,
"dport": 5355,
"sport": 62601
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 19482,
"time": 16.92945909500122,
"dport": 5355,
"sport": 63506
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 19802,
"time": 24.927303075790405,
"dport": 5355,
"sport": 63646
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 20122,
"time": 11.76521897315979,
"dport": 5355,
"sport": 64017
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 20442,
"time": 4.67561411857605,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 39852,
"time": 4.179297924041748,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 48236,
"time": 6.249229907989502,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "b471fbf44c4dc72a901e558c3699d69f33b2a6a1d17335b4ec58274eee2aeb16",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "e609e18f3cb1f0996281fd91a90da0cb3c19ceccb5d3b68b993fcd2e414fdc15",
"irc": [],
"https_ex": []
}Screenshots
pupdate.exe removal instructions
The instructions below shows how to remove pupdate.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the pupdate.exe file for removal, restart your computer and scan it again to verify that pupdate.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate pupdate.exe in the scan result and tick the checkbox next to the pupdate.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate pupdate.exe in the scan result.
c:\downloads\pupdate.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the pupdate.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If pupdate.exe still remains in the scan result, proceed with the next step. If pupdate.exe is gone from the scan result you're done.
- If pupdate.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that pupdate.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 8baadc8e0e4cb99aee39ec695f57d2ca |
| SHA256 | 726fbfbd089ab537d9856d85281e07bc9e13906558169087551f875bc952b6b1 |
Error Messages
These are some of the error messages that can appear related to pupdate.exe:
pupdate.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
pupdate.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
Win32 Cabinet Self-Extractor has stopped working.
End Program - pupdate.exe. This program is not responding.
pupdate.exe is not a valid Win32 application.
pupdate.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with pupdate.exe?
To help other users, please let us know what you will do with pupdate.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.