What is testrotected.exe?
testrotected.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected testrotected.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
testrotected.exe is not signed.
VirusTotal report
47 of the 72 anti-virus programs at VirusTotal detected the testrotected.exe file. That's a 65% detection rate.
| Scanner | Detection Name |
|---|---|
| Acronis | suspicious |
| Ad-Aware | Trojan.GenericKD.41130150 |
| AegisLab | Trojan.Win32.Generic.4!c |
| AhnLab-V3 | Malware/Win32.Backdoor.C3115924 |
| Alibaba | Trojan:Win32/Tiggre.964c11dd |
| ALYac | Trojan.GenericKD.41130150 |
| Antiy-AVL | Trojan/Generic.ASVCS3S.1E5 |
| Arcabit | Trojan.Generic.D27398A6 |
| Avast | Win32:Malware-gen |
| AVG | Win32:Malware-gen |
| Avira | TR/Autoit.sberm |
| BitDefender | Trojan.GenericKD.41130150 |
| CrowdStrike | win/malicious_confidence_90% (W) |
| Cybereason | malicious.4cd541 |
| Cylance | Unsafe |
| Cyren | W32/Nymeria.E.gen!Eldorado |
| DrWeb | Trojan.Nanocore.528 |
| Emsisoft | Trojan.GenericKD.41130150 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | a variant of Win32/Injector.Autoit.DUZ |
| F-Prot | W32/Nymeria.E.gen!Eldorado |
| F-Secure | Trojan.TR/Autoit.sberm |
| FireEye | Generic.mg.4985880f27cc2d2d |
| Fortinet | AutoIt/Injector.DUO!tr |
| GData | Trojan.GenericKD.41130150 |
| Ikarus | Trojan.Autoit |
| Invincea | heuristic |
| K7AntiVirus | Trojan ( 0054a3571 ) |
| K7GW | Trojan ( 0054a3571 ) |
| Kaspersky | HEUR:Trojan.Win32.Generic |
| MAX | malware (ai score=100) |
| McAfee | Artemis!4985880F27CC |
| McAfee-GW-Edition | BehavesLike.Win32.Downloader.th |
| Microsoft | Trojan:Win32/Tiggre!rfn |
| MicroWorld-eScan | Trojan.GenericKD.41130150 |
| NANO-Antivirus | Trojan.Win32.Nanocore.fogdvh |
| Paloalto | generic.ml |
| Panda | Trj/CI.A |
| Qihoo-360 | HEUR/QVM10.2.F8D9.Malware.Gen |
| SentinelOne | DFI - Suspicious PE |
| Sophos | Mal/Generic-S |
| Symantec | Trojan.Gen.MBT |
| Tencent | Win32.Trojan.Autoit.Auto |
| TrendMicro | Backdoor.Win32.NANOCORE.THCBAAI |
| TrendMicro-HouseCall | Backdoor.Win32.NANOCORE.THCBAAI |
| VIPRE | Trojan.Win32.AutoIt.ypa (v) |
| ZoneAlarm | HEUR:Trojan.Win32.Generic |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat"
],
"file_recreated": [
"\\Device\\KsecDD"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs",
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck"
],
"dll_loaded": [
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
"urlmon.dll",
"kernel32",
"ntdll",
"apphelp.dll",
"gdi32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"Advapi32.dll",
"kernel32.dll",
"UxTheme.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll",
"ADVAPI32.dll",
"ntmarta.dll",
"bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"PROPSYS.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"SspiCli.dll",
"advapi32.dll",
"comctl32",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"IMM32.dll",
"C:\\Windows\\system32\\sfc.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dnsapi.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll",
"XmlLite.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
"AdvApi32.dll",
"uxtheme.dll",
"OLEAUT32.dll",
"profapi.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"dnsapi.dll",
"psapi.dll",
"comctl32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"SHELL32.dll",
"VERSION.dll",
"mscoree.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll",
"shfolder.dll",
"shell32.dll",
"SETUPAPI.dll",
"user32.dll",
"ws2_32.dll"
],
"file_opened": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Windows\\SysWOW64\\schtasks.exe",
"C:\\Windows\\AppPatch\\sysmain.sdb",
"C:\\",
"C:\\Windows\\SysWOW64\\",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\SysWOW64",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\FileMaps\\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Windows"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CLASSES_ROOT\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_CLASSES_ROOT\\Directory",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\AppCompat",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CLASSES_ROOT\\.com",
"HKEY_CLASSES_ROOT\\.bas",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_CLASSES_ROOT\\.cmd",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_CLASSES_ROOT\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_CLASSES_ROOT\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer",
"HKEY_CLASSES_ROOT\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\292d2ab",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\(Default)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Progid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder",
"HKEY_CLASSES_ROOT\\exefile",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegAsm.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\DropTarget",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.cpl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\ProgIDs\\exefile",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CLASSES_ROOT\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_CLASSES_ROOT\\.bat",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\schtasks.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Clsid",
"HKEY_CLASSES_ROOT\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_CLASSES_ROOT\\.app",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CLASSES_ROOT\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\ddeexec",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_CLASSES_ROOT\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
"HKEY_CLASSES_ROOT\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CLASSES_ROOT\\.exe\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PropertyBag",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.chm",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder",
"HKEY_CLASSES_ROOT\\Folder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}",
"HKEY_CURRENT_USER\\Control Panel\\International",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\26d19501",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5aa75839\\10fdf3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CLASSES_ROOT\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.ade",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\schtasks.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.adp",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\4ecde57e\\31d9ddbb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_CLASSES_ROOT\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\a054161\\46043f61",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder",
"HKEY_CLASSES_ROOT\\AllFilesystemObjects",
"HKEY_CLASSES_ROOT\\.cer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open",
"HKEY_CLASSES_ROOT\\.asp",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_CLASSES_ROOT\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\.csh",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\OpenWithProgids",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
"HKEY_CLASSES_ROOT\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.crt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}",
"HKEY_CLASSES_ROOT\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a"
],
"resolves_host": [
"dish123newpro.publicvm.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
],
"command_line": [
"schtasks \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"\"C:\\Windows\\SysWOW64\\schtasks.exe\" \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#\\Lzma#.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin\\ClientPlugin.dll",
"C:\\Windows\\SysWOW64\\schtasks.exe",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\catalog.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat",
"C:\\Windows\\SysWOW64\\schtasks.exe:Zone.Identifier",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin.dll",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#.dll",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Windows\\SysWOW64\\propsys.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources.dll",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Exceptions\\1.2.2.0",
"C:\\Users\\cuck",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\storage.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bak",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.PDB",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\System32\\propsys.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#\\Lzma#.exe",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin:Zone.Identifier",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin\\ClientPlugin.exe"
],
"mutex": [
"Global\\{c253fe26-7f15-444b-bcbf-bdaaa6a4fb19}",
"Local\\ZonesLockedCacheCounterMutex",
"Local\\ZoneAttributeCacheCounterMutex",
"Local\\ZonesCacheCounterMutex",
"Global\\.net clr networking",
"at"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier",
"C:\\Windows\\RegAsm.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\symbols\\exe\\RegAsm.pdb",
"C:\\Windows\\dll\\System.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Windows\\symbols\\dll\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.pdb",
"C:\\Windows\\exe\\RegAsm.pdb",
"C:\\Windows\\System.pdb"
],
"guid": [
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{79eac9ee-baf9-11ce-8c82-00aa004ba90b}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}",
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}",
"{871c5380-42a0-1069-a2ea-08002b30309d}",
"{000214e6-0000-0000-c000-000000000046}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"
],
"file_read": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\FileMaps\\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{04731B67-D933-450A-90E6-4ACD2E9408FE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{645FF040-5081-101B-9F08-00AA002F954E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\Flags",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{9343812E-1C37-4A49-A12E-4B2D810D956B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\QueryForOverlay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\UseDropHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{450D8FBA-AD25-11D0-98A8-0800361B1103}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\LogIgnoreMonitorReason",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bat\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NoStaticDefaultVerb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\NoFileFolderJunction",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsFORPARSING",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\2D132F93",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{11016101-E366-4D22-BC06-4ADA335C892B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\SetWorkingDirectoryFromTarget",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{E345F35F-9397-435C-8F95-4E922C26259E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\*",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\QueryForOverlay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bas\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\DelegateExecute",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{89D83576-6BD1-4C86-9454-BEB04E94C819}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpl\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\NoWorkingDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\InheritConsoleHandles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\command",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{26EE0668-A00A-44D7-9371-BEB064C98683}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\TransparentEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\NeverDefault",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.com\\(Default)",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cmd\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\RestrictRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder"
],
"directory_enumerated": [
"C:\\Windows\\SysWOW64\\schtasks.exe",
"C:\\Windows\\SysWOW64",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.INI",
"C:\\Users",
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Windows\\SysWOW64\\*.*",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\SysWOW64\\schtasks.*",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin:Zone.Identifier"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
]
}Dropped
[
{
"yara": [],
"sha1": "9d49f2213a0a97a1363f7dd04221432d08741101",
"name": "5d3f2e5a231bd545_run.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat",
"type": "ISO-8859 text, with no line terminators",
"sha256": "5d3f2e5a231bd5452456c984a6b044361480dc1f1910cff9c00bb6e2edd944c9",
"urls": [],
"crc32": "EB9FE95B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/6957\/files\/5d3f2e5a231bd545_run.dat",
"ssdeep": null,
"size": 8,
"sha512": "165f85e2655571d82f769b2e7a4bb84c514fb190355d7cb575925ed627b50952ebbfec9d5e1106d2075171872b6e2f349384f1d89d1f6f6f51c0368acb7b26a9",
"pids": [
2584
],
"md5": "ac71fde5fb05f4e4badc94cc2858c195"
},
{
"yara": [],
"sha1": "356e48b85fc6c7234b5b6b9f11408fffcf93b9d2",
"name": "60dd5ead89069eec_shutdown.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "60dd5ead89069eecf5685036b4ef633847a739640ee49f266a274df5c0112a16",
"urls": [],
"crc32": "1B243B59",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/6957\/files\/60dd5ead89069eec_shutdown.exe",
"ssdeep": null,
"size": 1302024,
"sha512": "d4c1717194c547017a55d23c4f5b11a8b81d14aea44a754dab2054cd52a1fee86b48bf9fb8ed69d216574b00ef89f27259c121298aa37285196ee5effbf06a9c",
"pids": [
1268
],
"md5": "1c9d226f3bfb3046cb226487cf47617d"
}
]Generic
[
{
"process_path": "C:\\Windows\\SysWOW64\\schtasks.exe",
"process_name": "schtasks.exe",
"pid": 2648,
"summary": {
"file_opened": [
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"guid": [
"{2faba4c7-4da9-4013-9697-20cc3fd40f85}",
"{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"dll_loaded": [
"ADVAPI32.dll",
"VERSION.dll",
"kernel32.dll",
"XmlLite.dll",
"SspiCli.dll"
]
},
"first_seen": 1587333262.343124,
"ppid": 1268
},
{
"process_path": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"process_name": "RegAsm.exe",
"pid": 2584,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat"
],
"file_recreated": [
"\\Device\\KsecDD"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck"
],
"dll_loaded": [
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.VisualBas#\\08d608378aa405adc844f3cf36974b8c\\Microsoft.VisualBasic.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\culture.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll",
"ntdll",
"gdi32.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ws2_32.dll",
"kernel32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Windows.Forms\\3afcd5168c7a6cb02eab99d7fd71e102\\System.Windows.Forms.ni.dll",
"dwmapi.dll",
"ntdll.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Drawing\\dbfe8642a8ed7b2b103ad28e0c96418a\\System.Drawing.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ole32.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\ntdll.dll",
"ADVAPI32.dll",
"bcrypt.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll",
"advapi32.dll",
"ole32.dll",
"SHLWAPI.dll",
"CRYPTSP.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\dnsapi.dll",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\bcrypt.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\psapi.dll",
"AdvApi32.dll",
"uxtheme.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll",
"dnsapi.dll",
"psapi.dll",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll",
"ws2_32.dll",
"mscoree.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\uxtheme.dll",
"shfolder.dll",
"shell32.dll",
"user32.dll"
],
"file_opened": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Windows\\System32\\l_intl.nls",
"C:\\Windows\\assembly\\pubpol4.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\assembly\\NativeImages_v2.0.50727_32\\index127.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.Accessibility__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Web__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\RegAsm.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Deployment__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Configuration__b03f5f7f11d50a3a",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\LocalIntranet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\AppPatch",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Remoting__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80",
"HKEY_CLASSES_ROOT\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\4ecde57e\\31d9ddbb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Windows.Forms__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets\\Internet",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Management__b03f5f7f11d50a3a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_CURRENT_USER\\Control Panel\\International",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Security__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\292d2ab",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Data.SqlXml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Security\\Policy\\Extensions\\NamedPermissionSets",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Drawing__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Standards\\v2.0.50727",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Installer\\Assemblies\\C:|Windows|Microsoft.NET|Framework|v2.0.50727|RegAsm.exe.Config",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\219e9581\\26d19501",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\v2.0.50727\\Security\\Policy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\StrongName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Fusion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\PublisherPolicy\\Default",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Xml__b77a5c561934e089",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\5aa75839\\10fdf3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Fusion\\GACChangeNotification\\Default",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\Managed\\S-1-5-21-699399860-4089948139-3198924279-1001\\Installer\\Assemblies\\Global",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\Upgrades",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.2.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\a054161\\46043f61",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87",
"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\.NETFramework\\Policy\\APTCA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\Policy\\v2.0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\.NETFramework\\Policy\\Standards",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\policy.8.0.Microsoft.VisualBasic__b03f5f7f11d50a3a",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064"
],
"resolves_host": [
"dish123newpro.publicvm.com"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#\\Lzma#.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin\\ClientPlugin.dll",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Logs\\cuck",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\fusion.localgac",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\catalog.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\run.dat",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin.dll",
"C:\\Windows\\Globalization\\en-us.nlp",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#.dll",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources.dll",
"C:\\Windows\\assembly\\GAC\\PublisherPolicy.tme",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bin",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources.dll",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\Exceptions\\1.2.2.0",
"C:\\Users\\cuck",
"C:\\Windows\\Globalization\\en.nlp",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\storage.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\CB9D2EC8-77AE-49E5-9FEC-16D9EA7FA00C\\settings.bak",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.PDB",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Lzma#\\Lzma#.exe",
"C:\\Windows\\System32\\MSCOREE.DLL.local",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en\\SurveillanceExClientPlugin.resources\\SurveillanceExClientPlugin.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\en-US\\SurveillanceExClientPlugin.resources.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\ClientPlugin\\ClientPlugin.exe"
],
"mutex": [
"Global\\.net clr networking",
"Global\\{c253fe26-7f15-444b-bcbf-bdaaa6a4fb19}"
],
"file_failed": [
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config.cch",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe:Zone.Identifier",
"C:\\Windows\\RegAsm.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\enterprisesec.config",
"C:\\Windows\\symbols\\exe\\RegAsm.pdb",
"C:\\Windows\\dll\\System.pdb",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config.cch",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\security.config",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\CLR Security Config\\v2.0.50727.312\\security.config",
"C:\\Windows\\symbols\\dll\\System.pdb",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.pdb",
"C:\\Windows\\exe\\RegAsm.pdb",
"C:\\Windows\\System.pdb"
],
"file_read": [
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.Config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe.config",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\CONFIG\\machine.config"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgJITDebugLaunchSetting",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\LatestIndex",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Data.SqlXml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\DisplayName",
"HKEY_CURRENT_USER\\Control Panel\\International\\sYearMonth",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\CLRLoadLogDir",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\First Counter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DevOverrideEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NoClientChecks",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\CategoryOptions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DownloadCacheQuotaInKB",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\IsMultiInstance",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LoggingLevel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\ILUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\UseLegacyIdentityFormat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStart",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\Server\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\OnlyUseLatestCLR",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Modules",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Library",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DbgManagedDebugger",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Xml,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\index127\\NIUsageMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\Status",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\475dce40\\2d382ce6\\85\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\CacheLocation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\LegacyPolicyTimeStamp",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\24bf93f6\\455bab30\\6e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\VersioningLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\GCStressStartAtJit",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\mscorlib,2.0.0.0,,b77a5c561934e089,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\f6e8397\\46ad0879\\6f\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\\InprocServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2b1a4e4\\38a3212c\\44\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\Latest",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\InstallRoot",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\Accessibility,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3f50fe4f\\6f1da7aa\\88\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogResourceBinds",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\6faf58\\19ab8d57\\86\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\424bd4d8\\1c83327b\\86\\LastModTime",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\Counter Names",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\EnableLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\InstallationType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ConfigString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\159a66b8\\424bd4d8\\87\\MVID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\.NETFramework\\DisableConfigCache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\ILDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\ForceLog",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\LogFailures",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\.NET CLR Networking\\Performance\\FileMappingSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\c991064\\2bd33e1c\\79\\Modules",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\ConfigMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\3cca06a0\\6dc7d4c0\\7b\\MissingDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Windows.Forms,2.0.0.0,,b77a5c561934e089,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\61e7e666\\c991064\\7a\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\30bc7c4f\\3f50fe4f\\88\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\41c04c7e\\7f3b6ac4\\78\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Web,2.0.0.0,,b03f5f7f11d50a3a,x86",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\75638fee\\7566cac\\84\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\19ab8d57\\1bd7b0d8\\87\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\181938c6\\7950e2c5\\83\\EvalationData",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\4f99a7c9\\53bea2b0\\2e\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\DisableMSIPeek",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\2dd6ac50\\163e1f5e\\80\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\SIG",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\7950e2c5\\183e33de\\83\\DisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\NI\\1c22df2f\\4f99a7c9\\2e\\NIDependencies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\GACChangeNotification\\Default\\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\3ced59c5\\1b2590b1\\7c\\LastModTime",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\NativeImagesIndex\\v2.0.50727_32\\IL\\6dc7d4c0\\a5cd4db\\7e\\Status",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Fusion\\PublisherPolicy\\Default\\index4"
],
"directory_enumerated": [
"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\8.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\Upgrades.2.0.50727\\mscoreei.dll",
"C:\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\\msvcr80.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"C:\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\mscorlib.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Drawing\\2.0.0.0__b03f5f7f11d50a3a\\System.Drawing.INI",
"C:\\Windows",
"C:\\Windows\\winsxs",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscoreei.dll",
"C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.INI",
"C:\\Windows\\assembly\\GAC_MSIL\\System.Windows.Forms\\2.0.0.0__b77a5c561934e089\\System.Windows.Forms.INI",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll"
]
},
"first_seen": 1587333260.858751,
"ppid": 1268
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1587333190.296875,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"process_name": "dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"pid": 1268,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT"
],
"dll_loaded": [
"C:\\Windows\\system32\\sfc.dll",
"urlmon.dll",
"kernel32",
"apphelp.dll",
"dwmapi.dll",
"kernel32.dll",
"UxTheme.dll",
"Advapi32.dll",
"ntmarta.dll",
"PROPSYS.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"comctl32",
"ole32.dll",
"CRYPTSP.dll",
"IMM32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"OLEAUT32.dll",
"profapi.dll",
"SHELL32.dll",
"comctl32.dll",
"ADVAPI32.dll",
"SETUPAPI.dll"
],
"file_opened": [
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\SysWOW64\\schtasks.exe",
"C:\\Windows\\AppPatch\\sysmain.sdb",
"C:\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Windows\\SysWOW64\\",
"C:\\Windows\\winsxs\\FileMaps\\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"C:\\Windows\\SysWOW64"
],
"regkey_opened": [
"HKEY_CLASSES_ROOT\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\ShellEx\\IconHandler",
"HKEY_CLASSES_ROOT\\.cmd",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562",
"HKEY_CLASSES_ROOT\\Directory",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\AppCompat",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}",
"HKEY_CLASSES_ROOT\\.crt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\CurVer",
"HKEY_CLASSES_ROOT\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\LSA\\AccessProviders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder",
"HKEY_CLASSES_ROOT\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.com",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\Clsid",
"HKEY_CLASSES_ROOT\\.app",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\DropTarget",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.cpl",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\ProgIDs\\exefile",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CLASSES_ROOT\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\KnownFolders",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security",
"HKEY_LOCAL_MACHINE\\System\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\schtasks.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\Directory",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\Clsid",
"HKEY_CLASSES_ROOT\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PropertyBag",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\CurVer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_CLASSES_ROOT\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_CLASSES_ROOT\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\Progid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\4",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_CLASSES_ROOT\\.exe\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppCompat",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Shell\\RegisteredApplications\\UrlAssociations\\Directory\\OpenWithProgids",
"HKEY_CLASSES_ROOT\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.chm",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder",
"HKEY_CLASSES_ROOT\\Folder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Associations",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Blocked",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\Clsid",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PropertyBag",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\ddeexec",
"HKEY_CLASSES_ROOT\\.bas",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.ade",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Paths\\schtasks.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LDAP",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\0",
"HKEY_CLASSES_ROOT\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder",
"HKEY_CLASSES_ROOT\\.adp",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace\\DelegateFolders",
"HKEY_CLASSES_ROOT\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SessionInfo\\1\\Desktop\\NameSpace",
"HKEY_CLASSES_ROOT\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CLASSES_ROOT\\.bat",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder",
"HKEY_CLASSES_ROOT\\AllFilesystemObjects",
"HKEY_CLASSES_ROOT\\.cer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open",
"HKEY_CLASSES_ROOT\\.asp",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\3",
"HKEY_CLASSES_ROOT\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\1",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\Explorer",
"HKEY_CLASSES_ROOT\\exefile",
"HKEY_CLASSES_ROOT\\.csh",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Desktop\\NameSpace",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones\\2",
"HKEY_CLASSES_ROOT\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Objects\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_CLASSES_ROOT\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
"HKEY_CLASSES_ROOT\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}",
"HKEY_CLASSES_ROOT\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe"
],
"regkey_deleted": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName"
],
"file_exists": [
"C:\\Windows\\SysWOW64\\schtasks.exe",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Windows\\System32\\propsys.dll",
"C:\\Windows\\SysWOW64\\schtasks.exe:Zone.Identifier",
"C:\\Windows\\SysWOW64\\propsys.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin:Zone.Identifier",
"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT"
],
"mutex": [
"Local\\ZonesCacheCounterMutex",
"at",
"Local\\ZoneAttributeCacheCounterMutex",
"Local\\ZonesLockedCacheCounterMutex"
],
"guid": [
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{79eac9ee-baf9-11ce-8c82-00aa004ba90b}",
"{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}",
"{871c5380-42a0-1069-a2ea-08002b30309d}",
"{000214e6-0000-0000-c000-000000000046}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}"
],
"command_line": [
"schtasks \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"\"C:\\Windows\\SysWOW64\\schtasks.exe\" \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F"
],
"file_read": [
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\winsxs\\FileMaps\\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"C:\\Windows\\SysWOW64\\ieframe.dll"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{04731B67-D933-450A-90E6-4ACD2E9408FE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{daf95313-e44d-46af-be1b-cbacea2c3065}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\2\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\RestrictedAttributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cer\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bat\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\RelativePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{645FF040-5081-101B-9F08-00AA002F954E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HideFolderVerbs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\ParentFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\QueryForOverlay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\0\\1806",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HideFolderVerbs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsFORPARSING",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{9343812E-1C37-4A49-A12E-4B2D810D956B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.chm\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{450D8FBA-AD25-11D0-98A8-0800361B1103}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\LogIgnoreMonitorReason",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{208D2C60-3AEA-1069-A2D7-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\KindMap\\.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsParseDisplayName",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{89D83576-6BD1-4c86-9454-BEB04E94C819}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Security",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Category",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\MachineThrottling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.com\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{645FF040-5081-101B-9F08-00AA002F954E}\\SuppressionPolicy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\QueryForInfoTip",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\NoStaticDefaultVerb",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\LocalRedirectOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\AccessProviders\\MartaExtension",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\InProcServer32\\LoadWithoutCOM",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\NoFileFolderJunction",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{11016101-E366-4D22-BC06-4ADA335C892B}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledProcesses\\2D132F93",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{04731B67-D933-450a-90E6-4ACD2E9408FE}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\SetWorkingDirectoryFromTarget",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{11016101-E366-4D22-BC06-4ADA335C892B}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\RelativePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\PreCreate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Icon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{ED228FDF-9EA8-4870-83b1-96b02CFE0D52}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.crt\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{E345F35F-9397-435C-8F95-4E922C26259E}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_LOCALMACHINE_LOCKDOWN\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{9343812e-1c37-4a49-a12e-4b2d810d956b}\\SuppressionPolicy",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\1\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN\\*",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_PROTOCOL_LOCKDOWN\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\StreamResourceType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Category",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.bas\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Description",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\InitFolderHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\PublishExpandedPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\DelegateExecute",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Name",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{89D83576-6BD1-4C86-9454-BEB04E94C819}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cpl\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\NoWorkingDirectory",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\InheritConsoleHandles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\DisabledSessions\\GlobalSession",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\FolderTypeID",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseOldHostResolutionOrder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Directory\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\Attributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\MAIN\\FeatureControl\\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{B4FB3F98-C1EA-428D-A78A-D1F5659CBA93}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\command",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{26EE0668-A00A-44D7-9371-BEB064C98683}",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\UseHostnameAsAlias",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\TransparentEnabled",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\LocalizedName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\NeverDefault",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{04731B67-D933-450A-90E6-4ACD2E9408FE}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\SpecialFoldersCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.cmd\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Roamable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\LDAP\\LdapClientIntegrity",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{871C5380-42A0-1069-A2EA-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DisallowRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{e345f35f-9397-435c-8f95-4e922c26259e}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\CreateUriCacheSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\StreamResource",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{E345F35F-9397-435C-8F95-4E922C26259E}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{9343812E-1C37-4A49-A12E-4B2D810D956B}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\Desktop\\NameSpace\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\SuppressionPolicy",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{89D83576-6BD1-4C86-9454-BEB04E94C819}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\RestrictedAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\Security",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\DisableSecuritySettingsCheck",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\\ParsingName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\EnablePunycode",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.asp\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Stream",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.exe\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4\\Flags",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\AllFilesystemObjects\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached\\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\RestrictRun",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Folder\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{ED228FDF-9EA8-4870-83B1-96B02CFE0D52}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{26EE0668-A00A-44D7-9371-BEB064C98683}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{11016101-E366-4D22-BC06-4ADA335C892B}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\\ParentFolder"
],
"directory_enumerated": [
"C:\\Windows\\SysWOW64\\schtasks.*",
"C:\\Windows\\SysWOW64\\schtasks.exe",
"C:\\Windows\\SysWOW64",
"C:\\Windows\\SysWOW64\\ieframe.dll",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\SysWOW64\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Windows",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99.bin:Zone.Identifier"
],
"regkey_written": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet"
]
},
"first_seen": 1587333190.765625,
"ppid": 2308
}
]Signatures
[
{
"markcount": 2,
"families": [],
"description": "Queries for the computername",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1587333261.999751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 1959
},
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "GetComputerNameW",
"return_value": 1,
"arguments": {
"computer_name": "CUCKPC"
},
"time": 1587333262.453124,
"tid": 2508,
"flags": {}
},
"pid": 2648,
"type": "call",
"cid": 39
}
],
"references": [],
"name": "antivm_queries_computername"
},
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1587333190.890625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 66
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741700,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1587333260.967751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 315
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "Command line console output was observed",
"severity": 1,
"marks": [
{
"call": {
"category": "misc",
"status": 1,
"stacktrace": [],
"api": "WriteConsoleW",
"return_value": 1,
"arguments": {
"buffer": "SUCCESS: The scheduled task \"BrokerLib\" has successfully been created.\n",
"console_handle": "0x00000007"
},
"time": 1587333262.515124,
"tid": 2508,
"flags": {}
},
"pid": 2648,
"type": "call",
"cid": 51
}
],
"references": [],
"name": "console_output"
},
{
"markcount": 1,
"families": [],
"description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
"severity": 1,
"marks": [
{
"category": "registry",
"ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "recon_fingerprint"
},
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1587333261.952751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 1800
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 91,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1268,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x00360000"
},
"time": 1587333259.015625,
"tid": 2740,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1268,
"type": "call",
"cid": 8894
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 1268,
"region_size": 229376,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x007b0000"
},
"time": 1587333259.062625,
"tid": 2740,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1268,
"type": "call",
"cid": 8911
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70d21000"
},
"time": 1587333260.936751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2584,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74534000"
},
"time": 1587333260.936751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2584,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70d21000"
},
"time": 1587333260.952751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2584,
"type": "call",
"cid": 203
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004ba000"
},
"time": 1587333260.967751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 326
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 8192,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x70d22000"
},
"time": 1587333260.967751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2584,
"type": "call",
"cid": 327
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004b2000"
},
"time": 1587333260.967751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 328
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c2000"
},
"time": 1587333260.983751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 433
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c3000"
},
"time": 1587333260.999751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 522
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004fb000"
},
"time": 1587333260.999751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 529
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004f7000"
},
"time": 1587333260.999751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 530
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x75081000"
},
"time": 1587333260.999751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2584,
"type": "call",
"cid": 574
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c4000"
},
"time": 1587333261.311751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 781
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c5000"
},
"time": 1587333261.311751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 782
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c6000"
},
"time": 1587333261.311751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 783
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004cc000"
},
"time": 1587333261.311751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 784
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00960000"
},
"time": 1587333261.342751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 864
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 327680,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 1056768,
"base_address": "0x7ef60000"
},
"time": 1587333261.342751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2584,
"type": "call",
"cid": 876
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef60000"
},
"time": 1587333261.342751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 877
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef60000"
},
"time": 1587333261.342751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 878
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 1056768,
"base_address": "0x7ef50000"
},
"time": 1587333261.342751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE|MEM_TOP_DOWN"
}
},
"pid": 2584,
"type": "call",
"cid": 879
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x7ef50000"
},
"time": 1587333261.342751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 880
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004ea000"
},
"time": 1587333261.342751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 881
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c7000"
},
"time": 1587333261.358751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 886
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004da000"
},
"time": 1587333261.358751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 896
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004d7000"
},
"time": 1587333261.358751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 897
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004bb000"
},
"time": 1587333261.358751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 956
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004d6000"
},
"time": 1587333261.374751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 988
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c8000"
},
"time": 1587333261.389751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1084
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004ca000"
},
"time": 1587333261.405751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1093
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74e01000"
},
"time": 1587333261.421751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2584,
"type": "call",
"cid": 1109
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00980000"
},
"time": 1587333261.421751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1117
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00961000"
},
"time": 1587333261.436751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1256
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004f5000"
},
"time": 1587333261.436751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1257
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00962000"
},
"time": 1587333261.467751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1268
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 524288,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 8192,
"base_address": "0x00ff0000"
},
"time": 1587333261.483751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_RESERVE"
}
},
"pid": 2584,
"type": "call",
"cid": 1290
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01030000"
},
"time": 1587333261.483751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1292
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01031000"
},
"time": 1587333261.483751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1293
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01032000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1294
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01033000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1295
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 16384,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01034000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1296
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 28672,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01038000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1297
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x0103f000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1298
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 8192,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01040000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1299
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01042000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1300
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01043000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1301
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01044000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1302
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x004c9000"
},
"time": 1587333261.499751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1304
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x01045000"
},
"time": 1587333261.514751,
"tid": 2576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2584,
"type": "call",
"cid": 1313
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 0,
"families": [],
"description": "Checks whether any human activity is being performed by constantly checking whether the foreground window changed",
"severity": 2,
"marks": [],
"references": [
"https:\/\/www.virusbtn.com\/virusbulletin\/archive\/2015\/09\/vb201509-custom-packer.dkb"
],
"name": "antisandbox_foregroundwindows"
},
{
"markcount": 2,
"families": [],
"description": "Creates a suspicious process",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "schtasks \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "suspicious_process"
},
{
"markcount": 1,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 1,
"families": [],
"description": "A process created a hidden window",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "ShellExecuteExW",
"return_value": 1,
"arguments": {
"parameters": "\/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"filepath": "schtasks",
"filepath_r": "schtasks",
"show_type": 0
},
"time": 1587333262.250625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 10727
}
],
"references": [],
"name": "stealth_window"
},
{
"markcount": 1,
"families": [],
"description": "Checks for the Locally Unique Identifier on the system for a suspicious privilege",
"severity": 2,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "LookupPrivilegeValueW",
"return_value": 1,
"arguments": {
"system_name": "",
"privilege_name": "SeDebugPrivilege"
},
"time": 1587333262.936751,
"tid": 2328,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 2146
}
],
"references": [],
"name": "privilege_luid_check"
},
{
"markcount": 2,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "schtasks \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 4,
"families": [],
"description": "One or more of the buffers contains an embedded PE file",
"severity": 3,
"marks": [
{
"category": "buffer",
"ioc": "Buffer with sha1: 874b7c3c97cc5b13b9dd172fec5a54bc1f258005",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: 92e4dd2c1be51ac5f675644c714ff9d6b8dfef1e",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: 073d0765b39faf7cd1a9385f77918b911817f1da",
"type": "ioc",
"description": null
},
{
"category": "buffer",
"ioc": "Buffer with sha1: 874f3caf663265f7dd18fb565d91b7d915031251",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dumped_buffer2"
},
{
"markcount": 1,
"families": [],
"description": "Allocates execute permission to another process indicative of possible code injection",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 229376,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x0000012c",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1587333259.062625,
"tid": 2740,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1268,
"type": "call",
"cid": 8912
}
],
"references": [],
"name": "allocates_execute_remote_process"
},
{
"markcount": 1,
"families": [],
"description": "Looks for the Windows Idle Time to determine the uptime",
"severity": 3,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "NtQuerySystemInformation",
"return_value": 0,
"arguments": {
"information_class": 8
},
"time": 1587333262.405751,
"tid": 2700,
"flags": {
"information_class": "SystemProcessorPerformanceInformation"
}
},
"pid": 2584,
"type": "call",
"cid": 2099
}
],
"references": [],
"name": "antisandbox_idletime"
},
{
"markcount": 1,
"families": [],
"description": "A process attempted to delay the analysis task.",
"severity": 3,
"marks": [
{
"type": "generic",
"description": "RegAsm.exe tried to sleep 2728307 seconds, actually delayed analysis time by 2728307 seconds"
}
],
"references": [],
"name": "antisandbox_sleep"
},
{
"markcount": 2,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"category": "cmdline",
"ioc": "schtasks \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"type": "ioc",
"description": null
},
{
"category": "cmdline",
"ioc": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 1,
"families": [],
"description": "Potential code injection by writing to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2584,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x0000012c",
"base_address": "0x7efde008"
},
"time": 1587333259.390625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8919
}
],
"references": [],
"name": "injection_write_memory"
},
{
"markcount": 2,
"families": [],
"description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 1268 called NtSetContextThread to modify thread in remote process 2584",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"registers": {
"eip": 2008678852,
"esp": 3734320,
"edi": 0,
"eax": 4319122,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2584
},
"time": 1587333259.390625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8920
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_ntsetcontextthread"
},
{
"markcount": 4,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 1268 resumed a thread in remote process 2584",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333260.718625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8921
},
{
"category": "Process injection",
"ioc": "Process 1268 resumed a thread in remote process 2648",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000288",
"suspend_count": 1,
"process_identifier": 2648
},
"time": 1587333262.250625,
"tid": 2572,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 10705
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
},
{
"markcount": 19,
"families": [],
"description": "Executed a process and injected code into it, probably while unpacking",
"severity": 5,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2576,
"thread_handle": "0x0000011c",
"process_identifier": 2584,
"current_directory": "",
"filepath": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegAsm.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x0000012c",
"inherit_handles": 0
},
"time": 1587333259.062625,
"tid": 2740,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 1268,
"type": "call",
"cid": 8908
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c"
},
"time": 1587333259.062625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8909
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2584,
"region_size": 229376,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x0000012c",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1587333259.062625,
"tid": 2740,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 1268,
"type": "call",
"cid": 8912
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "92e4dd2c1be51ac5f675644c714ff9d6b8dfef1e",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2584,
"buffer": "",
"process_handle": "0x0000012c",
"base_address": "0x00400000"
},
"time": 1587333259.062625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8913
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2584,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x0000012c",
"base_address": "0x7efde008"
},
"time": 1587333259.390625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8919
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"registers": {
"eip": 2008678852,
"esp": 3734320,
"edi": 0,
"eax": 4319122,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2584
},
"time": 1587333259.390625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8920
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000011c",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333260.718625,
"tid": 2740,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 8921
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000280",
"suspend_count": 1,
"process_identifier": 1268
},
"time": 1587333261.187625,
"tid": 2572,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 10377
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2508,
"thread_handle": "0x00000288",
"process_identifier": 2648,
"current_directory": "C:\\Windows\\SysWOW64",
"filepath": "C:\\Windows\\SysWOW64\\schtasks.exe",
"track": 1,
"command_line": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" \/create \/tn BrokerLib \/tr \"C:\\Users\\cuck\\AppData\\Roaming\\WinSAT\\shutdown.exe\" \/sc minute \/mo 1 \/F",
"filepath_r": "C:\\Windows\\SysWOW64\\schtasks.exe",
"stack_pivoted": 0,
"creation_flags": 67634196,
"process_handle": "0x00000228",
"inherit_handles": 0
},
"time": 1587333261.250625,
"tid": 2572,
"flags": {
"creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 1268,
"type": "call",
"cid": 10673
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000288",
"suspend_count": 1,
"process_identifier": 2648
},
"time": 1587333262.250625,
"tid": 2572,
"flags": {}
},
"pid": 1268,
"type": "call",
"cid": 10705
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000160",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333260.967751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 313
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000001b4",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333260.983751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 378
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000023c",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333261.842751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 1466
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000278",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333261.905751,
"tid": 852,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 1659
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x000002e8",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333261.999751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 1980
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000318",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333262.030751,
"tid": 2576,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 2046
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000334",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333262.905751,
"tid": 2700,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 2111
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000354",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333263.405751,
"tid": 2700,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 2191
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000378",
"suspend_count": 1,
"process_identifier": 2584
},
"time": 1587333266.952751,
"tid": 2624,
"flags": {}
},
"pid": 2584,
"type": "call",
"cid": 2378
}
],
"references": [],
"name": "injection_runpe"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.1302759647369385,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.129382848739624,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.0589399337768555,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0766148567199707,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.073608875274658,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.505511999130249,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.04893302917480469,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.5825109481811523,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0952768325805664,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.162755012512207,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "f62ce50b2b77ac0746f62644889da585efe440ec74f5c449ba925c7c8021349b",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "06d3ccdf28a9d315b7279d95749b9c99829f38654d3f3d219d2851242fb490d7",
"irc": [],
"https_ex": []
}Screenshots
testrotected.exe removal instructions
The instructions below shows how to remove testrotected.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the testrotected.exe file for removal, restart your computer and scan it again to verify that testrotected.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate testrotected.exe in the scan result and tick the checkbox next to the testrotected.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate testrotected.exe in the scan result.
c:\downloads\testrotected.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the testrotected.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If testrotected.exe still remains in the scan result, proceed with the next step. If testrotected.exe is gone from the scan result you're done.
- If testrotected.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that testrotected.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 4985880f27cc2d2db644f474ab916119 |
| SHA256 | dbe4e496fa84fe97bd579d3ebc4a29c851a6303fd77e95765cf5f0a67e6aae99 |
Error Messages
These are some of the error messages that can appear related to testrotected.exe:
testrotected.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
testrotected.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
testrotected.exe has stopped working.
End Program - testrotected.exe. This program is not responding.
testrotected.exe is not a valid Win32 application.
testrotected.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with the file?
To help other users, please let us know what you will do with the file:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.