MalScore
100/100

client.exe

Is DLL Packer Anti Debug Anti VM Signed XOR AntiVirus 19/60 Related 2135
File details Download PDF Report
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 462.91 KB (474016 bytes)
Compile time: 2017-03-29 04:43:52
MD5: 78adc6ac4cf7a51f7da68a06acac09e9
SHA1: 39b089a559f8f4b5bd202eb2696d760428193d33
SHA256: 61327b698a626b760568ea37b026dfc3c684ee70d431348f363ea1c633e68999
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 4 import resource relocation security
First submission: 2017-03-29 16:39:34
Last submission: 2017-03-29 16:39:34
Filename detected: - client.exe (1)
URL file hosting
Antivirus Report
Report Date Detection Ratio Permalink Update
2017-03-29 12:15:19 [19/60] VirusTotal
PE Sections 2 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x6faf4 457728 9bdb6cab12976627414bdb1832eb3ecf aab43560a8153f683f39895d10c4ca51ecda52c2
.rsrc 0x72000 0x800 2048 48a801dec19e8d6b8e91595fa4e4d2a4 7546027d95b85f2ce101909a41b8a31fae6341e2
.reloc 0x74000 0xc 512 f9c9f6f9093ae2b0772c133c871f0630 52c31fcfeeb41fa3539e6ed89c042937be1d03e8
PE Resources
Name Offset Size Language Sublanguage Data
RT_VERSION 0x72090 724 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_MANIFEST 0x72374 1144 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright:
Assembly Version: 1.3.0.0
InternalName: Client.exe
FileVersion: 1.3.0.0
CompanyName:
LegalTrademarks:
Comments:
ProductName:
ProductVersion: 1.3.0.0
FileDescription:
Translation: 0x0000 0x04b0
OriginalFilename: Client.exe
XOR
No XOR informations found in this file.
Signature
MD5: 51beae62540ffcf6ed9056575ef59215
SHA1: 4cee5fe9dd1530379ad5535a6130122ce5d62e8b
Block Size: 13216
Virtual Address: 460800
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
FIle type: Library
ntdll.dll
mscoree.dll
KERNEL32.dll
IP Found
No IP detected
URL(s)
http://cert.startcom.org/intermediate.pdf0
http://ocsp.startssl.com/ca00
http://cert.startcom.org/policy.pdf05
http://cert.startcom.org/policy.pdf0
http://aia.startssl.com/certs/sub.class3.code.ca.crt0
http://schemas.microsoft.com/SMI/2005/WindowsSettings
https://www.startssl.com/policy0
http://www.startssl.com/policy0
http://ocsp.startssl.com07
http://crl.startcom.org/sfsca-crl.crl0
http://aia.startssl.com/certs/ca.crt0
http://crl.startssl.com/sfsca.crl0C
http://crl.startssl.com/crtc3-crl.crl0v
http://aia.startssl.com/certs/sca.code2.crt06
http://aia.startssl.com/certs/ca.crt02
http://www.startssl.com/0Q
http://ocsp.startssl.com00
http://ocsp.startssl.com0@
http://crl.startssl.com/sca-code2.crl0#
http://cert.startcom.org/sfsca-crl.crl0+
http://www.startssl.com/policy.pdf0
http://crl.startssl.com/sfsca.crl0f
http://www.startssl.com/policy/0
Assembly Version
Profiler detected
___.netmodule
VarFileInfo
Debugger detected (Managed)
Comments
Can't Read 1
FileVersion
InternalName
<Unknown>
1.3.0.0
StringFileInfo
COR_PROFILER
Translation
Client.exe
Loop broken
Y(/
VS_VERSION_INFO
000004b0
Y"+
ProductVersion
FileDescription
OriginalFilename
LegalCopyright
Y4\
CompanyName
Y4U
LegalTrademarks
ProductName
COR_ENABLE_PROFILING
&s7mV
^ .M
/8]:i
G5@D
Int32
T[bh
W A#
CZ[m
Oj{y
m}t "HS
@=rK
Gr/<[
*wy+
VtAg
ResolveEventHandler
W=n"Z

}a.S
n\3-OL
z/u1
e`qb|
V@A1
p=d
"%5}}ER
d-F#
]6iKB
g@Bo
wB]7bj`i
p)Sj
1%$^
:p{n
GL3IU g6
K&*)
y1RAh
C }O
} s<_z
ad3(
CryptoStream
V7*<
#jwk^
Decoder2
J\#X
'5p`
PR||
s#Dab
"5`
wtrG
5#i"u9
6-7wl
V2[c
KO/$
re^0o}c C
pk/|
{(XX
QF#B
FVoV
<+oKg
0#BXh
_g,JTB
~*UQ
Y1JS{
mkse
,Kc
R ax
q hn
G&y}
System.Reflection.Emit
$Q-
MT~F
FG>9
AJ1:
t%U;
ugT!m7
_)S-
xaHC98?
VM&Hk
\j
gY<G
!{J1
+U"%
b\+u
!ZP2
rsoI
=I5q
n?M=;]g
d:4{+
JNBa
D$7-9t
ya(S
iACn4
zrt
1v16:5
G6y>
m_LowCoder
H A0
t$jW
x%w#
a+i7
2Gj
NvxlP
Uu#7
X sQ~\)wB
A,$xm
/UF(
44sC
LK )
KaG%v9!
SIX
vMW
)-;y;
th
pxg 9|
&NfPtF
U BoF
J~I:<;L
)r`i
3XU]G
*: '
q'EOI
%+b\1g
bgTj5
,O8" U
It~H2
A A
&0ZV
xz)QPM>
8FYv
- 'o
])*U
[GW_
xG?y
^'Fc
7t8<S
:~kQ
{!Q.
8xE#;
V7Mq<p
-b!+>
0H3!
o`5B!
{=Y1w
Sr5Y
ZvZx
Dq=!F
D =h
][~kp
=6<X
DH5L
)C:\\M
DC&z
get_FullyQualifiedName
*+wX
#v%7
; CI
Y6)0%y\
-|Cf
Qv[ x
x# u
_^ZJ+
GetParameters
h[l]
ywm&
aprj
O)cg/
x4OL
&R,
0=f;
.text
b R
+@qw@
EQk=
%z{6
E2E*
lGX?
JrMQ
,2'
pBAq
@`97
#?s"5"
J<wP
1RO"
&\69
B{{^g
g*Fl$
^.\
Fh^(p
0aa D
msX
l r'&o:
NXXaXX
$hJa
y09}r
CFNT
YXXaXXaXXYYa_b
ExHN
M%l.gR
U*}P
ZZ$_
w*<b
# : W
WTrSj
o]`U
L&s?
#/myK{e
AJ4uF
to8
O]1C^fb
f01FY
]|E
CreateDecryptor
g K6
l@KyM
3~8qD ^
"O+Z
cleb
}MPxcccM eT
XaYa
ifK~
E?~k
W7:m
~243
ProcessHandle
dhE
@+7f
'
set_IsBackground
#)}D
Q'`(I
f3<&C
StartCom Time Stamping Signer0
s`6sN
LenDecoder
Ip1
Wq@a0#1
q_VIS
#SFn
pI!n
O Xl
7UL
Q` B
N*Me
g<]r
)Iz+
l|Y%
&2UN
"6-3o
@f<"
N49;:v
Uec
^:MXE
]Qw
uOig
+i2H
6Wrr
i`o
Ix}K
OJX;
P}&SMy
=bP
V~,b
!LYn
`ml`+oXy
get_Assembly
-8Sg
!a |B
BL 0
t@:u
*G,VMw
LHps#62
aXYX
= [3$
! &E
MR0yW
2eZY
$1&n
ju8T
[(v;
49(
J ~W[k
8'"]
\^Cnc
Bl T{
~$Hp
/4 c
z=h!
&]SG
`V k"H
yOjp
QHfh
op_Explicit
JZiF
Y[`L
DGD_G7:5
uX]1@
ztxa
c)?P,
+GjpY9
_streamPos
:t]n
Hv5xm:O
r/1NtRs
4aXa
StartCom Certification Authority0
>7pd
I$'/sfz?g
UKAe
!uy#I
>9 s
'7 p
t&2E?
I69s
m_PosStateMask
-RB]
v)aoPb*
+sfc
_gb\
x@L%
< <.
1'%k
80Ooz?
e^-9
vAB Q
}@/f#
LZAH
VOS+-K
~o|>Z
MethodBase
%8Bz
'R>]
mXGL
VvBY
45Fd
H'8"p->
:L%n
ZobzJ
v>.8n
BW9p
jq`XX
5}[ '
h{ G :B
Ap%P
|v*c
${(a
Bh!-
i-ON
{]a[/
o]:-
[Q.t
Uq=<
L:d~
tuh}
R5C\
qzHt4e{
u#
zdfr_
#&27
/d\n
ZJ@:o
#+;A
Gt<m
0G +p
wFPR
Mq'n
=Sg-
#!y:_49,.
P L`+
~4J0
,j?}
9|M3
z= $9,
En?k
stwY/Z
E4l/
"Md8
9HtM
g#eR
%-Fa
m)N
cM0>
w SJ_
*Ju
]nTE
9Q6
AacC
f!F>O>Vt
lYXX uL9
O_7 U
.o{T
[L@6
$4&s
IvKd
_^s/
Jx%|
C!#O
zk$7:
\A&0M]pN
4`fcAR
w|.2a
n*_h
^z,jW
Yi>
[p s
Y6xpi
gstHW
gA@U
*(It
(MN7.r
e]QZ|
"u:U
gtqS` :)
_=l;
bSkO!
/5=V*j
i2\j
CKoW
>A?km
>~g(
j< 2
Newobj
/>X~
dB&@
,+dNWu
Ws l4
\ruT
X) k
'.*C
K$E#k
u6E$A&<
xBSJB
+ *O
t?
SO"i
`. w&`U
L-9$
@<V,
v Mp
FzP'
Byte
#H?J{
nC9.w
gtF
/17~
@[Ja?x/
{@W
GetEntryAssembly
wqRs
PaaY F
BGEP|
hU$=
m_HighCoder
|tzy
|~Pz
|&uzD
!YI*
>hZ#
;4<u
[Nlrr9a
70?oK
q2nj
`f>tY
E- X k
R2mN_
d~ X
[ 4 Hib
DJV0
% y/
'Ek=l
bwN<
M.)B
,NP?
{ Q&uBL
0H*B
kLPs,-
M)6w
tVAe
`@mb
fe:}
XbRY[
43aEL
+NNc
{2Ep
lQ>S
3(k4
ILGenerator
r'[t_
Rwugi
O# bn
M:1k
g <b
!z@a
}ZZV
p$J^'
Z(8+
deX%
*yW-
numPrevBits
_cd-
}BZ4
]leU=
%sr6M
Do~4\
W7`h
hd8P
OutWindow
x X`
h4rj
<;:4
ahqYYXaXa_b
S}aG
wPFE
4^_5 s
daWH
"}W
V[s
Zhz}.u
G\)XbpDM
CJ<m
.lG!
^cqaW
mcN/
SA!M
pvtE
NumBitLevels
%Vo 0Gq
dsql
|{-9
gFCH
6S44
]oM|pT
t3{u
A<0;
Kr(V
Invoke
-/-jUQ
HUOQ
z vl
M,GI
u=c8c
x=cH
@f3b3asZ
%AiZI
/G<6bj
rZA4
=cr
+0)0'
7uli
Array
Rx1#'
9eY`
v[,o
|+6z
-oGy
i1sL
M$w&
{pXQ
;9}Uv
/i@:
;X2|
=ii:^
Te0n!
+ Q
m9|*=qT
M:vZ
dXD
Ac&E
T_qo 8
N6V#
|1c
|Jw0l
Z+XL
DynamicMethod
R>yR
|t_S
XXaXj!7
?Y|'
OJfHN
M CZ
lpAddress
m5Vf
jKWu
hy+ELYE
I5
nM(r
S/=~
Bw`
Wqd8ixI
&!8MC%
5pTn
DYXX
rVo
3csHv
%Q R
U.]p
Z D
a_1I
k/KWt
8bcl
Q5RKT
QF~GK
6o>
eKer*Y
http://www.startssl.com/policy/0
naP*
!D\
")^#
K/yd
ZY*R
jZ`\
_U]$.
l8YQ
geKNW
p# K
NJQS
XaX_b
l=ij
U:C@?
2jh
l+9+B
;Ux
I54 uMR
N0PNd
4%o_
pdR_
dS #
gO Y
/so{
4 /I
Rgm%i
MXX?
&eX]b=
F01]
A$=B
nXv%
/KOJq
F02
]I*Vo
fm4w
lfLp
Hk$=
Qn\v
Y! p
'bH|
t7/,
)5>A\$
2{J
fIK,i
y%q~
SyUKD
{YN0G
92YoC>J
Q26Y
^y*hz
,YtG1/cM[}
75=*0
Gie
KLg2bF<.)
3ctHzl
tsM<p;
`)5(Q
p)U
DvL^
0 (
n0.E
!o&|/
JZe ,yTyaX
+`(i
aCwC
LJSX
}4XS
CYIm1
\=T#
3#;fHn^"
&3t]Jez
-9j
kF`zb\
dpiz
uibN
x9Uy
l&ZT+
'aaYaYYXaYX
iV2g0
isR8
>psA7TS
`p# p+
0ioj)
%h/\
^Zm>
s[pY
_ZdB
D_Yr
aX!]
GhlW
l5H
U_Yi
er F
V=Rg+
)Hm
G 8$
= 7hWax3
DKL1
//2\
3Vgkr
x+$.
Qr"<h
\PNu
rRn[
0&L4
KIWv
gG0-a2
8I3 i
wYX (
S{HB
dvWn
vyiO
Read
&3^z
oHo
pBy'q>
;Y _
2x/+
%\)5
{(*o
Dgov>
f/Ei<q
V(jQGf
pg_ s
*XX &m
N,(32
Z 9.
Klh]
TO j<
RD(8|
=s^q
x70eEjNC8`
) B_b+
]E+GJ1
ToUInt32
{CTA ;
*HuP&n
f__#
i0 w
CFaQ
C)er
Z F5X
f3a(
tS>q
>as/
J-W!
a%p APa
dovG4
~zGr
:4 $
zoEy
asaa t
Uq1$
XD2t
{k5)~
~%Fo
wVg *
t= 2
\$g2
INn#
a].04
#>`r
C.Jc:
TBh[
Pd8"
Kj j
%[ C
E9]F
TW3M
\hg<
m}b N[
E0(|
2 4n
EZ]
cFKO
YE .V@;
sender
+tzM
5|r?
S3 r
z_AJ
k">z
lo_#
8{wh
]0[0,
]0[0'
q{+vE
7"@+
C],.G
-:!d
zVzU
yaNe
=hXN4
y^9E
+7: G
: l7
mV i
L9M%
ro b
!'st
^bAvl
1!}BR'u
b\PtJ1
0 My#
pPb;x
S 9CiAf
aHH6
xjAh
:A.Hz
_16h;I
YW}lg`
GZK)
"\L
1l*k
Z*L!-
I f<E
V;@u*
Pn@eL[
m?5hWM
8X -
Emit
1C, Rl
On@}
|xR
!This program cannot be run in DOS mode. $
XX]j}Z
.]b$+}
R3
6k$p
Dispose
)http://cert.startcom.org/intermediate.pdf0
ConstructorInfo
Sf(F
0atY7
Sk;m
EQL(.
a B(
~|:&
XPU1
[qlF
(B?
;""d
fO~c
c'qk
cEv5h

8' $&P
eC9f
,UV>
D}C.bA
dEG.
l!RfHS
~`4L
-B Ro
,q3+
op_Inequality
q3JD
nVW+g
W.4mwDu
'}d~
/4uN
":0=
t4J
"+vk
W)ex
?ARF
n.(}
8 ^W
`WDg
=W|U
~Sx
2dtk
vqT7C3S
} d@"
&Q U
uQ8sR
y6wwmN
Mcd[
}w:`9W
eS_G~
m_RangeDecoder
eJ{
NN
y]I
2ldP
3+c
F@=0
"" N
{vn_
)m 3Q
MV=|
BlockCopy
{-X(
)0u1
numTotalBits
:zj (
B o^
VrJ]l
lZFC
_ 56x_
dm\t
<?sdC
a 9lJ
@X8h
BinaryReader
mwI/
n\'ae
QU !
+http://aia.startssl.com/certs/sca.code2.crt06
n8e6O3B
@A }r
Q]kF
a: #
43.|TB(
+ fo
,)Ae
=3;d|
n*</
rtS&
wSr8 !|
F{:l
Bx;C
yzZe
u GaEVV
8xP@
Q6_fw Y
1^mH/
K!
BNqPj
]7C0
KtAsXG
1B/]+
T<8-
MemoryStream
!?8s-
p:KU
Code
)~ gZ04?J{
{tX
7"^#`
17)
Qe7"j!
W*\F
3'{=
X t^
*.~/
von:%
Qf}W
NGk2Xs
"Z{E#22
*.~3
Uyrz
@m@w
e2Jou;
shT!
@.@+
s@._
V8^oN
oLQH
J+61%
*6~2
zK{>
w9we
> N.S
]kX7
+fN{
,h~~
O~'c:`
iWSl l?
/StartCom Class 3 Primary Intermediate Object CA
MCHB
M11g|T}
q@j3o
Gkf-
59r [
>%=a
Start Commercial (StartCom) Ltd.0
madD
~~-4
UpdateMatch
Sy6p
w$@T
Tj6j{n
/pb^
`-Z0:
zcq6t
n-Z*pA
@g>S
USGu
m[N2q
jH+^
8wUA
g"/u
matchByte
`< X
support@startssl.com1&0$
(/LXX*
FuQ;`
~+ mh
okz:
~uL0K(U
St/p
g_m8<
/_>k
dG#{k
.[AR
;:I Y
d26
8a<7
3u5^
4http://aia.startssl.com/certs/sub.class3.code.ca.crt0
5 Pq
nn@
'Fx%28),*B
aXY
m_IsRep0LongDecoders
{0BY
']d_U/Fl
Mis)'8
@~!U
U;,&
K "(
System.Text
AN[:
EAP*D
]/4A
{<NWHwh
( wLK
"IHXXY q
A5N.
S]Al
hObject
OM"u
g[w@yj
?-8
y*giJ
XO^/
<HVo
p# (
Rbg's
MhpF
eq3i
-'q3d
08
xGSH/
/WCA
^=,oW O[
G\;L3Q3
l8>S
is5HD~
K0]r)
ENnJ
= M:
e$6U
U* <
^sN5
k&6 P7
b=Oo
UTZ!
3/ "Ir
_:S
rPD
."<I
UVv`
7{s7
sN ,K
OE?B
91iTW:P7
blga;
_CorExeMain
[!iC
THTn
-9}z
O!hX*aM
J6%R
o>Ue
KnD]$L
4Bxh
U&7~
oNR>
A {Y8
E~IZ^/=/
a5Dr\CY
^qJ
lq9?
9Eq$
yW(MQ
Jyvw^
zoA#{T
c{Gca
b[S#2n
LoadModule
2KA?
k@:.J
e~d87
dwSize
`&^D+
Bd|9r
%Quz^
bC$pU
gm82
|f!f
X7E
L2f^
Au|SX
)[V
}F$I$4f
1 e%
dQRI
z)Q~7
fJv\0
aaYY
^Oj
!Ta{
1Z5z
3NxwQ
b`ak
u !Q
%~T?
Apzc
~.9C2
n}eZ
Ypo0Z
kwpY
c5\3
7LPN[
lUJu~@v
}gy
]H F
QPAz
S3M*
$P><
p_S
c %p
OC ]QPO1
y_/)
z~Z
ec'vPLi
.<MH
7/$,
VJ'r
A2%1p
\; jJl
j02q2
La?dA
lDMB
}q ,
j_<7
`_'{wJ~
p #d
301216010005Z0u1 0
>o!*S
a/2H\
(]z5
<q5
xxk\La
"Secure Digital Certificate Signing1806
]G9i
$ro+Js
iq`j
FVr=
DF! *v
aU@*)>B%?
Gl,r
b_l
Stream
ro,a
b .YDGY
FailFast
'R&J
ReadBytes
BitTreeDecoder
eNBo
88mz`:
%!jT
}Yf7D
+= -
p~y=
XL>q
k(,%
5:JAi
nrP}P
w6or%
3UhW
<bLT
<6nx"b
"(7}=
)IWg
h?pf
e'za(y|)X
lanLy
d"u
a=Lo[
GRy]l
ea]Jl
De}|a
|AvL
e,e4
?=Hi
$h?
0Aiu
_solid
>EJyjs
Nn9J
;aX
r-m
1,N[
T+\bX
SaR
%http://crl.startcom.org/sfsca-crl.crl0
dGp'
C|,i
\&wW/
hI`!
get_IsInterface
a*L;,
]$gpL
?~w n
wgNx
Bywf
=P 2D,z
v*-c
D[~K
'))N#a
9AXw
X Fm"
(#+b
0*<<
}-pz,S
dJ)ZCnJ
sOlIrn
8^I@
OZL]
RNr<Pq
oOtRCQ1n
K GIH|"
|Jo
A%m"
F^ 9e
]X\- k
,:mE;
SetPosBitsProperties
p?3w
k[x`M
T]i
bL;/
0%7f
[ xZ
w+ko
{="|
I$wb
t/1a
N"*_5
""2l
`G;}
)l ze.
A|H;oU
<4tL.
B0 V
.m}7
e9{"s
u/=&
sCXN
u"Ta
]`Uzk
) 8e
{x50O
N3xXw
kTWS
yuuy
rW:q8Z
LjC5l
prevByte
dFYw
Yi(~
00&{&
Prob
Tlc"
a"d||
pKI(
&H(0
Z/L+`Y'
dY}
Wy-?
>QGc
UC3A
7ron
t^dT
cp7TR
7q>z
g r
flNewProtect
rr1Q
`C DB
o2^;
4Re=m
)!6s
!*.2
FbRw
wM0+
=6e
;KQ ^
~[x
h(^
-i$F-
K-=SE.~j
rXaYXYa 3
f~M$I
0oe
X 7I|
+ (E
J$,tp
GYa ?g
oAnc
UFxiy
IP0z
C]#V
c`:s
8"Z|Ich
aL/+D,L
BYX
pL /CO
7x;0-
DY2y&
VaXaXaYY
iq'XXYYY
XaaY_b
p>~N
&Di~
,5<T
,v~!)
m`1*
QYsG
"|MWN
w dAR
v6f\
XmH<Hp|
6eB F%
YRK|'T
! 8
L^Zw
x={{
R @M
3s6/e
F|9@I
, M;
@(r
hd K
"maXX
pb&C
r&sr
IDisposable
./+%e|l{
cp?\/
C3H[
O=X=
bbP;
./Un
Dsi A
}[[:$
?eQeTK
555B
fw,
Sm&>
g=1
kdrP
ZwN%
$-ck
`&
1?1yk
{(,n
D.FKg
5L,7V R
]dME[b|
A&a<ly&
TG H
}$ B
tCN,
Init
{Z?!
G)>Ay
L,-2
Ka% F
)3C^
6CVo
ke \
#GUID
v9 J
N)G>
DDMa
2O J
?E*kG[J
>twk/
d5Wz
$pW&"9
2>J 3
j)|/
y0XXY \
m]A,
!ai1
T -
$K.6S8
BH<z
xXXYY4)
,)`p
K>O:
sP?83
zR{K`
(/ }
.q 5{~ 9U%
Debugger
J;)=
hV(N
! BW
e0#,y
g;5]
:MBan
ZN'}
W,7t
E$HJW
0aP)
Jz/"
.:scTa
}t3b
?Ly+w
%5KPnL
U]5/9
h.wGUw
maV@
dyB]
zV+;
boBn
y{~%
JM5l
"DFj
T d9
y_YT
MQ#'
-'EO
=Q3Z
.6 ws_e
}u.
EgpK
x tlK
T(4
1v
$8/\
1x!A
TeoE
j!"doOb
;E51
z >
^jtp
r%iM
`1Z%
a|)z*
,6%.?
4|,K(
,jfxU
/ 9
i;;o6
2|F@
=Yqce
F5<Z
tHIU
Ql{ f
lF&3
(P]p
*R>z
:q&^e
4r,
IN l
$ob;
)" &
4N2N
)Y5u
}l'Bn
ResolveResource
&!`W
iwJC
--MXz&~
6U/k9
Gfd
!H2u
gsqG
\@Q
rttyi
NtSetInformationProcess
qP$i_
a JMG{
*qJ%j
3Zi%
DecodeWithMatchByte
,Zm]
AJaV/
Eqx
G2[X
O7iC^+
uM
6[z*
qL</
iG@VZ
9=L'
/StartCom Class 3 Primary Intermediate Object CA0
T<7
5-'\~
;(q}
http://www.startssl.com/policy0
Marshal
^Y o
[ b
htw ot1
[ro9-
,m'`we@.
rES`\
g4?w
GetILGenerator
Sn|
Ou yb
rl\{
lr{b
1%_bQuR+
.<Q&
mp()])
T@eg
!GI?
%aT/-
N&Q=
d60B
'!@S}1
%|n4
MT;K
4^(-p
Rq OuH
V <D
{K;n801
SV%lQ
S #Jc
S{ .
3.cO
bW}U
#8@:^>I
4sOe
PiH%
[ =.\
` G2
ipbu
t)cJ
G8u,
! o]
+k(g+
/"UH
AppDomain
=Feh
T`VevJ
m_DictionarySize
U}Y[a(g7|e
7HZJ
NV$n
ceX bm
)zO=
a,>^5`
x 89
[ 2{
T\Xq{b
4Fhbv
72J 0
V=L.<o
SA*uAA
;Y%*#
VKiD
P6n(
htp K
t'hJ
wG d
q {0'
|>84=
J0H0
jR#Ok
#"v"t
Xta(
{XXY_bX
0T;}
s.n:
_M T
^;7
?%Kj
RV|Z
Z`&,
&8LE
c\Ud
d>Db7N
5oZZ
7|6b
Type
(/KG0V
dlKjX
E% %j
1F0c
hQfdW
~!B1
_LY5
Yq"5!
9My`~17
GetByte
{$.@z
d:[ ;
$wV}
}'-}
Kax,
RVDm
Jc ?8
LXK+
$onD
n\eT2\*
*9:b
OutputDebugString
M@n&
+<,.
221012010009Z0
xF$F
Nb <
8 c9
UV0q
tRtB
H`<\
^grn
I`cDUd
|Jc#
Ye47QHI
e`fj`2
R]^a
2r/5u
pe_
,A'u
,` u
B;"9E
=9CoVk
zohP
OrkM>}
,")p
GetString
;Z4[g
lcdTA
Ev9q
lXg
q6;i
"#APw
""a
r-ZD=u
zXaYX h
AFJa
mM]2E
DYxxR
U 2xa'
n: 7
{Z e
n M*&
a2Ogw
Mq_Q
\Mb%Q
= Y^
`Oi9
?Hq/
39P_
Ne~w[3
m eOX
_I9y
d!c4
QTG ]
icHT1C {
zKXf
) V
h@hU
$p2b
p])4
-P"W
`.rsrc
}o
8!.wJ
t #H
G5h
*Brkw
' WGD
rMC8,Wc
Go\.Z~
R!^(
ME(z
g"-yg
*rp^
EF>dI
2^7f
YaXXY_b`
]i]~
P2Df1
;oibk
c~v=
XYqa
UcqE4A"\
8c2{)
LJiT
=~2D
d\/{yz
a:sl
aC}Q
@I 1
get_ParameterType
9,z],
55yK
vlP!t
9qIAd
{$V_
N~a
4Ez$
NxV
qF#UN+u/uC6I>
>fRs2
,)I3
46)vs
m_IsRepDecoders
q=O)A
beY>
(ZNlr
sr7j
\nzh
![g8
^Ur
Gk&F
]!L;e~
\r%e
/h[`[
S3G
!)vM
Nguyen Hoang Tung0
'XY7
x89f
WS:
H8 {
+^8[ s
*K?
f 3
.[IiW
]CQb
k=a$
a 1[
N4hd
Ir~Qg
|~<
|K2.wx
|S]=+
la "
m*wY
Z5>{
5#T2
HR2 4
m_IsRepG1Decoders
?2T U
RXf5
vqbi
ap*;
~1\>
Tp@?
@8Mz
&{J]
.ZF
sW%m[$
$+=K
r "z
K7=x
+ [.
R ,P
ZJj0
372+#
LuZ*j[
NY#;R{
#Strings
87Y
f,b]
C-?.y
8bnO%
<X"j% `
1w K
g}KP
5D9[
5Bmu?
ni(D|
A?Dg
Ot?m
_2h+
q|%5
System
] 4i:
!MpP%
0zbL
@P3,
=@4^
8A"RIO7
OOHK1
B~J[
C/Z|
.)s
QNh >
s-e%
:jL/_
3r@
XaYX
D< f
cf+y
@K
E&;D|
fWXr0FV
;$vA
~3m,5
^w'l
mkNg
R q`e
\-Et
h6[(?c]
J?Y,
y}:&
[e] i E
+Q_g"
+d9{p
0,0*
j>5r
t@5I
,'He a
j23>Di
99YrK
:R*D]'
Ap~K
;Q;k
wzj^
.CDz {
t<vhq
6a9C
4@j#
kV@*
BitConverter
W /y
SBb
ntdll.dll
*PXl
'GoI
BLelu
[GmSC
F ]o /
XC j
]vct
ra#c
')OM)
- dK
8L;C
hY$T
6#E\
o)-S
?t b
4%'6
Kp[IO
pM];
c^/pJ$
>:|dpHv
D=[3
<9;m
lW@F{u
}&r]
gN@4Q
6rz8
c]0&
kdi9
livc
8@\#
' t;i
6{4 2
&g<W
P2 A
k mTU
80&"
*A@zfx
%[+R
4vdWL
$D8B
jA/dxh,
-2J*
bC\I
azU
>)Z4
Z}Km
BD9Y
ValueType
-`#u
EL/
SFGT
*2~-
B)I
i@k %
e, qM
|xl-
|G$A
g'u8
,<H"
nBXL
ntdlT
@oxE
9_[3
9J,J
P O -
151228010009Z
?{7 F
UpdateChar
uS}2
<aX
0[X
AGc\
`WNj
G'8XHF
^bE>
9C],
P+^`
@`j
U4 8e
(9Rj]W
8=\8
c K#0;O
'){S
Y>E
e,^zI
VESgn
$|yi
args
F@W
_IE}
jZd)C
vJ9Q
<=2(
GetState
Cvzv
+Z }
5
^"+9n<<
System.Security.Cryptography
/cS3
\t=n
n^HB"4
D}t9
aIn=
W80A
\zTG
gAS7
4C2}q
E$NF
@Q$u
y91l
R4yN
SetDecoderProperties
bf,+_
s9PoX7
.nlS-~ K
exE.
k-6}
.ctor
*|&
- fZP
TQ $
<ed>
nq#p
)StartCom Free SSL Certification Authority0
?JdM
U:3|
l2cU
hz4
* 81
Main
~~'a
^;}4
x&`h
Y Bs
77D!
">3A
@0P2
&OE04
m's9
a XDf
Z3aaaXYa
> LM?_
/ ?E
Module
u:.4
numBitLevels
a8AAJ"
+&`;O*Z)
Y[Kr<Z?&
/e"?~B
p=]
xz!x9
@.reloc
xaO.
fEJN&Q
qPB>
C?"G D
m%A[m
Tav"
E8&
TO:D
-wOr
!+1A+=
0MZ#p
x;v$d
n[y&
NdKp?
;.B\
o^e
Ca?p~
p=]_
4TCL]
PGP<
# UC
6*3*
j.7
/DX9
zjp)vX
-l>,
2<XW"
:oTrw
?jdA
,
C'*Mp
3,z ;Za'-
]fA{
$D]~
IP>,t
,VHQ
0"e&
'vMM0
3Gw=
!*s}
gyv
K>=n
/-NC
(K";
?IW;OU
|oD)
jc=V.
QB0:
(d4 %D
]2Hk
C#XX )@
w4<6
7p3&f
*>%@
:Ejqy
r/s>
+|A
^N `
t$&Y
5k#sl
oyEH
a54i
P0Lq
;ZfkE
(oD\
Dzah
:1\a
s)2s
D'h}~
GrP.Pmb~
Cj>||
oFlP
6mjl
m; ~
3 a8E
i a
~1XYXaa
[ww:9X
`Q}~*
/Q :
q]TYs
Z0X0$
w?h6
aU5F
]Y R
kE~WHyF
http://ocsp.startssl.com00
e&Nu
q @^
I^Y`p
b,oL
dDaU;
vX"T
lqD`
~P({
j"mn
oha&
&u4n
\5cI
d\c|
#9V Y
pghU
c1b F
>@e'
c%ff.
n)Ws
Jm4+Q
j,S8
vEK'
I,"O
KY%I
Epe98
RN@)K
QEfwA
wU26
H8O=k
Q ?u
^4KIT
Tt#d
:|%+
KZiu(
Hn3j
FBO[JE
93Hh
U u4;
IVH>j
|C2x
>Gx6
::_S
Fa 5
!B2Ji
+o I
&>Xk
[Mo
z<e`g
~rC
RP{2
g/ @)
F=$J
s> 2a
6==`
N(~#[`k
startIndex
Mt\~e
FE M7
tk
:WMmcP'
*;#$
P>@\
ag@
n#y/
u wMjo5
H W1R|qx
[Y0B
v'vg
1%@7
wF3YIz
>bw_
;~Cv
^WZd>
e| "@S
,#OgiCu~bn
A;o5
L9Bg
p7fE&u%
Q<!S
R 6'
fKIk
qAMe*&`
C!(8
cHKq
JF X17
,:Ab
*d\i
inMO
m_OutWindow
((gp
#o 6v
$ e<
Q0ZLL
TSu4
s%$/
f'R^
Zx,r``
q"4n
IX !j
D2;.
7w/GP
#DB8
4hRsr
Q;58}
V5E7O/<K
./bg(q
; 'a Av-Hi
Y`
T.Y {
<`#\
/LT\0=
[Jl.
N]Q9
YY o
P2t?
h lV
T$&8
WxWS
yV+j
&V>7
4rp
DJ+%
LS+],
m/\g1
='!n
W'cw0
t3Hp
a 1F
Se([
+TkI
c/\n6<
mK-e
YY =
9)!
;tK|4
(n*>
#J 2
sEX|
)lL}i
>KP-
+:
[ fPc
IntPtr
i@|n
=As +
ZL@I
Gu?x
\Rd.F
M$iY
Pa;3p
.lsC2
Y}@[
Normalize
v(mZ
*D(.>
\y'"S
U@xx
%"'Q
\8E9zXs]kQ
[2`@
iOm4
DykVs
s<]y
2=9\+
; f(;
A)(F
<@7E(T
Pt<Y
qag6E+
M<\C
F6AgD
.HX:
mscoree.dll
d<-i
!Z4b
N|Z1
: @IV9=*-
vW;.
RE&>
F"xt
^2#W
%z#Sc~==
o*lzvI'
ZCw|5`
j[*
$d*2
/3;%
teRK
a0_0$
;oY|p
. N|
A-I Tpsc
m}i c>
Dn]6
w.aC
KO@r`
I#3F
YH)D
\cN
mwXz
M&%jd
.\dns1:
4p^>
%ba
hDh$'X
`ex]
sX`Gr
j ch
(r:i
7A"k
\aaYb`
V1cCkJ!
sj=q
*U{o
K#m#
K_y)7B<
nz[
"}>|
Hq o
C^ #(
7!!?
II$UlI
GetManifestResourceStream
:u;c~
(hEJ
Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at http://cert.startcom.org/policy.pdf0
fF*w
AZ.>
@^|q/W
AR;Yb
RV'{
nj1Y
" ~TJ
Y5NAW3*
T)?C
byfw
*BhFu
dGa/
$h{/
<a)Q
H*:_
<XKum
Q-^/
&lA<M,
KItI a
V:97
5qC^
S(S&
T FrOK
<w
RijndaelManaged
BW2e
8FFI
R;1 C
t qt
Ky &
[m4)wn~F
=v`)~
>viw?
Od#?
bC<[5
dy
6VSs
()sf
pOJb
@V2"u
kjAV`
?aZ~T
K$>!
fCIJ
=z V
bXoXb
@WFfG
.wu"
t.J>
+o?-)
nt}FG
n_a^
z}^2
j3XX
o@ n
jSRCa
/>!;
Q9:q
aY 3
D&xt
2,wh
Yj[E
!| |1}
h)vx
EaaYaYYX_bj
b+;eV
5+b|
cDm<
0AU}
gNev
P7~T
&qL'o
^$#X
;VQUN<y*
|0Yq@
OJxM
R\FR
QMYNq
K<HYb
M pA
`YSf
wTNv4
" d~
Z+C.
M'U9A$
[R"Y-
>'Ud
U_!OpUr9
,%R<
Bna
_hR wO
Bs |
'H*[
"LK>~HThBR
:4 HI
]by:
HHT u
td,P
#;@=
SU'3
!MC=
ResolveSignature
&=4r
X ntinT
dY!TL
+>2c
wlBn%
{s\Z
/pT:
*D~h
$H=)
|^&DE
y5/=
Fys:
c$6@
5q</X
{sy&
zQ8Th
0-+Y
oxnEW
>zRc
(]Q+
98'&&
000.
S*C
F(C`WmG
E CY^W*qY
S`_Wj
l{V*
"]/i
>= !
VRsL
c'nc
ZMt;e
|<Y2T
#9b`
P14u
X4=D
MvR-F
#b\&_ PC
e9Ro*
YevI
GGeG
.e+M
r/ g
C/\F
SwZ^
`<-z`
qBc#
*:5r
xc2m'
seWuv
"_|TuU9
bVGs
eC4`
en0c
k?^^
qWXC
ReadInt32
t(\
5 N
%d&\
YyBw
nF /Ns
|c/)X
q6^7
H,0E
zLZ^U+
Pu-tC
Ay@L
Imo/
Bl\7
HZpH#
U2WH
"http://www.startssl.com/policy.pdf0
!\cBQAs
-9:)
U;Zv%
?XI6
iz_Q
+l-9
(m3z
Jc)
Q2q
1 0
%gA-0
&]!u
xK*z
WvD
cp +E
S *qN
N<"/
O;K3d
E\m"
Paf
$ SM
K8!,$q
p JfjA:
u3f,
)0@FJ
3=|P
http://ocsp.startssl.com/ca00
-*@z2
(p"`
V#WTD
Rr`z
}.M 3
nFrn
Attribute
B+rF:
/&4-
2'ZusS
Dbva
7 PV
G{uo
P/x6
,>|l
4:zCw
laAsZ
>xn+
+*(O L
^WX8G
bsV;
Gt`
[2A5
)?o8
3q/:194
vphE
8C"W
a3A1
deL&
eBUZ
ae>v
^9O_y
SU !
F@F*
W1j.
TZb;
L@}oU
!<Q
=lx\/
x M+9
2.2w
P~x2
|;Ige
hIo6X?/
oOLR
xC/q
*{4aYYaY
ygDsY=
A&9}.{
\yX;
u#{J
hC^H{
O p$
+
# TN
>h+/
D0$NB
Index
%R+T
BitDecoder
cMp $B}
kT`s+3
[`SRh
6Y>v
0~Xol
z^Oq
_o50
d"2|
t<{JSq
5R=8
+n>.
~9Ai
{J^0
8G_I
&%Fq
Rk?A
`{'rE'
:j?Y
}V,b
~o;!Z
*ci#
+ U@iO
!i!*]CU2
Q!U
Zu$XH
3XeL3IK
numPosBits
*7F.
JV w
m_Coders
ak-p
=@<c
GetFieldFromHandle
gH p
-$'T
'V8x
q[~"
9c.{
Jie9
U\bv
Zs~f
,0" "
rNe@Xc
xS+F
-Bw@6
#}<H
AK`#
`d{p
CkkX+
Eu6]cv@l
!PFF
j0\@
aAIU/WuY
i.Cl
5?+U
XhJ&W#
rangeDecoder
\etTe
ca b
8e$y6
?qr1.
t&Mp
>r T
E6}-
vzt8s
':{1
4_<!
FmywX
.3 +
UxaW
w w
[*v3n
DJbcC
GetHINSTANCE
X!c$%
%UHS
YYY!
%* 9
i}G
4PS^
BrFK
N]
d2|?m
uf!H
qs$!
W=C'
IhGp
wW!N
qwO]g
Xb87(x')
]F=j
1 C
(,P&d
W W!7R`
*;*3
oasC
gU;Pe
T.T
KiM3
J5B w!
*3u7
XtHw
R04b
G(1
@KH[
C{VYJ(
U"Xz
%y[:
/|~8
aw6"O
/66[
Cm&4u
IG64b
#~5@
&" y8yb<
oWRQ?
)Hr3
)#/uzvs
ov;'
iJ#9A
Exception
c(|X/
;#p\
D Vg}
oci}
4N&"
cvx7
hB%D
G;=e?}K*
0FNd
mH0E\}
?Bbu3
F(;4
(xR"}*
rzy/
UpdateRep
"C(~
h&r@
IG3dr
Hum
cB6[5
windowSize
VP%K+
W3>I
]f}$?>
./Do
XGR
LzmaDecoder
t*MX
|~z_
*>E>m
CompressShell
J="-
B7y1
TOhVE
_x`q
&(9VD
Math
r7=9
c-:I
lq'L7c
6wH^r
|uCN
f #P
Rjo:
SuppressIldasmAttribute
"Z#a
!T(_/1A
X +P
,k<Hn
rONv
uGl?|
ryx\D`
Nnq=
_pos
eVB'
~wyD
XaZ9
M"l2
e&cI
ywbJ
7F)0
:lr!
L4fx
EFQe
`i [/^
e`.
d>I~
)&v/
Confuser v1.9.0.0
0kl0
Y'&*xJy
q5rt
;#U[
h)z\
do$Nh ?
@"z
!P!1.
w &
\AQlH/ |86
1m\l2
Q{@|
r0-tM
Z=(
BFxT
<Module>
1::O
YA,n=
MulticastDelegate
X?#
<Qh2
H \r
RiQ o
)d#
t<RW~
Tz`[
KrEz
c Mo
,)D
"rKLj
;|w"
Lb'Li3U
E~}i
X'FFKP
=\d\
ql?7
m&{p[
=`9(f
E"Dt
Wz[W
1<O
HiSL%
4XLz
T8.j
!Yaa_b`
l.wJ
Hohk{
(N[N
k`xr
m_DictionarySizeCheck
sVGPoE
\5/3o
p6EV
$http://aia.startssl.com/certs/ca.crt02
rQWx^B\2 /R]
b5pY
PdQ
eMP+
Y ]G2
w#{k
[_hEZ
vp_@q
IgxCU
jMk}
dbF}3{
Y;YyU
N0^^vI
'G-
9)^
^ dG1
oJ=4
ond*
~[Qt,
9jV#
z_(o
2+yu
SetValue
HD2]
$X'pR
"?[$;
3^p"
0?1c
$ @|
]J*L
eLi@Hv
Z*VVB
MA1]7!r
a!*v
eA*#
\Tcd
JTsW$
a0+)' %
_}>I
_wLH
vz 4M
nAw9
C3&F^I
oQaR$
]^afg9Tr-I
xc`o LM
HcWy
r:9
o ~h
hE<U
pE=v
y,X8o
)wjo
MaY#
dO>dD
Qym>$
kG:lC-
IP%P
G&-<
SG:0
U_=j
CopyBlock
!Z
-o L
bPV9
O8O6
`MM7Y
9HHAS
~505`%
/"D#
s==v
U&}\z
|q(,
PutByte
ewgn
kt@6
'':
0_#]
kjko
{t>'[
#xEb
$ -|u
l8Kp
i@,0c
_Gdo
Y=n8
s |h
b x~
JV$Tc)
|T 5fL
sN5z
ConfusedByAttribute
Hx\ik
?g!4
T ^g
ICryptoTransform
kkZd
fm?54E
!bM
lHOt
ax6 (.
EYip
&x9O
Ea @
T;O
StartCom Class 2 Object CA0
Z,x&e
,JdS;
_Bch
2s<W
"k@-
l`O
rI(I
#j4O
`Rde |
49Y&
LF&X
4:P>I
]dzk
N #8
S(U&
^ rp
v\{]
SHFp_9Q
]6" E{
gaYYaa
# I|L
DYX EQO
% Z
>_9G:Y
(Df}c
XaX
Si?reaQD
P~+S
.a6w
P$R.
)n^1V
StartCom Ltd.1+0)
`l?|
Zr*/
Z?a'
@Fa
nqV(,
[td]7
?.k;
/vi@ z
w]4S.p2l'
BHt{
$c{)
J[rZ1
GqC~
p/n)
&YX 9
>#Czc
t34k
^ :|
ReturnLength
9m\~
d3-$;ec
!9B8
B4hK
160608113850Z
K%vB
k /}
`_GA
.e='L
EG"Q
&Ul
K Qz
CkcB
aGSJ0
5$B/U
V34
``wzA
^
<z$0
get_CurrentDomain
^waT
QM<'~
1{8#
K[m
9vXz
Hd9R/
=Dio
NtQueryInformationProcess
b"~ A-
l&(-
Pg!(M
j=/fyA
pL9)
+-.7
S"Zxc
D`d
]$ o$c
PYaaYa
ak!K
+X a
v g'
_/ :
.nEE
Crj
a>y'~
1hsi=?w
i$Ix
cJuQ
^FkhBz+`
Y*9X
=COVa,l
$'YPu
)COk
}YJfj
#Blob
PU%E0
*xB
8}FH
~G Z
kKUJwY
2j/
8+pi
NROf
c+S
`&l:Eg
qbv7>
^iN3\
Ac$=)V
(6Y(U
;cQ7
{. J2
%mAZzu?9}
Ziwk
k^'}
llYI
IQIq
-^R<
fKLF%
KVP`
]3_b
> HSKA
7;a=
v),A
wY;
vaV)
.BzP
)I ?jKh`pg
+'wiv
P @B
Vu(1S
U1"A
distance
/X
TQ[:
$ )`
xB"[)}
B 8p
obTty
:zF
3MA u
1R>;
,4m^
Decode
&_vO
$ M_
|tqb
m!De
T:J
L[Cy
n'y7
v p)e_<
NW"i
Io /
NMSM
_stream
p@s*
00(9o
%MTY
J!|
wy*0
rGH"(
SXU3
.E@nd
$f8U
kWcSnZ
5fIM
j-BJM
50faa
/\*&D
Lq4{
sHVgKZ
?_b`
]1I]?[
&E?d
GnU^
M<-Y
7nsc3
X{B_
\Fb/
uT[R
fKd0
xqx=w
/RNZN
B~[.G
9m!u
)i_
i&Z\
xR7K
D ha
-*#?
UjD43
d5ZK
wcYh[
["1{
https://www.startssl.com/policy0
v) F
&`bF
7!>f<
:?va
8+DI?
U1:Dl
#&#Y
]{``
tj~3_i
oK'T
+G}
~:3O
c8?s
d}v^
'E&<
axGY
h"HK/
9PeZ
+iA
6]x~
e-zI
H7Ut+&
g Q$}w
^^>S
x'(O
Wsne
5{$
N,Fyna<0
rzKE
Rz@
[B!,
o6^ %
Xy$E
vwj\
6=~4z
0-0+
Ml_<
'(xs;
kx2E"
FAB;
kj;U+].
sT6#
modPow
)&r4
.5Ms
System.IO
xg*N%
8 f~@
hth ZQ
8BgG
<HTvM
aoFZ|
qo@ZQ@
7,'
1RN~
*[`&{
Y9Ov
V0dd
C5R$we
,D\m
' bd
Qu~
#-qf
f A$
j\Q@6
T_HiC
l"a5C
\_?dN
npj<
m;RK
$g<S
g,RJ
;^9{
f;yAbQ
e6QRr[
mK$G
[HMn
~.VM`
IoGx8
l0*/
Y*@fOl
7 >gk
E!@%o
o6?k$
/@x~
%%p<vY:
W]&
i u6
*r/K
VirtualProtect
cz\P"
[KLUr;
I:aY mW
mq]|
*/ [
Ttz
?LBX
eOkH(J
iLj_
rbRY
aXXa(7
}C\M
o":N
`Fs.:
_Z3f
iK^?
p/Jw
}W[KS1a
Hy7[
~,L
System.Diagnostics
JG$X
6gCTk}w
[vr3
http://ocsp.startssl.com07
_l]=h
$A5/\I
kY2a
+4\A
http://ocsp.startssl.com0@
`n m
S1g_~
G">YY
WT8@
5'tIu
-IJK
.R`"=
eoY6
jy
TxBG
hO+@5
get_UTF8
ot.(
m6\|b
4Leg
+ Zr
]9[h
g/Ut
@Nhq
90<>
hzN]
/T+~,!
6A9?
D0mWG
PhDN`
'M+P
xQGj
(T=e
*bqR
13zT}%6|d
I5$=e
|Z:p4
j:|L
e>X$T~0
t2kn=n
e7\Vi(
j -I
XY
wjXS
XPv;J
<ttJ
-+ at
>6)aB
RhJb
^q`>
;#f'Z
=?c(
\GE.
O CTr
numPosStates
6JwH
GCeZ0V
zWP k`
40L0
%oTW
VYIZ*"
m_LiteralDecoder
_KC1
W9*g
,JPT
F3vXvp
Bt8
% tW
b'-H
.1tL
Drns
]`tR
PI1sb(
p E<
-;Ps
[ J_
E R3
gZ #
y|-|`
KuPv?
?2>1l
DQ !
t6H\
;>UW
myi@
& Yi
d\o<
IU %
3j|f
/:vE
=c#M
& Yw
LYXYX
#R8o{
|I(:
_b D
n>]%3-
&Fop
pF1YX
#EI`
~&;F
< _{
Tuxd6
ywcx~$
[0'T
,94,
J.h
w i+
2v^W
8 M`
h4Vb
_nsO
W.=
J6hI
u Q a
P#TE
sJ6!
hw!j
}'"~
Vv(
Z:2|
9g6R}
P} S
#<i<(
:Nx]\5
SY T%
++rg%b(
,>+*
4M7`
J$bJ
} 7r
b9 K
z=#>
ga>PTq
89wp
D['"6
+m6FQ"
yl{
jV3u
54GL
^*x0<
"GqQ
n3vf
=uDE';
UInt32
Ku2~f6
/MGQ
~N48
a]Gz
V"Y
T{u5
oWGG
d fxc
eVv)
V,Mq
1tJR
%b?9
D7vn
wYB"
\ K >
Oe(]
DcYaaX~
IsDebuggerPresent
~KP
|>P5
/q']
t!x}W
4Tsy
xpek
Z~b%!Cj
' Vo
rW< oq
}B0 Z
<}37
JcAD
AL#J
; {8t|sD
o-<x
gS n4
$QMP
>am0
- Ev`Z/,V
MemberInfo
.U3G
<90-In:
+-*C
_ND_n
X$"b
"bP.Xwm
0 ({
z3\Q
lKK
Nk.@S
&dJP
g*7u
_1I6
c`{r
x{e6
0+TL
byP
Tw,O
j Db
aeCE
/U9`
qMcW
,><iP
dEB|
[G& D0
c$LD>I
EiK1
1LBy
}1jw
j+@]
ORZY
RI5>'!7
8q@U
71P8
Thai Nguyen1
D/D|
zqXaYX_b
^7'U_
t68uR
?e$&
( %S
PE]l
Qt4T
]h$;
e>y`G
Kx P
ProcessInformationLength
<0:08
*x,%
Gp0*+hf
x{2
J7I"
Z `
i Nz
iR7;X
CryptoStreamMode
WjXYaY
{v6}
<>t}`)
6x^!
& _c
12DQ
/p'YU
C4?0
C:Fh
|2Aj?&
0,0q
UO\[:
ZX;l
cqeF
fTa;
[(K0
- O<
6dTC-
F5(q
^ {G
Ck{#r
l!W=U
Ug3F
hHzM
g8\3=
CyB
bXX
DjpE
C)8o
DjpW
Aa#2
=,q
?U!=
"Secure Digital Certificate Signing1)0'
~Lf6
6F;t`
, u)
.(md
^C69
lqv4
>r.t
get_FieldType
<4 k
Assembly
g$}E
a#8IQ~
[TVnZ6S
1Zov
jo.0-{
` Wu"
;k!0
]n2
"?O.#
6Jiu
# 4s(ZkC
DvP;
xUqZ
%+d
_+1e
> 5j
w['gSh
s0+eT
w9MJ~
[eQ!
B&'\X
NJX6w'ek
*oAPB
Uc|$
lS86Zf
W ec
LPmV
/.D
-WW$3M
[wM)
p$)8
ParameterizedThreadStart
\2[CaPl
N&o][
=nSq
*t-_
Y3;T%n
=a <
1|$]
b<Y;
Zr{R
Kj E
o c d`
B%f(
zU%stH
&\sh
W(-7
'*-0+
SxF^
m_NumPosStates
CHTt>
^2j_
80604
puv{g
5r4eO
360917194636Z0}1 0
Ob|s=
t+l-[
<"%=hmO
WAZ_P
<99&8
^*i7
E qB
&Zyj|.
b1 {Lo
m 'N
\Q>$k
'evv
)uwr
R#ax
/f@7
O~!>
5"3~
TcHy(
V4R9~
d@$07
R(/S
- ru
*&<E[
=AEc.Y
f[ {
BY>
D.3W
L1"=
PH9*a
Rh([R
4s[4
m2<-
q&)Qrq
XY/h
*OQ
u,IXx
A_X+
K8D}
e04&
_wcr
VHOA c
UfVx
r/;X
^pg
klBr
1\1z
q Zp
(NC+6
vL5|
|,Q1a
NUWq
Tw.&
+jY[
|wXh
Q4H7
^p_
L.)
1:JBB
a%}q
i=!&
<Yq$
ReverseDecode
{F1k
e_\;
1N7:
DioP@5
;0S
qFa\=
*J_b
UTY~
-wtV
QiU-
&wS[;~
1FqS
}b3"
bTodl
k0!6w`
.cctor
''x2
"^ l$
GZ4:
G* d
>&(8
f-$
&http://cert.startcom.org/sfsca-crl.crl0+
inSize
Ev38
"XGR
^`mGh)
_JaC
S+
221014220355Z0
=P C
GetLenToPosState
z~t:u
g n+
S?jw
5aey
2v{a$ !
System.Reflection
|XX
qY/*
J "N
.%aL
MN`F
h|yN
R}uo
Y_Y
f.h,a\
a$ 5
c'\>
AnKbkR
L8inS
GOf9
ProcessInformation
#w:uT
GzX
2G)p}tP
1|FcA
O` 9
|p@
"7Nc
wr$4
gl"ji
0CBU
p;G0
~TAU
DecodeNormal
-G+9
282w
gE
0eSx
g_8M
XfGB
tv^/>P
i a`
h/1`G
_ M$
rzte`
V:*?
- nT
&Hx *
<y8Z
CdMEIA
$,p}W
OpCodes
.r\|
paW`
]|b!v
<0o N
q-N-o
Yl%N
iQ&JT7Tv
1$Lo<
P_7q
$Pr(K
x1'b
$}1i
cku<X
O:K_
z Xg1
iAm>
L'Oh
#/@6
7`_
RUAq
vx&^Ob
get_Name
oKt/
R 5&;
DVBE
^wV[
:gz
5S\
m~iF
A?Sv
\6sn
)&?2*L
5]~u
9O3x
a5aA
180608113850Z0U1 0
h[dL
get_DeclaringType
}5nv
}q=gp
IP_6
H|W?
:S.%w
'-\[
010
Hx%L'
z^Tuj
aE8\
n$M +g
Wl-_
q:&;
CtZ-
gMY"
88;X
MGs}
}2TW
Mj[.Cp
exOXjxd
'9$J[F
,3.y
yuaXaa
?D\
j":a(
g0W}
IS@Y{j
Lxt{>dF
MY `
^qoEk
FaX h
toJs
WzK]]RB
o/ {g
H2\&'
v ae
Wl&[
uuUH-
w?-dc>
jc>?
:ukg
DS53
M0FF
'z&=
SetLiteralProperties
V{Kq6
h^Y9.
+7$R
XGR
9dnY
-alK
Tt a
X l.dlT
HAU/
ZR0rq
8Em} Es
Y*| U
f$&x
ResolveEventArgs
hI{OB/
b.=t
} CX8
"( |g'
]PAQ
IC%,
f}zyA
l^3A
;wK<
Vh)x
(z k%
Q0Z<
Create
vk#a
IZC5
I1>35
Y6F(
QM_#c
Kbh$
L4M5
QKFE
.rqA
hImBb
;#12
!6@\b[
}* #
*2~.
RXU8)_T6
VFaz\#M
RPHkd
k}gH9
;}G? R-
YV6R
*2~1
[j;V
et\!
3rgd
kzR
{=Q;
LsW-u
*:~0
O-xO
1"iL
@!dz
UFY3
]?t{7
;(~i
~*&V,3b:
0e,h
gQC~
cq?a
x._Hx2:
Ib/B%
dT $
B\:I !xI
*uvR
-}ko
hh7v
solid
GNax
x)Qn"
fyNz
*C_C
oEEz
zmdH
wDTo
9"y1
Xc_
86%fL
\ncz
("Lc
1`6 )^
r@KZ-}
OpCode
V|K`
Copy
sQ)pf
,yIH^
uf/D
cjD;
F'pS
&\j{
fk;4
nrkbg
K -4^
%U\c
SjViQ
vpyP
jfTj
QoJ{
X ue
7 @;
_lAS|
ZQba
`3T]
g *5B
`= Y
M=x
8%B"
Gqp)
?sN%d
Z:t)K
F=~]
m_NumPosBits
{fqaq
ra?D
hp_/:)
fItAqv*
Zn`;h
791H L
}?p[
9>HN
=Fb$
VN
FieldInfo
bwq*
J#bc%z9
___.netmodule
m_Choice2
]bZDm
y&3s
r!E)
"~5^
}GCo
=t4L[7J
yo{%CU
(t5FF
-*Vb+
MGy ]
{5Y$
y(h|z
Xa^D1 l
(R>+R.+
{`+a
JavU
(O x
w6Vk{h
j0h0$
Gjy
pXYYXa X
go6!
m_IsRepG2Decoders
^SGD
l8LaK
'QE(
:2.zg
) `Vj
vku&KL
. mU
MgY~
w8\Q
eV8)N
;iAiZI<
t<wNa
$=jc
fT,A$x8K 18
t*^(
#o7o
T'0z
lu!t
G,^h
.H<S09;C
%y/y
rNbF
og!J
[9T
^Z x
fC|k
+}s#H]
N~8e
;frYHK
9{MnJ
pk=i
L@~Ht
8/FRH
|,*{
[Pl^T
oByV
56!R{=
)#&y
"g[0R
.Da
!u::G^D(
6C>=p
$1]U
{>isuPg
V7Q|
CloseHandle
7~53
i#(^`
c4~[
mfl$v
cYuQT
+"aNk
+zbA,W"lb
rIw9
GRa6J]
+V55bF,!
Sp!j^-
cACj
+i|;.:
kS"T
W~/'C
M3kz
r;{
v&(i
Su@#j
~KHR
jJX*?
[.x@
&A 1b
d[[*
9f<PZ_
VDp>
get_IsArray
q3pj
XS:>
0'z]
(f~MSXv
ua_@
`qWD
"Na{
get_IsAlive
!}6x
6Ovl
D|>sa[
ck Kk
get_IsAttached
}l]5
Vog( P9aa
t@_Lsw
bgqkY
K 2(
&Jv{!
u:|rk
YJ*.
Ah::
k`DZ
W-t
t #m
qs8Ug
EB w
2BVx
?_SPt
\;'4>
?FQE
c-`,M
Y`e\$
gt"^
]~m>
w#S2
a&'w
3~e2
;-u]d c
J&$9)
m^rNk`^
kDo g9
2'5B6
m [S
6"5)u>
4LX-J
Y`e"I^
:}]2!
outSize
d&u
n`dE
c& p
EPZD
oC i
R7x&G<R
F`;~
A+_q
YnqeN[
L,ZI
{K
YyVxu
l\ *N
uu{`
zJm r
[=:I1
>WX D
?QT5w
/qA&j
huG.
&diI
M #B
U6^{
]r#jM
?Ur)
^bNB
%}{wt
P<Us
{QZ
_lzp
we@V
qZc?
+YXaXYX_cX*
D} T
d'Qq
="obU
Uij="
Gbdn
*010
?jpv
vh V
,h1h
| H$N
&MUSO
KK^)
gv,%33;
kg6"g"
6!A8
sqK5
R#x=
e2FF
K1h$pw1j
>U<k
U0A>
+Y Rdfna_
(IFMR
kN #l
:hKcu
(9UK
lpflOldProtect
vUh
ulhx
|@ F
v2.0.50727
713R
-%My
+EU2
0/a '
o"WB
G,/B
'AxP=
z,%c
g0A\e)%k
o->0
PR$T
N hpl
ZTbb
^~]vO
UEQS
\\l4
UpdateShortRep
:u'P
k(#u
HYY
FYFO/
http://www.startssl.com/0Q
z9T FM
'D +>
sb/
*uWs
$k'
0 gx
!http://crl.startssl.com/sfsca.crl0f
zySY
XD?0
~NtV
F5s(F
oJDB
Flush
g/%F
SymmetricAlgorithm
Mn
g\v,
}F7q
:LGE
G3~
jvt,
|YG.
[y%}I
fZ5#
%DR|
L=-}
}XYX
yjD\
]1q;\
fY!>
?&u8
mN$6A
UMTk
[FB`
6 fQ
i?~F
10_\
ProcessInformationClass
:ffA
qjgb
g@ <
oU]
d| "
,D`=
(`m t
=4j0^[
[sSq
_,^~za
Decoder
Ez(]
kit]
@s4[_
dNE"
!whEsV
83Yab`o
TcB4
DecodeDirectBits
0N)5
Lr9Gh+j!
M!yp"J
:'TS3
([S8
]koN
1xK:
Jk^n
OY l
> zaYY S
_&D#
3\0y
6>"%
Q&#T
NDwy(
cZag
h'8f
MsI
j8>Z
#wJ2
R]0~
Buffer
DbRQ=
~2u5
3zyn)b
mDRQ
J!Y<#
^2MC
IH
q/B|
H ,Fc
%)39
kNJt
!]:t
StartCom Certification Authority1#0!
i)OY
Q.76Ig
z)jx
Ec9b
TY y
:M}
!{:I
;zSt
yW5n
Z})y
{,4ue
De;s
@K}+
Tw%d}
n%TM
uXb'
,a_~1<
8Na0
_2p+
7'>L
%PP"
!1 dwl
0 LjR ]
j 6CD
s; ^c
A\^p
ReleaseStream
~ rdF
"W9O% t`KKP
jU(G ~
Lq%;Qaw
nm^\
VXEy
setg
q %a
4w'"$(
T7'g
`]<+bG
P5 q
)cC{
sS{,
-=!pm$
%.|j
.Q7
eCFn
jB/N]
4*|"
Z3l(
#?4S
A0 m
Thread
Xn<f
I-e 55
^ 8y9_
_8V
8Om.
L4f 1
orf( /D^
get_CurrentThread
4N5q
vVSXd
!D8%
WYBn
0 (:
K1qd~
`WC(
.e5
t `cE
ns/n
BXE3
wBkc'T
.Ru
34]l F
f}WFe6`
?N,>k
m` hg
bm>
%?"o
RYc$ -
{nQ[
Hw/4I^
N0L0
b`:o
+o'#
r2
j%$N
_;.I
Ecb1
VUE
0u1 0
HeWB
u0E.
[].!gr
M\- g
n&'-
lbJ@#NGp
;4(z
]Vz=
_ [~
lrS Y
'd^b
%3sR
-<%\
<$@\3
Q'MdO
4O `
+;Q
4M:Fg
gv%G
Ye&s
df88
~ !)
Lp9m
}!6
K`M8}H
|,V&
4^}O
]NA\<
zs=+Z)
a ks
3-nI
Y!dW
1m/E #>
.O+K{y,O:
6'R2?pd17
Sleep
0*cU
9e L
I/>]i1
/Ns*
wD`D
*?4nPPC
!M\mF
qsrj
14P/
&+rr
/ W\
LiteralDecoder
|Y+q
DX*w
?B"1
vC.0;8
DZ`*@9
M.J-t@L
8Q[
_OP:|MX"
F# FL
VQ|l
j IA$
Decrypt
M<8A
LIF8
(:.*'
{ -
_?].
D`lu^
?Q(74a-2
dX}
<?na
/u&k*
\gt0
5,'el
@aS4pnP
_uA.
|,.3
SV`J
~!C`
Cbi2O
$<Wg
f@nw
;2<:
H;fI
6 Kp
mV$xB
2A}Es
bTQ_?Q
WYa
w5j
e$U^
RuntimeFieldHandle
[J?@R
yV]6
(ha$
k//aK
mscorlib
zXO+
o4$O
'YY
hT -}
&3/B
<Tx
&FYB
<mk/vn)?
m_RepLenDecoder
-x*Q
Y;+zN
H`@Q
nqH
{tv\
b 3-
Dk#=
)gDt
CUCB
!<~Yz?
m_PosSlotDecoder
NiO/f
'&R
O?Yhy
HU)F
k7Q7
scO++
.H,eVk
r {P
-s.^
fvy
2%]1Tk +=f
H=cB
+Q
>O _
<Fy[4
aYYY
K'f$
(O+o
/;!0a
D?(E
"?.
}Ha=
#svX
;*udV[
6eO6
Ldarg_S
Z0ls
d)Xa f
cF2p
t$!{
T5jr
LV y
sPyZ
|t7/G
X(n&
"F2b
Q[\;
%c|R
HhX|
:x4Vx
x&mt
r(%q
9 {w\
C 4#
6Kx
aHVC
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- Windows Vista --> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> <!-- Windows 7 --> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> <!-- Windows 8 --> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/> <!-- Windows 8.1 --> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/> <!-- Windows 10 --> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/> </application> </compatibility> <asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" > <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"> <dpiAware>true</dpiAware> </asmv3:windowsSettings> </asmv3:application> </assembly>
l7)\
^>K~
$E_}
2>7p
Ee8K
y1j6
TP28+
!_j?
pxM5
KY ,
>#M"
Ub(h@@
_windowSize
5<1vbJ
prB {
%CAj(]
CreateDelegate
1;$@
-kE~$
Jt[6
&-2'
U R]
=sT 1
Bpz3
X~"r
W%L b
Z,4!
#]e
?X^Mw
&~"x
gSSV
5=xd
BofMt
ux\kir
jl><+Q
S].
+r
5Y)c
sRz:yK7
%@jo
>H%<
B.dvJm
!XGR
\O!c
#http://cert.startcom.org/policy.pdf05
(_CF
M- %\`
!a@C
vW%2
E/)D
n/Ov
JrmNk|
Ny >
S=
@:_V1
X_@7
Sd8N3U
OV"g
R:X
IsLogging
"Hw,
A*T/
V =&
:HG2
E0z&)
'p-X
'xxd
{@K46B
RuntimeTypeHandle
g{)]k
!S+`
i<'y
QY&
0}1 0
i4Br
# OJ
PhUm
!<N4
060917194636Z
XI:`
kernel32.dll
X:)
x312
@jhqs
tJL3'
!http://crl.startssl.com/sfsca.crl0C
UaXYXX J
'J9,K
]~1,
yW r
hw5
4) T
T- )DW
8S8;
m$0kC
w<GFa
aa_bY*
2VVV
G\#Vn
5u[0
;|a\p
)Ah6
z%?>c;Ey
wQ(p7
=!pj
m_PosDecoders
t~ao
c4+7l
T$v<
^~/)f
GetBytes
U_}0NC1]
?Zu/`
<[E(b{
7 }>
#qyy
9> 4K+SW
yK+l
k-Hl
Write
xd]8
(_Vp
F\&_*
u Fu
vi.
+|q2d,
y>u3
g=IX
?+w/
fh#
H 3c
aisH
I y
9o'KB
?<Rl
Ki:r%
7> 5
Z/q \k
Dhi
^oAj
]DO%&
k[_D#l
4)n(
Zv<.s
Bq lR -
3j-
+IP a
_buffer
2*21
Zs?,
nZX2-
_GL9
STAThreadAttribute
F_*d
"n26
oq'r
A$&-
lLe"^|
fpP=Ua
8t?fce
^Z0&
lf v
fS t
"te<
( 07
5z7E
Md\qsj+ c
U]u
uQV.
$d5b
^2D:
8>>R^
ra !
#]/,
3TTo
,R?K
ZVaB
DecryptAsm
)w<M
RyCJ
*;n.
3g+:
06S-
170329025839Z0+
jE]<
rzaH7
RD>u
Environment
F!/0
E]Zz&
MinSz
|1U}5
)k@3
* 5+
jT_1]
6'}'
YJnw
Ax'|
i9l?Ie
i,fA;C[
K*r9
>[of
3 3.
`qH D
@RVP
8{HbFy-
%K=;pw
W/td
m+$
GR v.
:u+O3#
?]Hg
uzFFQ7c
lH6;N
k*-C9s}Ri
6"R"J
:}:`~sE
Ya}
hr y
fQ%'
m`<|
!|IT
$mId
_vrM
3`DZ
)|x^W
5iZ}a
^Z=cf
ss[N
0Jw
TM v
<M#!
u)uQbsC
?hR
o$g@
m_IsMatchDecoders
Hap M
a86gET|
^4N7R
[`W q
KUfB
BY'QM
LF$:
P>3~
jL,l
N.G4%
92I~e
DI>SN
:%09
$)vYaXXYX4
D0&a
`{r5
@T(%
#T%-
F!O
Nf M (
/xF3
hf(*}io
20170329025839Z0
Client.exe
\sGQ
x01
@['
}:y&<
u\:
>)
'*\]
, h@H
X0LI
ParameterInfo
z[r$
:"T6X
m7p-
hJ!Y
{_f}
lvpt)
[UQ0 QL
M!
u<=-
W%Fa13o!
g!wI
properties
Ii>
>Hf+O
u8d/n
=E>;
Gz*|
jp%qH
T}_`5z302
get_Length
M]Mqn
Vke{}zB
k3K f
Wp2m
2:>4:
s665
7Kn)
stream
5=44
$%ZU
Aq/#
Go{c
(G`
!/]&|
H[_&+ {
1XYaX
SO G
qRu-'_
'J9E
{drs
h|SM
XaYY
0 g U
;v^:
aW~G
PN?%9"
<#;J
{?K~1%4
ku;u
'W">@nq\
@ 4}AI
Jl U Iv
E%%
VAl1
b'KP}
:g(z
lIgJs
kS}EE
A*Ugo
djgk2=
_2W$@
eL_B"
a<je~
': g
%http://crl.startssl.com/crtc3-crl.crl0v
w3 9
E>/)
X&RV
- xj
j"k>S
OkEI)
]4(r
W|fa
>7la
%L
ecEs
x^4;Hw
=.n
^2C\
G<yo
aBY{H
FutnF
YaYaX
MWUHv_5
P#z_
*]&f0
m_Choice
h1a
;T)q
5Sf?
Hj c
C3?yl
-ksI8
6X=?
mi$I
861Qcp
Start
lF|x
Gm.M
^F8$
"R|
Q JV+
R@}Zc
5DW`
Sk.;
n`Y*%
#gXs
rl#n
s?Xhf^A
Client
IP4H:
xt<X
>D`,
OvxT
BB6v`
tyF,.
#:dzr
$9 GD
R|E"
lb5i
'P<@
xqt1
I (
j#HU
RLI|
Ri/F{
p^~j_
;5;L
${RY
^}oW
zx_a?{+
Y}4<V
ops~
^c?{.
$lG]
$ESs
jQe)"
kN5,q3kJ
y>}b
!Yoqz
JYQx
N^ A
;:ROp
$u%$
Q@+IJ
}fnG
o cJ*
U2/D
OD/GI4
;Px3>
X O?
<a,V
mi%Z 0
.f|}56
daYXY
K|Q2
Lk~sX
HX!8VGoD
urn]jB
&p?;9
zcl5
get_MetadataToken
l64v
'#oyM[(
Kon}
SS<t
GetEnvironmentVariable
Rc6e
[UC)
TkYY
G [x
V#p:
A[mf
TQ
e \Ke
[,qH
<D1
Mr'Y j
~b)R
nMOu
b?6`D
@m !=
6VX%w
add_AssemblyResolve
Gh:3
]&9@n
tqyl
5w C
7s%,
T#{(
ueTA
H)&0y
5Q K
ti%{|
/}V]
WG#9
Lp7p
9x.W
%-28
l)-C b
p;w<<
%Wp{
u SU' 7
j +
8|UmE
GX 8
gb0L4
{`0
aXYYa
L%e^
G9"7Bm6
|]H!^
;te4#
^xD!
& Xjb
kS7
I{y[
/2w@
Fb[XaYYY
(mQT=
{!e
8|2 Z
mYz5Q
j*$`
!NFnG~
jTXBl
fwJ6
@aXXY
!*}
:1g-
2l\G
i&HD
7:G-
.`b|
?7d[
")Z
" u.
io%
.[_?4
Y ~0u2
}'B0?
o)aJjLo
'/B.
:r<$
oU<[?
MM A
N&Bsq3
9iRt8
sV^v
MXjr
j$lt
a(>M
S>3n
d3:h
k"Ps
A_<h;:
%<kW
X$N
U`zY
M]6e
!]{ -
~~ s
b ^Psu
u( C
F>W=
I_+r
'WmYXX
# ?=
X(j^\
#D!/K
[$d/
thZs
0<T3
} k6C]
ReadByte
s$^
O-y/ 1
"uY~`
{ N"_
(>XQ
{HySf
nne#9
0mm,>)r
_=Th/<
%`}T>
@/T$
>i;|
d_f<
D!YZK
RK7hd
inStream
',R"\
/OwI.
6fX"s
s9V)P
hiiT
bude
]G(8
jNzsX
PyD!
gK 9{
XYGHx
vBj\t
dG HCI
)m<n4
!\RG
p 12
%G(_
r1W"'
-zT7Nf E-!
/aW8
kz+r
}-&5
= 8k
'<d:O9s
9VX[
I!x;y
+Xa
T:b
.5"D
Mz>[
-M[-
W{YD
_v[`
H]#q
'H/IZ>
>FD#
MX"^
BKo 5
W(Rt
@eY|9=
MUnv
MMn)
H:X
dnkc0M
\iS@
(q-c*
\Uxh
!=,6eYt
Goi]
|,A?
/5,i
msH>
^f4m
HBjp}
QY?v
m,C
KmU "
~& .@
7d@,O3
'~"
t_y|
O2
wd2.
Msy6
iHHf
VbLT
ujB
JM w
oqk)
Bm"T
9$t\<
h9e<
~mLZ
3('R
b E"
cq< \
VhpS
(ju
hg&M
a2fE
X) [
b~q/
Nel$d
>%xt
+o\$
!!67
zs pL
OHs|
H1|a
Qjaa
G=};c
N@*N(
,zC9No
Lw [
^^ 9H
Q1uW
Itk{
BGX@
<ng&
^t8rg d
qPx=@<
iZ#a
C;r)#
:,UL
ZRj<.
*]^"
x|h(Z|
v6U@?
;xhH
v
aVQ6
BZWQ
u")c0
u\?2E
, r
KX w2s
T +H
IaSm
k**r'
yyC:(
4')F
gAN
|#z*
\L0y
\!.^).`
>Bg:a
RaY
+>{-
}\KU
I-1i
\ *9
^ln?
*)vGe:3
7`=q
c=`f0a:]
>):?
P3 r
{b!YJ
d< p@$
{!F%
0=op<.
dF6Z0#
/4 :D
M9H
[M/e
\wO)
!Zd V
]K}W
`@@al
66GB
jF*G
f7FC
S5Co
"YaXXXaXa :s
**4v
}+mA
=z>BA{
CYP&
zTf+
XY!Y6;
>\j8J[
j5j1
k:u;9
&WU1
@Pm2
thread
IsCharState
-*dJ
?@6/w
Vik7vl?
q>w>
LP&p,
8T!8Z
PA%e~
tLa
< CrU
&-XU
Models
ResolveMethod
?GOYyn
x7ZqR
x$bR
n3W
-Ykt~
))H+
zCV-
AGY&o
|Q jA]
b W7eU>
3KF$
'g@5
v-Fp
FS}F
RoaG
/#Jz
-0[s
NEh\d$p
hWs&~
f6my
ys^Z!
d=<4
cIj.
CMdE
6lc\0T
`%RJ
`jy{L/
' ?
YE-=
nI`G
m_NumPrevBits
C(2 ~
W#~WX
?X?$
U)qs(d*XFM
`E"
m&y&
YwHB
J*cD
74K
F68}
- r
x?\Y+
}Iz^D
<A.J
l~iQ'
/QRg
U 7R0
FwP?u
ZO\.
Q@ K
7b.K
=7 Y
h>~ZI
2NMg
\/M:
/ fv
Un>l
. bE
@L1i
[B=Kg)i
y JG4B
Q=G
y5#0
gL [
.x}x
1%8-]#
+$gS
sEy>=
uB=R
=[II
w%Z`>
bVc!
Delegate
m:@" !{
pp5>
LsH }GX1
vpQ:=
M ;j
OOK#
{YVk
[t+W|
|^`u
3Pr
y.G'
8zIph
,Tu I
jHY<
oP)-
;jBi
>"X`A1
!8r"oPO
,u8,
K,b;
)RT%I
KeEI
^FY+
ID3G
.(L
f{B[
6eO G
:? '
8> 5
151216010005Z
{l$9
1D7;g
9k03
P n~A
V=UQ
o A7
}-|$
r0h1
.iIX
cLTt
0&~D
/BQh
yr`
?,?~
UA|t
kXYXa
reofi@
8ZD
-]v~
-WII w
l%y2
p0{(
;JK
OKFi^
X {:n
FS`
_ ?B>P
.Qi8
XxYH
*!$ >
/XG
"h;V
X"y~
Wle.
#XK>
9j i
zF4"
A("+
v<9e
AIX_
9i//OM
stN|
$9W`
2n"2
R7D-
J]b:RWO
g]avF
8MF n
%?0 !
`Lys
=M&x^y
RJ@W
FPYa
String
_hawBN
^ QO
Cr
[T"F
qb?!I5/G
vbi5
Nr3;V
d}5G
Kn*]xz^
yTGCIt
ss!V
[3Yc
s,"m
QweK7
g]X'D]
wP$_/~D
eq\c
'-">Nyx6
]68T
ue5Y
g|a%
lMp[)e
4]KK
xClient.Properties.Resources.resources
$zxn\C3
'UGE
G4`M
7}3oe
j 0th
EHm<
/0-0+
?\oJwg
-S<S
Y6|*
M3?mD#
Load
IGM(
$G&GR-
_ks^
+tiL
\T~F7~
[{WF
6u#
S>L;MR
5+[T
T\B
`ZP$
}e5.
M\^\Cs
.- G
StartCom Class 2 Object CA
YYXa
SPuxH
kuD
1}3"?/
\BPS
`+z^
*
);t/Z-
(4Sdq@
G !U
&4I
&nL&
S.W-?
rm,=
7d']
'CJ0
kyqe1
IX5FS
7C\Q
w<qX
)BM.
,S f%
!h#(
Object
a*OI
V52=LY
bMB;
m_MidCoder
%\}o
{Zg~
&%ay3
1(pM
+zI-_+[
L\ b
V<r?
]{F,
5EGo
UEx<
yFHQ
>=c$n
f}ZNy
Y=#CJ
State
qo*
2hQ]
xbb4
R]c#)
iAIrw
posState
%YwU
M|}=
>2|]Z
)=!
``;c
Sn-I2
sx|\X
1^_J
6mF=3>
menh{
YXa_b
1g06pO
3s/~%z
q2A#
X 6o
cAip
mh--W_
Cns8
?,zf+
X3 m
0LS9
wQvP
6e8|G
[U|Yj
:Q H
L3CcT
n13iN
BbK|
:~>s\
"*_&
eKPe
5=5'
bjZ^
^5aa
l~1}
P V,`9Y >
= B?
,MEe
>IV.
d /O_
\wdy
B'yV
bKK}
QUE
^3 5
03tyLw
"AC9x
=~F%
;TQ6
rZ,W
System.Threading
@^FR
N'@$
i\5R
.# y
? :vf
Q9A>
gp Z
?Mo8
w=OV
sOr_
WE?w
[)%7
rx~u(
R7ums
O^7.
#Dm9g
{S9"
Ki;Q
{V<]
slwx
V:A9
!].o@*
3Bwy
Y0]JYG
}v=^
u& Od\
hKHR
j %Q
_WI+
-9$i
$http://aia.startssl.com/certs/ca.crt0
ljv
x3aM-
tTH}
8u p1
W!>=
8\tn
M%MS C
_p`-
*)P
{ml\
{5i^
\ =
lJ"S
-poN
:B>yW
*[=m
xa29,P
ypdFtR
1Q)#
RI\YL
"Ya
dictionarySize
P{JZVj
vS'[
?0-Lx
Q4A)
f)Jp$
t0a QA)
5h);Ec
/`|F
"go:
zv6A
(mF65h
TA9fj
J/fH
5Ml_
j@T[sM9I
-aa
NtCoT
}-rhYa +P?
Vhpo
v ~3B
|#*|d
GetTypeFromHandle
;,M
s'E`S
`?%y>
NFk
Rb&G
m/z
s>sD
sIb-
YaaXY cbj
mHN28OWW
k.r^
P%P
1+,:
Fvqv
ulGmj
jqW&
$s7)
`wRl6t
;.{/
oSQSY4
vu~W
X6 s
48xH
=Km6
d9.
_._U
$}oZ
System.Runtime.InteropServices
"Kom
Hroa
~2cm
StartCom Ltd.1)0'
$ZE@E
Sfvm#
o(l<
"%z\
dl&~
7moS!%I
System.Runtime.CompilerServices
= }+"
rpI'
Rp! h
[~2l
1d"GAG7
)$ d
H+?+
L4F6Y
5{_5
IV%L
5#2#
m_IsRepG0Decoders
RlH'Z
outStream
'PHAJ
a*Su^
L=!nh
f-wK
AW-[<W|
j-69q
^pS7
0#9Wh
w;a8
5`|.T
145f
@EefM
BD-&
;[FJ
YeuU
(Qb!
~Xh}
6 "$^
5'^/
ItB0
$ie*d
,=zU
: ibN
?O#D;
t 4$
^&*=F
/JnN
o~@*zI
%http://crl.startssl.com/sca-code2.crl0#
4y[R
>EtS
`FU4 ~
]aOT
|)EV
x1z
wd%
<uUX
E0xnD
_,J=G L
#g5zU
qj;S
lGX"]!
A9N
/"E.
XZ<-
+p2C5D
DivMOR
$J/U
gC S;
Y9
~^:8e0
@,P4
kQ0J
y@,S
TZ92
bcp
0v/
}3EYIN
2l~~n-
c1J]rE
/eg-
z7;
^S0 d
J(M
R}i9]?
f<6v-
cwe+
l_8h
<{/^
*2H_
(=
tVsR
ANrR
m_PosMask
#Mtq
S"pJ@
fntVd
YY N
nLON
}\2z
_&F)
rHA,
<sjAK
K%P+
B fR+
<G%<
eA6b
*Xc$
{{pxMO
LAJp|
Encoding
G9$cfEr
*ZIE
qpEo
Lv3Nz@T)x
WNsE
qvw3
tRdc
flTg
get_Module
0tb|
g7z(
m_Decoders
f#A 6
N WC
PrFt
-&wlD
qP>Y
Z @t
?"jC
uAhO6;2
Range
[d?p
2 9x
=37n
B%4
)0FP
y=]
h#Q-
SetDictionarySize
EBaa
m {R
Q;%v
mu'ow
4 _2N
%`yl
PSP7
3YHE
YtR@/C
3jdl
28C=
Oo5|I
$>/k
33)&
tWY/
hD!
._#_
2[f>
Y,u>
8Q-3=C3
mAjUp
m_PosAlignDecoder
9cW i
.a7u
Q>un
m_LenDecoder
,?SXV
6J,$&
|IU
ik "n
J\R
aMYK
s,s
.enc
6SNt;
aYXX 2
~- |
9pje]
2Ei'e
z0Fbi\Y
38k1
aYaX 'X:
wz'[
Ui/w
@685
RQa>
071014220355Z
`}6kL Rp }+
Yj^a
#wcy
@0>0<
NRgy
,V Q
!9.P
@co)
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven06_64 Seven06_64 VirtualBox 2017-03-29 16:37:36 2017-03-29 16:40:25 169

9 Behaviors detected by system signatures

Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven06_64 Seven06_64 VirtualBox 2017-03-29 16:37:36 2017-03-29 16:40:25 169

10 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\client.exe.config
C:\Users\Seven01\AppData\Local\Temp\client.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Local\Temp\client.exe.Local\
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll
C:\Windows
C:\Windows\winsxs
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\qagentrt.dll
C:\Windows\System32\dnsapi.dll
C:\Users\Seven01\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\*
C:\Users\Seven01\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\*
C:\Users\Seven01\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\*
C:\Users\Seven01\AppData\LocalLow
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Seven01\AppData\Local\Temp\Cab9C11.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9C21.tmp
C:\Users\Seven01\AppData\Local\Temp\
C:\Users\Seven01\AppData\Local\Temp\Cab9C9F.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9CA0.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9CFF.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D00.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D11.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D21.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D70.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D71.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D92.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D93.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9DE2.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9DE3.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E03.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E04.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E53.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E54.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E74.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E75.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9ED4.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9ED5.tmp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
C:\Users\Seven01\AppData\Local\Temp\client.config
C:\Users\Seven01\AppData\Local\Temp\Cab9F72.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9F73.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9F94.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9F95.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FA5.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9FA6.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FC7.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9FC8.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA017.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA027.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA038.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA039.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA098.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA099.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA0B9.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA0BA.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA109.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA10A.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA12A.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA12B.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA17A.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA17B.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA19C.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA19D.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA1EC.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA1ED.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA20D.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA20E.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA26D.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA26E.tmp
C:\Users\Seven01\AppData\Local\Temp\client.INI
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\Globalization\it-it.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it-IT\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll
C:\Windows\Globalization\en-us.nlp
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089
C:\Windows\assembly\GAC\mscorlib.resources\2.0.0.0_it-IT_b77a5c561934e089
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.dll
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources.exe
C:\Users\Seven01\AppData\Local\Temp\it-IT\mscorlib.resources\mscorlib.resources.exe
C:\Windows\Globalization\it.nlp
C:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_it_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.INI
C:\Windows\Microsoft.NET\Framework\v2.0.50727\VERSION.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Users\Seven01\AppData\Local\Temp\client.PDB
C:\Users\Seven01\AppData\Local\Temp\___.netmodule
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\it-IT\werui.dll.mui
\Device\KsecDD
C:\Windows\System32\werui.dll
C:\Windows\System32\it-IT\DUser.dll.mui
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\Comctl32.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\win.ini
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2
C:\Windows\System32\it-IT\erofflps.txt
C:\Users\Seven01\AppData\Local\Temp\WERACCA.tmp
C:\Users\Seven01\AppData\Local\Temp\WERACCA.tmp.WERInternalMetadata.xml
C:\Windows\System32\drivers\*.mrk
C:\Users\Seven01\AppData\Local\Microsoft\Windows\WER\ReportArchive
C:\Users\Seven01\AppData\Local\Microsoft\Windows\WER\ReportArchive\*_*_*_*
C:\Users\Seven01\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_client.exe_14e34a40fa3ebc574da87c0b43333c029aa1712_0812b6e6
C:\Users\Seven01\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_client.exe_14e34a40fa3ebc574da87c0b43333c029aa1712_0812b6e6\Report.wer

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\client.exe.config
C:\Users\Seven01\AppData\Local\Temp\client.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6229_none_d089f796442de10e\msvcr80.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
C:\Users\Seven01\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
C:\Windows\assembly\NativeImages_v2.0.50727_32\index126.dat
C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
C:\Windows\System32\p2pcollab.dll
C:\Windows\System32\dnsapi.dll
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Seven01\AppData\Local\Temp\Cab9C11.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9C21.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9C9F.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9CA0.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9CFF.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D00.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D11.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D21.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D70.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D71.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D92.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D93.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9DE2.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9DE3.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E03.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E04.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E53.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E54.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E74.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E75.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9ED4.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9ED5.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9F72.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9F73.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9F94.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9F95.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FA5.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9FA6.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FC7.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9FC8.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA017.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA027.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA038.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA039.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA098.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA099.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA0B9.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA0BA.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA109.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA10A.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA12A.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA12B.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA17A.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA17B.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA19C.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA19D.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA1EC.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA1ED.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA20D.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA20E.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA26D.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA26E.tmp
C:\Windows\System32\l_intl.nls
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\it\mscorrc.dll
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb
C:\Windows\symbols\dll\mscorlib.pdb
C:\Windows\dll\mscorlib.pdb
C:\Windows\mscorlib.pdb
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\System32\it-IT\werui.dll.mui
\Device\KsecDD
C:\Windows\System32\werui.dll
C:\Windows\System32\it-IT\DUser.dll.mui
C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_it-it_e4c79be92250cb6e\Comctl32.dll.mui
C:\Windows\Fonts\staticcache.dat
C:\Windows\win.ini
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\it-IT\erofflps.txt
C:\Users\Seven01\AppData\Local\Temp\WERACCA.tmp
C:\Users\Seven01\AppData\Local\Temp\WERACCA.tmp.WERInternalMetadata.xml

Write Files

C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Seven01\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Seven01\AppData\Local\Temp\Cab9C11.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9C9F.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9CFF.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D11.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D70.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D92.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9DE2.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E03.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E53.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E74.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9ED4.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9F72.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9F94.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FA5.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FC7.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA017.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA038.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA098.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA0B9.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA109.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA12A.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA17A.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA19C.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA1EC.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA20D.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA26D.tmp
C:\Users\Seven01\AppData\Local\Temp\WERACCA.tmp.WERInternalMetadata.xml
C:\Users\Seven01\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_client.exe_14e34a40fa3ebc574da87c0b43333c029aa1712_0812b6e6\Report.wer

Delete Files

C:\Users\Seven01\AppData\Local\Temp\Cab9C11.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9C21.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9C9F.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9CA0.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9CFF.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D00.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D11.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D21.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D70.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D71.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9D92.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9D93.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9DE2.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9DE3.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E03.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E04.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E53.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E54.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9E74.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9E75.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9ED4.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9ED5.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9F72.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9F73.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9F94.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9F95.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FA5.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9FA6.tmp
C:\Users\Seven01\AppData\Local\Temp\Cab9FC7.tmp
C:\Users\Seven01\AppData\Local\Temp\Tar9FC8.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA017.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA027.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA038.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA039.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA098.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA099.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA0B9.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA0BA.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA109.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA10A.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA12A.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA12B.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA17A.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA17B.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA19C.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA19D.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA1EC.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA1ED.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA20D.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA20E.tmp
C:\Users\Seven01\AppData\Local\Temp\CabA26D.tmp
C:\Users\Seven01\AppData\Local\Temp\TarA26E.tmp
C:\Users\Seven01\AppData\Local\Temp\WERACCA.tmp
C:\Users\Seven01\AppData\Local\Temp\WERACCA.tmp.WERInternalMetadata.xml

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\client.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPublisher\Safer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllGetSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4b\7F06864B
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{BA08A66F-113B-4D58-9329-A1B37AF30F0E}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllVerifyIndirectData
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllVerifyEncodedSignature
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllImportPublicKeyInfoEx2
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My\Keys
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97E2E99636A547554F838FBA38B82E74F89A830A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97E2E99636A547554F838FBA38B82E74F89A830A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\PhysicalStores
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Escalation
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\WMR
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E7E3FE35
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\257878c\2c1a8707
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_it-IT_b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\40dcb014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|client.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|client.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Seven01|AppData|Local|Temp|client.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1822907384-1282624486-319450072-1000\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.mscorlib.resources_it_b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\5e8c75c\1ffc8ca7
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ForceQueueMode
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\DoReport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\AllOrNone
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_CURRENT_USER\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\InclusionList
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\Debug
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\CLR20r3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DebugApplications
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\CLR20r3
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DebugApplications
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\RestartRunTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\RestartRunTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Throttling\CLR20r3
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectUI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\dw20.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{70FAF614-E0B1-11D3-8F5C-00C04F9CF4AC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
HKEY_CURRENT_USER\Keyboard Layout\Toggle
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDBuildNumber
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\BIOSVersion
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\CSDBuildNumber
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LastWatsonCabUploaded
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\44D72C57
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\GCStressStartAtJit
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\VersioningLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\LatestIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\NIUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index126\ILUsageMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ConfigString
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MVID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\EvalationData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\ILDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\NIDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\83\MissingDependencies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\DisplayName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Status
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\Modules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\SIG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\183e33de\83\LastModTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}\$Function
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.44.3.4!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.47.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931\Blob
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\627F8D7827656399D27D7F9044C9FEB3F33EFA9A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\85371CA6E550143DCE2803471BDE3A09E8F8770F\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97E2E99636A547554F838FBA38B82E74F89A830A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D23209AD23D314232174E40D7F9D62139786633A\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212\Blob
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableInetUnknownAuth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\E7E3FE35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ForceQueueMode
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\ShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\DoReport
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\PCHealth\ErrorReporting\AllOrNone
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MachineID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Consent\CLR20r3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontSendAdditionalData
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Disabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\DefaultOverrideBehavior
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\Consent\CLR20r3
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LoggingDisabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DontShowUI
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ConfigureArchive
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\DisableQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxQueueCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\MaxArchiveCount
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceQueue
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\SendEFSFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\BypassDataThrottling
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ForceUserModeCabCollection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseSSL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerPortNumber
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\CorporateWerUseAuthentication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Reliability Analysis\RAC\RacWerSampleTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\RestartRunTime
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\RestartRunTime
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EditionID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuildLabEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CSDBuildNumber
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\BIOSVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\CSDBuildNumber
HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LastWatsonCabUploaded
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\44D72C57
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Write Keys

HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\LanguageList
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\@%SystemRoot%\system32\p2pcollab.dll,-8042
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\4B\7F06864B\@%SystemRoot%\system32\dnsapi.dll,-103

Delete Keys

Nothing to display

Mutexes

Global\CLR_CASOFF_MUTEX
Global\45eaffa4-148d-11e7-9b51-0800274633c1
Local\MSCTF.Asm.MutexDefault1

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
kernel32.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.IsProcessorFeaturePresent
msvcrt.dll._set_error_mode
msvcrt.dll.?set_terminate@@YAP6AXXZP6AXXZ@Z
kernel32.dll.FindActCtxSectionStringW
kernel32.dll.GetSystemWindowsDirectoryW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
mscorwks.dll._CorExeMain
mscorwks.dll.GetCLRFunction
advapi32.dll.RegisterTraceGuidsW
advapi32.dll.UnregisterTraceGuids
advapi32.dll.GetTraceLoggerHandle
advapi32.dll.GetTraceEnableLevel
advapi32.dll.GetTraceEnableFlags
advapi32.dll.TraceEvent
mscoree.dll.IEE
mscoreei.dll.IEE
mscorwks.dll.IEE
mscoree.dll.GetStartupFlags
mscoreei.dll.GetStartupFlags
mscoree.dll.GetHostConfigurationFile
mscoreei.dll.GetHostConfigurationFile
mscoreei.dll.GetCORVersion
mscoree.dll.GetCORSystemDirectory
mscoreei.dll.GetCORSystemDirectory_RetAddr
mscoreei.dll.CreateConfigStream
ntdll.dll.RtlUnwind
kernel32.dll.IsWow64Process
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddVectoredContinueHandler
kernel32.dll.RemoveVectoredContinueHandler
advapi32.dll.ConvertSidToStringSidW
shell32.dll.SHGetFolderPathW
kernel32.dll.GetWriteWatch
kernel32.dll.ResetWriteWatch
kernel32.dll.CreateMemoryResourceNotification
kernel32.dll.QueryMemoryResourceNotification
kernelbase.dll.InitializeCriticalSectionAndSpinCount
kernel32.dll.ProcessIdToSessionId
imm32.dll.ImmCreateContext
imm32.dll.ImmDestroyContext
imm32.dll.ImmNotifyIME
imm32.dll.ImmAssociateContext
imm32.dll.ImmReleaseContext
imm32.dll.ImmGetContext
imm32.dll.ImmGetCompositionStringA
imm32.dll.ImmSetCompositionStringA
imm32.dll.ImmGetCompositionStringW
imm32.dll.ImmSetCompositionStringW
imm32.dll.ImmSetCandidateWindow
mscorsec.dll.GetPublisher
mscoree.dll.CoInitializeEE
mscoreei.dll.CoInitializeEE
mscorwks.dll.CoInitializeEE
wintrust.dll.WintrustCertificateTrust
mscorsec.dll.CORPolicyEE
wintrust.dll.SoftpubInitialize
wintrust.dll.SoftpubLoadMessage
wintrust.dll.SoftpubLoadSignature
wintrust.dll.SoftpubCheckCert
cryptsp.dll.CryptAcquireContextA
wintrust.dll.CryptSIPPutSignedDataMsg
wintrust.dll.CryptSIPGetSignedDataMsg
imagehlp.dll.ImageGetCertificateData
user32.dll.LoadStringW
ncrypt.dll.BCryptOpenAlgorithmProvider
bcryptprimitives.dll.GetHashInterface
ncrypt.dll.BCryptGetProperty
ncrypt.dll.BCryptCreateHash
ncrypt.dll.BCryptHashData
wintrust.dll.CryptSIPVerifyIndirectData
bcrypt.dll.BCryptOpenAlgorithmProvider
bcrypt.dll.BCryptGetProperty
bcrypt.dll.BCryptCreateHash
bcrypt.dll.BCryptHashData
bcrypt.dll.BCryptFinishHash
bcrypt.dll.BCryptDestroyHash
bcrypt.dll.BCryptCloseAlgorithmProvider
ncrypt.dll.BCryptDestroyHash
cryptsp.dll.CryptReleaseContext
crypt32.dll.CryptVerifyTimeStampSignature
ncrypt.dll.BCryptFinishHash
bcryptprimitives.dll.GetAsymmetricEncryptionInterface
ncrypt.dll.BCryptImportKeyPair
ncrypt.dll.BCryptVerifySignature
ncrypt.dll.BCryptDestroyKey
userenv.dll.GetUserProfileDirectoryW
sechost.dll.ConvertSidToStringSidW
sechost.dll.ConvertStringSidToSidW
userenv.dll.RegisterGPNotification
gpapi.dll.RegisterGPNotificationInternal
sechost.dll.OpenSCManagerW
sechost.dll.OpenServiceW
sechost.dll.CloseServiceHandle
sechost.dll.QueryServiceConfigW
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptVerifySignatureA
cryptsp.dll.CryptDestroyKey
cryptsp.dll.CryptDestroyHash
cryptnet.dll.CryptRetrieveObjectByUrlW
cryptnet.dll.I_CryptNetGetConnectivity
sensapi.dll.IsNetworkAlive
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.NdrClientCall2
winhttp.dll.WinHttpOpen
winhttp.dll.WinHttpSetTimeouts
winhttp.dll.WinHttpSetOption
winhttp.dll.WinHttpCrackUrl
shlwapi.dll.StrCmpNW
winhttp.dll.WinHttpConnect
winhttp.dll.WinHttpOpenRequest
winhttp.dll.WinHttpGetDefaultProxyConfiguration
winhttp.dll.WinHttpGetIEProxyConfigForCurrentUser
winhttp.dll.WinHttpSendRequest
ws2_32.dll.GetAddrInfoW
ws2_32.dll.WSASocketW
ws2_32.dll.#2
ws2_32.dll.#21
ws2_32.dll.#9
ws2_32.dll.WSAIoctl
ws2_32.dll.FreeAddrInfoW
ws2_32.dll.#6
ws2_32.dll.#5
ws2_32.dll.WSARecv
ws2_32.dll.WSASend
winhttp.dll.WinHttpReceiveResponse
winhttp.dll.WinHttpQueryHeaders
winhttp.dll.WinHttpQueryDataAvailable
ws2_32.dll.#22
winhttp.dll.WinHttpReadData
ws2_32.dll.#3
winhttp.dll.WinHttpCloseHandle
rpcrt4.dll.RpcBindingFree
cryptnet.dll.I_CryptNetSetUrlCacheFlushInfo
setupapi.dll.SetupIterateCabinetW
kernel32.dll.RegOpenKeyExW
kernel32.dll.RegCloseKey
cabinet.dll.#20
cabinet.dll.#22
cabinet.dll.#23
sechost.dll.QueryServiceConfigA
sechost.dll.QueryServiceStatus
rpcrt4.dll.RpcStringBindingComposeA
rpcrt4.dll.RpcBindingFromStringBindingA
rpcrt4.dll.RpcEpResolveBinding
sechost.dll.LookupAccountSidLocalW
sechost.dll.LookupAccountNameLocalW
rpcrt4.dll.RpcStringFreeA
wintrust.dll.SoftpubAuthenticode
wintrust.dll.SoftpubCleanup
ole32.dll.CoTaskMemAlloc
mscoree.dll.CoUninitializeEE
mscoreei.dll.CoUninitializeEE
mscorwks.dll.CoUninitializeEE
ole32.dll.CoTaskMemFree
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
kernel32.dll.QueryActCtxW
ole32.dll.CoGetContextToken
kernel32.dll.GetFullPathNameW
kernel32.dll.GetVersionExW
advapi32.dll.CryptAcquireContextA
advapi32.dll.CryptReleaseContext
advapi32.dll.CryptCreateHash
advapi32.dll.CryptDestroyHash
advapi32.dll.CryptHashData
advapi32.dll.CryptGetHashParam
advapi32.dll.CryptImportKey
advapi32.dll.CryptExportKey
advapi32.dll.CryptGenKey
advapi32.dll.CryptGetKeyParam
advapi32.dll.CryptDestroyKey
advapi32.dll.CryptVerifySignatureA
advapi32.dll.CryptSignHashA
advapi32.dll.CryptGetProvParam
advapi32.dll.CryptGetUserKey
advapi32.dll.CryptEnumProvidersA
mscoree.dll.GetMetaDataInternalInterface
mscoreei.dll.GetMetaDataInternalInterface
mscorwks.dll.GetMetaDataInternalInterface
mscorjit.dll.getJit
kernel32.dll.GetEnvironmentVariableW
kernel32.dll.SwitchToThread
kernel32.dll.VirtualProtect
kernel32.dll.GetUserDefaultUILanguage
bcrypt.dll.BCryptGetFipsAlgorithmMode
kernel32.dll.GlobalMemoryStatusEx
mscoreei.dll.LoadLibraryShim
culture.dll.ConvertLangIdToCultureName
kernel32.dll.SetErrorMode
kernel32.dll.GetFileAttributesExW
advapi32.dll.CheckTokenMembership
mscoree.dll.DllGetClassObject
mscoreei.dll.DllGetClassObject
diasymreader.dll.DllGetClassObjectInternal
wer.dll.WerReportCreate
wer.dll.WerReportSetParameter
wer.dll.WerReportAddFile
wer.dll.WerReportSetUIOption
wer.dll.WerReportSubmit
wer.dll.WerReportAddDump
wer.dll.WerReportCloseHandle
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
advapi32.dll.RegGetValueW
user32.dll.GetProcessWindowStation
user32.dll.GetThreadDesktop
user32.dll.GetUserObjectInformationW
user32.dll.CharUpperW
werui.dll.WerUICreate
werui.dll.WerUIStart
ole32.dll.CoInitialize
ole32.dll.CoUninitialize
kernel32.dll.CreateActCtxW
kernel32.dll.ActivateActCtx
dui70.dll.InitProcessPriv
kernel32.dll.DeactivateActCtx
comctl32.dll.LoadIconWithScaleDown
ntdll.dll.RtlRunEncodeUnicodeString
ntdll.dll.RtlInitUnicodeString
ntdll.dll.RtlRunDecodeUnicodeString
dui70.dll.InitThread
duser.dll.InitGadgets
user32.dll.RegisterMessagePumpHook
dui70.dll.?GetClassInfoPtr@CCBase@DirectUI@@SGPAUIClassInfo@2@XZ
dui70.dll.?GetFactoryLock@Element@DirectUI@@SGPAU_RTL_CRITICAL_SECTION@@XZ
dui70.dll.??0CritSecLock@DirectUI@@QAE@PAU_RTL_CRITICAL_SECTION@@@Z
dui70.dll.?ClassExist@ClassInfoBase@DirectUI@@SG_NPAPAUIClassInfo@2@PBQBUPropertyInfo@2@IPAU32@PAUHINSTANCE__@@PBG_N@Z
dui70.dll.??0ClassInfoBase@DirectUI@@QAE@XZ
dui70.dll.?Initialize@ClassInfoBase@DirectUI@@QAEJPAUHINSTANCE__@@PBG_NPBQBUPropertyInfo@2@I@Z
dui70.dll.?Register@ClassInfoBase@DirectUI@@QAEJXZ
dui70.dll.?IsGlobal@ClassInfoBase@DirectUI@@UBE_NXZ
dui70.dll.?GetName@ClassInfoBase@DirectUI@@UBEPBGXZ
dui70.dll.?GetModule@ClassInfoBase@DirectUI@@UBEPAUHINSTANCE__@@XZ
dui70.dll.??1CritSecLock@DirectUI@@QAE@XZ
dui70.dll.??0CCBase@DirectUI@@QAE@KPBG@Z
dui70.dll.?Initialize@CCBase@DirectUI@@QAEJIPAVElement@2@PAK@Z
duser.dll.CreateGadget
duser.dll.SetGadgetMessageFilter
duser.dll.SetGadgetStyle
dui70.dll.?OnPropertyChanging@Element@DirectUI@@UAE_NPBUPropertyInfo@2@HPAVValue@2@1@Z
dui70.dll.?HandleUiaPropertyChangingListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@@Z
dui70.dll.?HandleUiaPropertyListener@Element@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
dui70.dll.?DirectionProp@Element@DirectUI@@SGPBUPropertyInfo@2@XZ
dui70.dll.?OnPropertyChanged@CCBase@DirectUI@@UAEXPBUPropertyInfo@2@HPAVValue@2@1@Z
dui70.dll.?SetFontSize@Element@DirectUI@@QAEJH@Z
dui70.dll.?SetWidth@Element@DirectUI@@QAEJH@Z
dui70.dll.?SetHeight@Element@DirectUI@@QAEJH@Z
dui70.dll.?EndDefer@Element@DirectUI@@QAEXK@Z
dui70.dll.?OnGroupChanged@Element@DirectUI@@UAEXH_N@Z
duser.dll.InvalidateGadget
dui70.dll.CreateDUIWrapper
dui70.dll.?SetNotifyHandler@CCBase@DirectUI@@QAEXP6GHIIJPAJPAX@Z1@Z
shell32.dll.ExtractIconExW
comctl32.dll.TaskDialogIndirect
dwmapi.dll.DwmIsCompositionEnabled
uxtheme.dll.IsThemeActive
duser.dll.SetGadgetRootInfo
uxtheme.dll.IsAppThemed
uxtheme.dll.GetThemeAppProperties
ole32.dll.CreateStreamOnHGlobal
xmllite.dll.CreateXmlReader
xmllite.dll.CreateXmlReaderInputWithEncodingName
uxtheme.dll.OpenThemeData
uxtheme.dll.GetThemeMargins
uxtheme.dll.GetThemeFont
uxtheme.dll.GetThemeColor
uxtheme.dll.GetThemeMetric
oleaut32.dll.#6
duser.dll.SetGadgetParent
duser.dll.GetDUserModule
duser.dll.FindStdColor
duser.dll.AttachWndProcW
kernel32.dll.InterlockedPopEntrySList
kernel32.dll.InterlockedPushEntrySList
kernel32.dll.InterlockedCompareExchange
comctl32.dll.RegisterClassNameW
duser.dll.GetGadgetRect
duser.dll.GetGadgetRgn
duser.dll.GetGadgetTicket
gdi32.dll.GetLayout
gdi32.dll.GdiRealizationInfo
gdi32.dll.FontIsLinked
gdi32.dll.GetTextFaceAliasW
gdi32.dll.GetFontAssocStatus
advapi32.dll.RegQueryValueExA
gdi32.dll.GdiIsMetaPrintDC
dui70.dll.?GetPICount@ClassInfoBase@DirectUI@@UBEIXZ
dui70.dll.?GetByClassIndex@ClassInfoBase@DirectUI@@UAEPBUPropertyInfo@2@I@Z
dui70.dll.?OnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z
dui70.dll.?CreateAccNameLabel@HWNDHost@DirectUI@@IAEPAUHWND__@@PAU3@@Z
uxtheme.dll.EnableThemeDialogTexture
dui70.dll.?OnMessage@HWNDHost@DirectUI@@UAE_NIIJPAJ@Z
dui70.dll.?CreateHWND@CCBase@DirectUI@@UAEPAUHWND__@@PAU3@@Z
comctl32.dll.HIMAGELIST_QueryInterface
comctl32.dll.DrawShadowText
comctl32.dll.DrawSizeBox
comctl32.dll.DrawScrollBar
comctl32.dll.SizeBoxHwnd
comctl32.dll.ScrollBar_MouseMove
comctl32.dll.ScrollBar_Menu
comctl32.dll.HandleScrollCmd
comctl32.dll.DetachScrollBars
comctl32.dll.AttachScrollBars
comctl32.dll.CCSetScrollInfo
comctl32.dll.CCGetScrollInfo
comctl32.dll.CCEnableScrollBar
comctl32.dll.QuerySystemGestureStatus
uxtheme.dll.#49
uxtheme.dll.CloseThemeData
dui70.dll.?PostCreate@CCBase@DirectUI@@MAEXPAUHWND__@@@Z
dui70.dll.?IsContentProtected@Element@DirectUI@@UAE_NXZ
uxtheme.dll.GetThemeBool
duser.dll.GetGadgetFocus
uxtheme.dll.GetThemeBackgroundContentRect
uxtheme.dll.GetThemeTextMetrics
uxtheme.dll.GetThemePartSize
uxtheme.dll.GetThemeTextExtent
uxtheme.dll.GetThemeBackgroundExtent
ole32.dll.CoRegisterInitializeSpy
ole32.dll.CoRevokeInitializeSpy
duser.dll.SetGadgetFocus
duser.dll.DUserSendEvent
duser.dll.SetGadgetRect
ole32.dll.CoCreateInstance
comctl32.dll.SetWindowSubclass
comctl32.dll.DefSubclassProc
dui70.dll.?GetHWND@HWNDHost@DirectUI@@UAEPAUHWND__@@XZ
uxtheme.dll.#47
uxtheme.dll.BufferedPaintInit
uxtheme.dll.BeginBufferedPaint
uxtheme.dll.BufferedPaintRenderAnimation
uxtheme.dll.BeginBufferedAnimation
uxtheme.dll.IsThemeBackgroundPartiallyTransparent
uxtheme.dll.DrawThemeParentBackground
uxtheme.dll.DrawThemeBackground
uxtheme.dll.DrawThemeText
uxtheme.dll.EndBufferedAnimation
uxtheme.dll.GetThemeTransitionDuration
uxtheme.dll.GetBufferedPaintDC
uxtheme.dll.GetBufferedPaintTargetDC
uxtheme.dll.EndBufferedPaint
oleaut32.dll.SysAllocString
oleaut32.dll.SysStringLen
oleaut32.dll.SysFreeString
duser.dll.ForwardGadgetMessage
uxtheme.dll.GetThemeInt
duser.dll.DUserPostEvent
duser.dll.DisableContainerHwnd
uxtheme.dll.BufferedPaintUnInit
werui.dll.WerUIUpdateUIForState
duser.dll.DeleteHandle
duser.dll.DetachWndProc
comctl32.dll.RemoveWindowSubclass
dui70.dll.?OnUnHosted@HWNDHost@DirectUI@@MAEXPAVElement@2@@Z
dui70.dll.?MessageCallback@HWNDHost@DirectUI@@UAEIPAUtagGMSG@@@Z
dui70.dll.?HandleUiaDestroyListener@Element@DirectUI@@UAEXXZ
dui70.dll.?OnDestroy@HWNDHost@DirectUI@@UAEXXZ
uxtheme.dll.BufferedPaintStopAllAnimations
dui70.dll.??1CCBase@DirectUI@@UAE@XZ
uxtheme.dll.DrawThemeParentBackgroundEx
uxtheme.dll.GetThemeEnumValue
user32.dll.MsgWaitForMultipleObjects
winhttp.dll.WinHttpSetStatusCallback
winhttp.dll.WinHttpGetProxyForUrl
advapi32.dll.IsValidSid
advapi32.dll.GetLengthSid
advapi32.dll.CopySid
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGetHashParam
advapi32.dll.RegisterEventSourceW
advapi32.dll.ReportEventW
advapi32.dll.DeregisterEventSource
werui.dll.WerUITerminate
werui.dll.WerUIDelete
oleaut32.dll.#500
duser.dll.DUserFlushMessages
duser.dll.DUserFlushDeferredMessages
dui70.dll.UnInitThread
user32.dll.UnregisterMessagePumpHook
dui70.dll.UnInitProcessPriv
dui70.dll.?Release@ClassInfoBase@DirectUI@@UAEHXZ
dui70.dll.?GetGlobalIndex@ClassInfoBase@DirectUI@@UBEIXZ
dui70.dll.??1ClassInfoBase@DirectUI@@UAE@XZ
kernel32.dll.ReleaseActCtx
advapi32.dll.DuplicateToken

Execute Commands

dw20.exe -x -s 1272

Started Services

Nothing to display

Created Services

Nothing to display
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven06_64 Seven06_64 VirtualBox 2017-03-29 16:37:36 2017-03-29 16:40:25 169

2 HTTP Request(s) detected

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • Hostname: www.download.windowsupdate.com
  • IP Address: 8.253.39.30
  • Port: 80
  • Count: 6

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86401
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • Hostname: www.download.windowsupdate.com
  • IP Address: 8.253.39.30
  • Port: 80
  • Count: 6

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 86400
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

Request
HTTP GET: http://freegeoip.net/xml/
DNS: freegeoip.net (104.31.10.172)
IP: 158.69.242.138:80

Gianni Amato @ 2017-03-29 16:47:10