Analysis Details
Category: FILE
Package: batch
Started: 2026-06-29 12:43:43
Completed: 2026-06-29 12:47:36
Duration: 233s
Options
vnc_port=5900
Analysis Log
2026-06-28 14:55:57,985 [root] INFO: Date set to: 20260629T12:43:48, timeout set to: 200
2026-06-29 12:43:49,624 [root] DEBUG: Starting analyzer from: C:\2_6me6uj
2026-06-29 12:43:49,625 [root] DEBUG: Storing results at: C:\ngIpjVKr
2026-06-29 12:43:49,627 [root] DEBUG: Pipe server name: \\.\PIPE\CWnexHVb
2026-06-29 12:43:49,632 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314
2026-06-29 12:43:49,637 [root] INFO: analysis running as an admin
2026-06-29 12:43:49,640 [root] DEBUG: no analysis package configured, picking one for you
2026-06-29 12:43:49,663 [root] INFO: analysis package selected: "batch"
2026-06-29 12:43:49,669 [root] DEBUG: importing analysis package module: "modules.packages.batch"...
2026-06-29 12:43:50,274 [root] DEBUG: imported analysis package "batch"
2026-06-29 12:43:50,275 [root] DEBUG: initializing analysis package "batch"...
2026-06-29 12:43:50,276 [lib.common.common] INFO: no wrapping
2026-06-29 12:43:50,276 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-29 12:43:50,283 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\test.bat
2026-06-29 12:43:50,283 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll option
2026-06-29 12:43:50,284 [root] INFO: Analyzer: Package modules.packages.batch does not specify a dll_64 option
2026-06-29 12:43:50,284 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader option
2026-06-29 12:43:50,286 [root] INFO: Analyzer: Package modules.packages.batch does not specify a loader_64 option
2026-06-28 14:56:02,044 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-06-28 14:56:02,063 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-06-28 14:56:02,110 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-06-28 14:56:02,278 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-06-28 14:56:02,289 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2026-06-28 14:56:02,290 [lib.api.screenshot] ERROR: No module named 'PIL'
2026-06-28 14:56:02,290 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2026-06-28 14:56:02,295 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-06-28 14:56:02,296 [root] DEBUG: Initialized auxiliary module "Browser"
2026-06-28 14:56:02,296 [root] DEBUG: attempting to configure 'Browser' from data
2026-06-28 14:56:02,298 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-06-28 14:56:02,298 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-06-28 14:56:02,308 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-06-28 14:56:02,308 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-06-28 14:56:02,308 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-06-28 14:56:02,309 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-06-28 14:56:02,309 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-06-28 14:56:02,309 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-06-28 14:56:02,939 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-28 14:56:02,940 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-06-28 14:56:02,943 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-06-28 14:56:02,943 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-06-28 14:56:02,944 [root] DEBUG: attempting to configure 'Disguise' from data
2026-06-28 14:56:02,945 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-06-28 14:56:02,945 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-06-28 14:56:02,949 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 4688)
2026-06-28 14:56:02,959 [modules.auxiliary.disguise] INFO: Disguising GUID to 783034a4-7eca-4edd-ac9e-1e8027d53a55
2026-06-28 14:56:02,959 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-06-28 14:56:02,960 [root] DEBUG: Initialized auxiliary module "Human"
2026-06-28 14:56:02,960 [root] DEBUG: attempting to configure 'Human' from data
2026-06-28 14:56:02,960 [root] DEBUG: module Human does not support data configuration, ignoring
2026-06-28 14:56:02,961 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-06-28 14:56:02,961 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-06-28 14:56:02,962 [root] DEBUG: Initialized auxiliary module "Screenshots"
2026-06-28 14:56:02,962 [root] DEBUG: attempting to configure 'Screenshots' from data
2026-06-28 14:56:02,963 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2026-06-28 14:56:02,964 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2026-06-28 14:56:02,969 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2026-06-28 14:56:02,969 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2026-06-28 14:56:02,969 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-06-28 14:56:02,970 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-06-28 14:56:02,970 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-06-28 14:56:02,971 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-06-28 14:56:02,973 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process
2026-06-28 14:56:02,974 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-06-28 14:56:09,002 [root] INFO: Restarting WMI Service
2026-06-28 14:56:11,286 [root] DEBUG: package modules.packages.batch does not support configure, ignoring
2026-06-28 14:56:11,289 [root] WARNING: configuration error for package modules.packages.batch: error importing data.packages.batch: No module named 'data.packages'
2026-06-28 14:56:11,291 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-28 14:56:11,300 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\test.bat"" with pid 3636
2026-06-28 14:56:11,777 [lib.api.process] INFO: Monitor config for process 3636: C:\2_6me6uj\dll\3636.ini
2026-06-28 14:56:11,801 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-28 14:56:11,829 [root] DEBUG: Loader: Injecting process 3636 (thread 3868) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:11,833 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-28 14:56:11,835 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:11,839 [lib.api.process] INFO: Injected into 64-bit <Process 3636 cmd.exe>
2026-06-28 14:56:13,860 [lib.api.process] INFO: Successfully resumed process with pid 3636
2026-06-28 14:56:14,096 [root] DEBUG: 3636: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-28 14:56:14,097 [root] DEBUG: 3636: Disabling sleep skipping.
2026-06-28 14:56:14,098 [root] DEBUG: 3636: Dropped file limit defaulting to 100.
2026-06-28 14:56:14,132 [root] DEBUG: 3636: YaraInit: Compiled 44 rule files
2026-06-28 14:56:14,135 [root] DEBUG: 3636: YaraInit: Compiled rules saved to file C:\2_6me6uj\data\yara\capemon.yac
2026-06-28 14:56:14,200 [root] DEBUG: 3636: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-28 14:56:14,201 [root] DEBUG: 3636: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-28 14:56:14,206 [root] DEBUG: 3636: YaraScan hit: FindFixAndRun
2026-06-28 14:56:14,207 [root] DEBUG: 3636: Monitor initialised: 64-bit capemon loaded in process 3636 at 0x00007FF986960000, thread 3868, image base 0x00007FF79A450000, stack from 0x000000A0D6604000-0x000000A0D6700000
2026-06-28 14:56:14,208 [root] DEBUG: 3636: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\test.bat"
2026-06-28 14:56:14,228 [root] DEBUG: 3636: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-28 14:56:14,289 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-28 14:56:14,290 [root] DEBUG: 3636: set_hooks: Unable to hook LockResource
2026-06-28 14:56:14,307 [root] DEBUG: 3636: Hooked 630 out of 631 functions
2026-06-28 14:56:14,314 [root] DEBUG: 3636: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF79A45C620
2026-06-28 14:56:14,317 [root] DEBUG: 3636: Syscall hook installed, syscall logging level 1
2026-06-28 14:56:14,345 [root] DEBUG: 3636: RestoreHeaders: Restored original import table.
2026-06-28 14:56:14,346 [root] INFO: Loaded monitor into process with pid 3636
2026-06-28 14:56:14,348 [root] DEBUG: 3636: caller_dispatch: Added region at 0x00007FF79A450000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF79A4693C1, thread 3868).
2026-06-28 14:56:14,350 [root] DEBUG: 3636: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-28 14:56:14,360 [root] DEBUG: 3636: ProcessImageBase: Main module image at 0x00007FF79A450000 unmodified (entropy change 0.000000e+00)
2026-06-28 14:56:14,386 [root] DEBUG: 3636: DLL loaded at 0x00007FF9A7A90000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-28 14:56:14,391 [root] DEBUG: 3636: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-28 14:56:14,396 [root] DEBUG: 3636: DLL loaded at 0x00007FF9A9D30000: C:\Windows\System32\SHCORE (0xad000 bytes).
2026-06-28 14:56:14,400 [root] DEBUG: 3636: CreateProcessHandler: Injection info set for new process 2108: C:\Windows\system32\cmd.exe, ImageBase: 0x00007FF79A450000
2026-06-28 14:56:14,401 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2108
2026-06-28 14:56:14,402 [lib.api.process] INFO: Monitor config for process 2108: C:\2_6me6uj\dll\2108.ini
2026-06-28 14:56:14,408 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-28 14:56:14,426 [root] DEBUG: Loader: Injecting process 2108 (thread 4448) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:14,428 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-28 14:56:14,429 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:14,432 [lib.api.process] INFO: Injected into 64-bit <Process 2108 cmd.exe>
2026-06-28 14:56:14,436 [root] INFO: Announced 64-bit process name: cmd.exe pid: 2108
2026-06-28 14:56:14,436 [lib.api.process] INFO: Monitor config for process 2108: C:\2_6me6uj\dll\2108.ini
2026-06-28 14:56:14,441 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-28 14:56:14,452 [root] DEBUG: Loader: Injecting process 2108 (thread 4448) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:14,453 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-28 14:56:14,455 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:14,459 [lib.api.process] INFO: Injected into 64-bit <Process 2108 cmd.exe>
2026-06-28 14:56:14,626 [root] DEBUG: 2108: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-28 14:56:14,628 [root] DEBUG: 2108: Dropped file limit defaulting to 100.
2026-06-28 14:56:14,632 [root] DEBUG: 2108: Disabling sleep skipping.
2026-06-28 14:56:14,635 [root] DEBUG: 2108: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-28 14:56:14,665 [root] DEBUG: 2108: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-28 14:56:14,666 [root] DEBUG: 2108: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-28 14:56:14,671 [root] DEBUG: 2108: YaraScan hit: FindFixAndRun
2026-06-28 14:56:14,672 [root] DEBUG: 2108: Monitor initialised: 64-bit capemon loaded in process 2108 at 0x00007FF986960000, thread 4448, image base 0x00007FF79A450000, stack from 0x000000AE2B404000-0x000000AE2B500000
2026-06-28 14:56:14,673 [root] DEBUG: 2108: Commandline: C:\Windows\system32\cmd.exe  /K "C:\Users\Rajesh\AppData\Local\Temp\test.bat"
2026-06-28 14:56:14,690 [root] DEBUG: 2108: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-28 14:56:14,743 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-28 14:56:14,746 [root] DEBUG: 2108: set_hooks: Unable to hook LockResource
2026-06-28 14:56:14,761 [root] DEBUG: 2108: Hooked 630 out of 631 functions
2026-06-28 14:56:14,824 [root] DEBUG: 2108: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF79A45C620
2026-06-28 14:56:14,825 [root] DEBUG: 2108: Syscall hook installed, syscall logging level 1
2026-06-28 14:56:14,834 [root] DEBUG: 2108: RestoreHeaders: Restored original import table.
2026-06-28 14:56:14,835 [root] INFO: Loaded monitor into process with pid 2108
2026-06-28 14:56:14,837 [root] DEBUG: 2108: caller_dispatch: Added region at 0x00007FF79A450000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF79A4693C1, thread 4448).
2026-06-28 14:56:14,839 [root] DEBUG: 2108: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-28 14:56:14,851 [root] DEBUG: 2108: ProcessImageBase: Main module image at 0x00007FF79A450000 unmodified (entropy change 0.000000e+00)
2026-06-28 14:56:14,882 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A4220000: C:\Windows\SYSTEM32\cmdext (0xc000 bytes).
2026-06-28 14:56:14,942 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A7A90000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-28 14:56:14,947 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-28 14:56:14,951 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A9D30000: C:\Windows\System32\SHCORE (0xad000 bytes).
2026-06-28 14:56:14,954 [root] DEBUG: 2108: CreateProcessHandler: Injection info set for new process 4468: C:\Windows\system32\systeminfo.exe, ImageBase: 0x00007FF6573D0000
2026-06-28 14:56:14,955 [root] INFO: Announced 64-bit process name: systeminfo.exe pid: 4468
2026-06-28 14:56:14,956 [lib.api.process] INFO: Monitor config for process 4468: C:\2_6me6uj\dll\4468.ini
2026-06-28 14:56:14,960 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-28 14:56:14,975 [root] DEBUG: Loader: Injecting process 4468 (thread 1140) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:14,976 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-28 14:56:14,977 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:14,982 [lib.api.process] INFO: Injected into 64-bit <Process 4468 systeminfo.exe>
2026-06-28 14:56:14,984 [root] INFO: Announced 64-bit process name: systeminfo.exe pid: 4468
2026-06-28 14:56:14,985 [lib.api.process] INFO: Monitor config for process 4468: C:\2_6me6uj\dll\4468.ini
2026-06-28 14:56:14,987 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-28 14:56:14,998 [root] DEBUG: Loader: Injecting process 4468 (thread 1140) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:15,000 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-28 14:56:15,001 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:15,005 [lib.api.process] INFO: Injected into 64-bit <Process 4468 systeminfo.exe>
2026-06-28 14:56:15,025 [root] DEBUG: 4468: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-28 14:56:15,026 [root] DEBUG: 4468: Dropped file limit defaulting to 100.
2026-06-28 14:56:15,031 [root] DEBUG: 4468: Disabling sleep skipping.
2026-06-28 14:56:15,037 [root] DEBUG: 4468: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-28 14:56:15,060 [root] DEBUG: 4468: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-28 14:56:15,061 [root] DEBUG: 4468: YaraScan: Scanning 0x00007FF6573D0000, size 0x1e030
2026-06-28 14:56:15,065 [root] DEBUG: 4468: Monitor initialised: 64-bit capemon loaded in process 4468 at 0x00007FF986960000, thread 1140, image base 0x00007FF6573D0000, stack from 0x0000003381ED4000-0x0000003381EE0000
2026-06-28 14:56:15,066 [root] DEBUG: 4468: Commandline: systeminfo
2026-06-28 14:56:15,085 [root] DEBUG: 4468: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-28 14:56:15,141 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-28 14:56:15,143 [root] DEBUG: 4468: set_hooks: Unable to hook LockResource
2026-06-28 14:56:15,156 [root] DEBUG: 4468: Hooked 630 out of 631 functions
2026-06-28 14:56:15,160 [root] DEBUG: 4468: Syscall hook installed, syscall logging level 1
2026-06-28 14:56:15,170 [root] DEBUG: 4468: RestoreHeaders: Restored original import table.
2026-06-28 14:56:15,171 [root] INFO: Loaded monitor into process with pid 4468
2026-06-28 14:56:15,177 [root] DEBUG: 4468: caller_dispatch: Added region at 0x00007FF6573D0000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF6573E1EA1, thread 1140).
2026-06-28 14:56:15,181 [root] DEBUG: 4468: YaraScan: Scanning 0x00007FF6573D0000, size 0x1e030
2026-06-28 14:56:15,185 [root] DEBUG: 4468: ProcessImageBase: Main module image at 0x00007FF6573D0000 unmodified (entropy change 0.000000e+00)
2026-06-28 14:56:15,191 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-28 14:56:15,192 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-28 14:56:15,204 [lib.api.process] INFO: Monitor config for process 756: C:\2_6me6uj\dll\756.ini
2026-06-28 14:56:15,207 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-28 14:56:15,225 [root] DEBUG: Loader: Injecting process 756 with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:15,231 [root] DEBUG: 756: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-28 14:56:15,232 [root] DEBUG: 756: Disabling sleep skipping.
2026-06-28 14:56:15,232 [root] DEBUG: 756: Dropped file limit defaulting to 100.
2026-06-28 14:56:15,236 [root] DEBUG: 756: Services hook set enabled
2026-06-28 14:56:15,243 [root] DEBUG: 756: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-28 14:56:15,263 [root] DEBUG: 756: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-28 14:56:15,264 [root] DEBUG: 756: Monitor initialised: 64-bit capemon loaded in process 756 at 0x00007FF986960000, thread 5016, image base 0x00007FF69D480000, stack from 0x00000036AC3F4000-0x00000036AC400000
2026-06-28 14:56:15,266 [root] DEBUG: 756: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
2026-06-28 14:56:15,286 [root] DEBUG: 756: Hooked 69 out of 69 functions
2026-06-28 14:56:15,288 [root] INFO: Loaded monitor into process with pid 756
2026-06-28 14:56:15,289 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-06-28 14:56:15,290 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:15,293 [lib.api.process] INFO: Injected into 64-bit <Process 756 svchost.exe>
2026-06-28 14:56:17,306 [lib.api.process] INFO: Monitor config for process 3036: C:\2_6me6uj\dll\3036.ini
2026-06-28 14:56:17,311 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-28 14:56:17,326 [root] DEBUG: Loader: Injecting process 3036 with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:17,332 [root] DEBUG: 3036: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-28 14:56:17,334 [root] DEBUG: 3036: Disabling sleep skipping.
2026-06-28 14:56:17,335 [root] DEBUG: 3036: Dropped file limit defaulting to 100.
2026-06-28 14:56:17,337 [root] DEBUG: 3036: Services hook set enabled
2026-06-28 14:56:17,341 [root] DEBUG: 3036: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-28 14:56:17,365 [root] DEBUG: 3036: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-28 14:56:17,366 [root] DEBUG: 3036: Monitor initialised: 64-bit capemon loaded in process 3036 at 0x00007FF986960000, thread 3952, image base 0x00007FF69D480000, stack from 0x000000A3D10F5000-0x000000A3D1100000
2026-06-28 14:56:17,370 [root] DEBUG: 3036: Commandline: C:\Windows\system32\svchost.exe -k netsvcs -p
2026-06-28 14:56:17,392 [root] DEBUG: 3036: Hooked 69 out of 69 functions
2026-06-28 14:56:17,395 [root] INFO: Loaded monitor into process with pid 3036
2026-06-28 14:56:17,398 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-06-28 14:56:17,404 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-28 14:56:17,408 [lib.api.process] INFO: Injected into 64-bit <Process 3036 svchost.exe>
2026-06-29 05:44:12,738 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 05:44:12,746 [root] DEBUG: 4468: DLL loaded at 0x00007FF9A0F30000: C:\Windows\SYSTEM32\wbemcomn (0x92000 bytes).
2026-06-29 05:44:12,747 [root] DEBUG: 4468: DLL loaded at 0x00007FF97FC40000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-06-29 05:44:12,750 [root] DEBUG: 4468: Successfully installed hook on COM Object function WbemLocator_ConnectServer
2026-06-29 05:44:12,779 [root] DEBUG: 4468: DLL loaded at 0x00007FF97FC20000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-06-29 05:44:12,793 [root] DEBUG: 4468: DLL loaded at 0x00007FF99DC10000: C:\Windows\system32\wbem\fastprox (0x10b000 bytes).
2026-06-29 05:44:12,803 [root] DEBUG: 4468: DLL loaded at 0x00007FF99E360000: C:\Windows\SYSTEM32\amsi (0x19000 bytes).
2026-06-29 05:44:12,809 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecQuery
2026-06-29 05:44:12,810 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecQueryAsync
2026-06-29 05:44:12,812 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_CreateInstanceEnum
2026-06-29 05:44:12,815 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_CreateInstanceEnumAsync
2026-06-29 05:44:12,817 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_GetObjectW
2026-06-29 05:44:12,818 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_GetObjectAsync
2026-06-29 05:44:12,819 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecMethod
2026-06-29 05:44:12,821 [root] DEBUG: 4468: Successfully installed hook on COM Object function IWbemServices_ExecMethodAsync
2026-06-29 05:44:14,360 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 2868: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x00007FF712FE0000
2026-06-29 05:44:14,361 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2868
2026-06-29 05:44:14,362 [lib.api.process] INFO: Monitor config for process 2868: C:\2_6me6uj\dll\2868.ini
2026-06-29 05:44:15,644 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:44:15,661 [root] DEBUG: Loader: Injecting process 2868 (thread 3472) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:15,663 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:44:15,664 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:15,666 [lib.api.process] INFO: Injected into 64-bit <Process 2868 WmiPrvSE.exe>
2026-06-29 05:44:15,668 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 2868
2026-06-29 05:44:15,669 [lib.api.process] INFO: Monitor config for process 2868: C:\2_6me6uj\dll\2868.ini
2026-06-29 05:44:15,930 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:44:15,941 [root] DEBUG: Loader: Injecting process 2868 (thread 3472) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:15,942 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-06-29 05:44:15,943 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:15,946 [lib.api.process] INFO: Injected into 64-bit <Process 2868 WmiPrvSE.exe>
2026-06-29 05:44:15,962 [root] DEBUG: 2868: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 05:44:15,963 [root] DEBUG: 2868: Dropped file limit defaulting to 100.
2026-06-29 05:44:15,968 [root] DEBUG: 2868: Disabling sleep skipping.
2026-06-29 05:44:15,969 [root] DEBUG: 2868: Services hook set enabled
2026-06-29 05:44:15,975 [root] DEBUG: 2868: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-29 05:44:15,996 [root] DEBUG: 2868: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 05:44:15,997 [root] DEBUG: 2868: Monitor initialised: 64-bit capemon loaded in process 2868 at 0x00007FF986960000, thread 3472, image base 0x00007FF712FE0000, stack from 0x0000001D40890000-0x0000001D408A0000
2026-06-29 05:44:15,998 [root] DEBUG: 2868: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
2026-06-29 05:44:16,021 [root] DEBUG: 2868: Hooked 69 out of 69 functions
2026-06-29 05:44:16,031 [root] DEBUG: 2868: RestoreHeaders: Restored original import table.
2026-06-29 05:44:16,032 [root] INFO: Loaded monitor into process with pid 2868
2026-06-29 05:44:16,041 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 05:44:16,045 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 05:44:16,050 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 05:44:16,055 [root] DEBUG: 2868: DLL loaded at 0x00007FF97FC40000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-06-29 05:44:16,063 [root] DEBUG: 2868: DLL loaded at 0x00007FF97FC20000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-06-29 05:44:16,084 [root] DEBUG: 2868: DLL loaded at 0x00007FF99E310000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2026-06-29 05:44:16,110 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A7F80000: C:\Windows\SYSTEM32\USERENV (0x2e000 bytes).
2026-06-29 05:44:16,111 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A6E00000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2026-06-29 05:44:16,112 [root] DEBUG: 2868: DLL loaded at 0x00007FF9A0DA0000: C:\Windows\system32\wbem\esscli (0x7d000 bytes).
2026-06-29 05:44:16,113 [root] DEBUG: 2868: DLL loaded at 0x00007FF99E3D0000: C:\Windows\system32\wbem\stdprov (0x28000 bytes).
2026-06-29 05:44:17,049 [root] DEBUG: 4468: NtTerminateProcess hook: Attempting to dump process 4468
2026-06-29 05:44:17,050 [root] DEBUG: 4468: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 05:44:17,161 [root] INFO: Process with pid 4468 has terminated
2026-06-29 05:44:17,212 [root] INFO: Added new file to list with pid 2108 and path C:\Users\Rajesh\AppData\Local\Temp\information.txt
2026-06-29 05:44:17,294 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 05:44:17,334 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 05:44:17,387 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 05:44:17,495 [root] DEBUG: 2108: DLL loaded at 0x00007FF994050000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32 (0x29a000 bytes).
2026-06-29 05:44:17,598 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\PROPSYS (0xf6000 bytes).
2026-06-29 05:44:17,611 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 05:44:17,662 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A8050000: C:\Windows\system32\profapi (0x1f000 bytes).
2026-06-29 05:44:17,791 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A8110000: C:\Windows\System32\CFGMGR32 (0x4e000 bytes).
2026-06-29 05:44:17,795 [root] DEBUG: 2108: DLL loaded at 0x00007FF993730000: C:\Windows\system32\edputil (0x24000 bytes).
2026-06-29 05:44:17,836 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A1300000: C:\Windows\System32\Windows.StateRepositoryPS (0x146000 bytes).
2026-06-29 05:44:17,853 [root] DEBUG: 2108: DLL loaded at 0x00007FF9903B0000: C:\Windows\System32\Windows.UI.AppDefaults (0x4c000 bytes).
2026-06-29 05:44:17,933 [root] DEBUG: 2108: DLL loaded at 0x00007FF99F680000: C:\Windows\system32\iertutil (0x2b0000 bytes).
2026-06-29 05:44:17,935 [root] DEBUG: 2108: DLL loaded at 0x00007FF99F650000: C:\Windows\system32\srvcli (0x28000 bytes).
2026-06-29 05:44:17,938 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A75F0000: C:\Windows\system32\netutils (0xc000 bytes).
2026-06-29 05:44:17,941 [root] DEBUG: 2108: DLL loaded at 0x00007FF99F930000: C:\Windows\system32\urlmon (0x1eb000 bytes).
2026-06-29 05:44:17,951 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A7200000: C:\Windows\system32\msvcp110_win (0x8a000 bytes).
2026-06-29 05:44:17,954 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A35E0000: C:\Windows\SYSTEM32\policymanager (0xa0000 bytes).
2026-06-29 05:44:17,987 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A4DC0000: C:\Windows\System32\wintypes (0x154000 bytes).
2026-06-29 05:44:18,002 [root] DEBUG: 2108: DLL loaded at 0x00007FF99E080000: C:\Windows\System32\Bcp47Langs (0x5c000 bytes).
2026-06-29 05:44:18,003 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6C60000: C:\Windows\System32\sppc (0x25000 bytes).
2026-06-29 05:44:18,005 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A6C90000: C:\Windows\System32\SLC (0x29000 bytes).
2026-06-29 05:44:18,008 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A7F80000: C:\Windows\System32\USERENV (0x2e000 bytes).
2026-06-29 05:44:18,009 [root] DEBUG: 2108: DLL loaded at 0x00007FF9971F0000: C:\Windows\System32\appresolver (0x90000 bytes).
2026-06-29 05:44:18,027 [root] DEBUG: 2108: DLL loaded at 0x00007FF99D480000: C:\Windows\System32\OneCoreCommonProxyStub (0x7d000 bytes).
2026-06-29 05:44:18,045 [root] DEBUG: 2108: DLL loaded at 0x00007FF99EEA0000: C:\Windows\System32\OneCoreUAPCommonProxyStub (0x798000 bytes).
2026-06-29 05:44:18,075 [root] DEBUG: 2108: CreateProcessHandler: Injection info set for new process 5432: C:\Windows\system32\NOTEPAD.EXE, ImageBase: 0x00007FF737DC0000
2026-06-29 05:44:18,076 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5432
2026-06-29 05:44:18,077 [lib.api.process] INFO: Monitor config for process 5432: C:\2_6me6uj\dll\5432.ini
2026-06-29 05:44:18,083 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:44:18,096 [root] DEBUG: Loader: Injecting process 5432 (thread 5436) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:18,097 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:44:18,098 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:18,101 [lib.api.process] INFO: Injected into 64-bit <Process 5432 notepad.exe>
2026-06-29 05:44:18,104 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5432
2026-06-29 05:44:18,105 [lib.api.process] INFO: Monitor config for process 5432: C:\2_6me6uj\dll\5432.ini
2026-06-29 05:44:18,109 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:44:18,118 [root] DEBUG: Loader: Injecting process 5432 (thread 5436) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:18,121 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:44:18,122 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:18,124 [lib.api.process] INFO: Injected into 64-bit <Process 5432 notepad.exe>
2026-06-29 05:44:18,127 [root] DEBUG: 2108: DLL loaded at 0x00007FF998030000: C:\Windows\system32\MPR (0x1d000 bytes).
2026-06-29 05:44:18,130 [root] DEBUG: 2108: DLL loaded at 0x00007FF9A31D0000: C:\Windows\SYSTEM32\pcacli (0x16000 bytes).
2026-06-29 05:44:18,167 [root] DEBUG: 5432: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 05:44:18,168 [root] DEBUG: 5432: Dropped file limit defaulting to 100.
2026-06-29 05:44:18,176 [root] DEBUG: 5432: Disabling sleep skipping.
2026-06-29 05:44:18,178 [root] DEBUG: 5432: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-29 05:44:18,198 [root] DEBUG: 5432: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 05:44:18,202 [root] DEBUG: 5432: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee
2026-06-29 05:44:18,207 [root] DEBUG: 5432: Monitor initialised: 64-bit capemon loaded in process 5432 at 0x00007FF986960000, thread 5436, image base 0x00007FF737DC0000, stack from 0x0000002E2B59F000-0x0000002E2B5B0000
2026-06-29 05:44:18,208 [root] DEBUG: 5432: Commandline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Rajesh\AppData\Local\Temp\information.txt
2026-06-29 05:44:18,229 [root] DEBUG: 5432: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 05:44:18,279 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 05:44:18,281 [root] DEBUG: 5432: set_hooks: Unable to hook LockResource
2026-06-29 05:44:18,294 [root] DEBUG: 5432: Hooked 630 out of 631 functions
2026-06-29 05:44:18,299 [root] DEBUG: 5432: Syscall hook installed, syscall logging level 1
2026-06-29 05:44:18,307 [root] DEBUG: 5432: RestoreHeaders: Restored original import table.
2026-06-29 05:44:18,309 [root] INFO: Loaded monitor into process with pid 5432
2026-06-29 05:44:18,318 [root] DEBUG: 5432: caller_dispatch: Added region at 0x00007FF737DC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF737DE5842, thread 5436).
2026-06-29 05:44:18,319 [root] DEBUG: 5432: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee
2026-06-29 05:44:18,325 [root] DEBUG: 5432: ProcessImageBase: Main module image at 0x00007FF737DC0000 unmodified (entropy change 0.000000e+00)
2026-06-29 05:44:18,328 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 05:44:18,334 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 05:44:18,339 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 05:44:18,345 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 05:44:18,352 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A06E0000: C:\Windows\System32\MrmCoreR (0xf5000 bytes).
2026-06-29 05:44:18,378 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A7A90000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-29 05:44:18,379 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-29 05:44:18,388 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A9A10000: C:\Windows\System32\MSCTF (0x115000 bytes).
2026-06-29 05:44:18,424 [root] DEBUG: 5432: DLL loaded at 0x00007FF998F00000: C:\Windows\system32\TextShaping (0xac000 bytes).
2026-06-29 05:44:18,444 [root] DEBUG: 5432: DLL loaded at 0x00007FF998030000: C:\Windows\System32\MPR (0x1d000 bytes).
2026-06-29 05:44:18,446 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A4DC0000: C:\Windows\SYSTEM32\wintypes (0x154000 bytes).
2026-06-29 05:44:18,448 [root] DEBUG: 5432: DLL loaded at 0x00007FF987D80000: C:\Windows\System32\efswrt (0xde000 bytes).
2026-06-29 05:44:18,457 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A10F0000: C:\Windows\System32\twinapi.appcore (0x201000 bytes).
2026-06-29 05:44:18,552 [root] DEBUG: 5432: DLL loaded at 0x00007FF992900000: C:\Windows\System32\oleacc (0x66000 bytes).
2026-06-29 05:44:18,621 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A6E00000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2026-06-29 05:44:18,622 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A57F0000: C:\Windows\System32\CoreMessaging (0xf2000 bytes).
2026-06-29 05:44:18,626 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A5490000: C:\Windows\System32\CoreUIComponents (0x35e000 bytes).
2026-06-29 05:44:18,647 [root] DEBUG: 5432: DLL loaded at 0x00007FF99BC00000: C:\Windows\SYSTEM32\textinputframework (0xf9000 bytes).
2026-06-29 05:44:18,686 [root] DEBUG: 5432: DLL loaded at 0x00007FF99F680000: C:\Windows\system32\iertutil (0x2b0000 bytes).
2026-06-29 05:44:18,689 [root] DEBUG: 5432: DLL loaded at 0x00007FF99F650000: C:\Windows\system32\srvcli (0x28000 bytes).
2026-06-29 05:44:18,690 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A75F0000: C:\Windows\system32\netutils (0xc000 bytes).
2026-06-29 05:44:18,698 [root] DEBUG: 5432: DLL loaded at 0x00007FF99F930000: C:\Windows\system32\urlmon (0x1eb000 bytes).
2026-06-29 05:44:18,720 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A9450000: C:\Windows\System32\COMDLG32 (0xda000 bytes).
2026-06-29 05:44:18,728 [root] DEBUG: 5432: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\PROPSYS (0xf6000 bytes).
2026-06-29 05:44:23,230 [root] DEBUG: 2108: NtTerminateProcess hook: Attempting to dump process 2108
2026-06-29 05:44:23,234 [root] DEBUG: 2108: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching
2026-06-29 05:44:23,248 [root] DEBUG: 2108: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF79A450000.
2026-06-29 05:44:23,250 [root] DEBUG: 2108: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-06-29 05:44:23,251 [root] DEBUG: 2108: DumpProcess: Instantiating PeParser with address: 0x00007FF79A450000.
2026-06-29 05:44:23,254 [root] DEBUG: 2108: DumpProcess: Module entry point VA is 0x00007FF79A468F50.
2026-06-29 05:44:23,275 [lib.common.results] INFO: Uploading file C:\ngIpjVKr\CAPE\2108_1053723441229162026 to procdump\238cf97018bf3c257a80f8509fc1efce6ac4a8bf5ff3a07dfbbdff994135f05f; Size is 403456; Max size: 100000000
2026-06-29 05:44:23,287 [root] DEBUG: 2108: DumpProcess: Module image dump success - dump size 0x62800.
2026-06-29 05:44:23,310 [root] INFO: Process with pid 2108 has terminated
2026-06-29 05:44:23,392 [root] DEBUG: 3636: NtTerminateProcess hook: Attempting to dump process 3636
2026-06-29 05:44:23,394 [root] DEBUG: 3636: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching
2026-06-29 05:44:23,396 [root] DEBUG: 3636: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF79A450000.
2026-06-29 05:44:23,397 [root] DEBUG: 3636: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-06-29 05:44:23,400 [root] DEBUG: 3636: DumpProcess: Instantiating PeParser with address: 0x00007FF79A450000.
2026-06-29 05:44:23,402 [root] DEBUG: 3636: DumpProcess: Module entry point VA is 0x00007FF79A468F50.
2026-06-29 05:44:23,411 [lib.common.results] INFO: Uploading file C:\ngIpjVKr\CAPE\3636_48993823441229162026 to procdump\87fc8ef8bc1a66ad7ebff4fa1fda65a6e8a58b6776da2bc87d16a0b8e29b097a; Size is 401920; Max size: 100000000
2026-06-29 05:44:23,421 [root] DEBUG: 3636: DumpProcess: Module image dump success - dump size 0x62200.
2026-06-29 05:44:23,440 [root] INFO: Process with pid 3636 has terminated
2026-06-29 05:44:46,391 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 5760: C:\Windows\system32\DllHost.exe, ImageBase: 0x00007FF6F8BE0000
2026-06-29 05:44:46,394 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 5760
2026-06-29 05:44:46,397 [lib.api.process] INFO: Monitor config for process 5760: C:\2_6me6uj\dll\5760.ini
2026-06-29 05:44:46,421 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:44:46,440 [root] DEBUG: Loader: Injecting process 5760 (thread 4664) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:46,442 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:44:46,445 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:46,451 [lib.api.process] INFO: Injected into 64-bit <Process 5760 dllhost.exe>
2026-06-29 05:44:46,454 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 5760
2026-06-29 05:44:46,455 [lib.api.process] INFO: Monitor config for process 5760: C:\2_6me6uj\dll\5760.ini
2026-06-29 05:44:46,467 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:44:46,485 [root] DEBUG: Loader: Injecting process 5760 (thread 4664) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:46,487 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:44:46,488 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:44:46,500 [lib.api.process] INFO: Injected into 64-bit <Process 5760 dllhost.exe>
2026-06-29 05:44:46,516 [root] DEBUG: 5760: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 05:44:46,517 [root] DEBUG: 5760: Dropped file limit defaulting to 100.
2026-06-29 05:44:46,535 [root] DEBUG: 5760: Disabling sleep skipping.
2026-06-29 05:44:46,546 [root] DEBUG: 5760: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-29 05:44:46,571 [root] DEBUG: 5760: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 05:44:46,576 [root] DEBUG: 5760: YaraScan: Scanning 0x00007FF6F8BE0000, size 0x8026
2026-06-29 05:44:46,578 [root] DEBUG: 5760: Monitor initialised: 64-bit capemon loaded in process 5760 at 0x00007FF986960000, thread 4664, image base 0x00007FF6F8BE0000, stack from 0x000000AE04D44000-0x000000AE04D50000
2026-06-29 05:44:46,580 [root] DEBUG: 5760: Commandline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2026-06-29 05:44:46,702 [root] DEBUG: 5760: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 05:44:47,008 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 05:44:47,231 [root] DEBUG: 5760: set_hooks: Unable to hook LockResource
2026-06-29 05:44:47,278 [root] DEBUG: 5760: Hooked 630 out of 631 functions
2026-06-29 05:44:47,296 [root] DEBUG: 5760: Syscall hook installed, syscall logging level 1
2026-06-29 05:44:47,314 [root] DEBUG: 5760: RestoreHeaders: Restored original import table.
2026-06-29 05:44:47,315 [root] INFO: Loaded monitor into process with pid 5760
2026-06-29 05:44:47,317 [root] DEBUG: 5760: caller_dispatch: Added region at 0x00007FF6F8BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F8BE12F2, thread 4664).
2026-06-29 05:44:47,329 [root] DEBUG: 5760: YaraScan: Scanning 0x00007FF6F8BE0000, size 0x8026
2026-06-29 05:44:47,332 [root] DEBUG: 5760: ProcessImageBase: Main module image at 0x00007FF6F8BE0000 unmodified (entropy change 0.000000e+00)
2026-06-29 05:44:47,344 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 05:44:47,348 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 05:44:47,362 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 05:44:47,395 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 05:44:47,438 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A9D30000: C:\Windows\System32\shcore (0xad000 bytes).
2026-06-29 05:44:47,442 [root] DEBUG: 5760: DLL loaded at 0x00007FF992850000: C:\Windows\System32\thumbcache (0x66000 bytes).
2026-06-29 05:44:47,457 [root] DEBUG: 5760: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\propsys (0xf6000 bytes).
2026-06-29 05:44:52,532 [root] INFO: Process with pid 5760 has terminated
2026-06-29 05:44:52,534 [root] DEBUG: 5760: NtTerminateProcess hook: Attempting to dump process 5760
2026-06-29 05:44:52,536 [root] DEBUG: 5760: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 05:45:15,890 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 4440: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe, ImageBase: 0x00007FF620BA0000
2026-06-29 05:45:15,894 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 4440
2026-06-29 05:45:15,896 [lib.api.process] INFO: Monitor config for process 4440: C:\2_6me6uj\dll\4440.ini
2026-06-29 05:45:17,954 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:45:17,973 [root] DEBUG: Loader: Injecting process 4440 (thread 4536) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:17,975 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:45:17,976 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:17,982 [lib.api.process] INFO: Injected into 64-bit <Process 4440 ShellExperienceHost.exe>
2026-06-29 05:45:17,986 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 4440
2026-06-29 05:45:17,988 [lib.api.process] INFO: Monitor config for process 4440: C:\2_6me6uj\dll\4440.ini
2026-06-29 05:45:19,501 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:45:19,520 [root] DEBUG: Loader: Injecting process 4440 (thread 4536) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:19,522 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:45:19,523 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:19,530 [lib.api.process] INFO: Injected into 64-bit <Process 4440 ShellExperienceHost.exe>
2026-06-29 05:45:19,534 [root] INFO: Announced 64-bit process name: ShellExperienceHost.exe pid: 4440
2026-06-29 05:45:19,535 [lib.api.process] INFO: Monitor config for process 4440: C:\2_6me6uj\dll\4440.ini
2026-06-29 05:45:21,339 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:45:21,358 [root] DEBUG: Loader: Injecting process 4440 with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:21,376 [root] DEBUG: InjectDll: No thread ID supplied, initial thread ID 4536, handle 0x10c
2026-06-29 05:45:21,378 [root] DEBUG: InjectDllViaIAT: This image has already been patched.
2026-06-29 05:45:21,379 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:21,388 [lib.api.process] INFO: Injected into 64-bit <Process 4440 ShellExperienceHost.exe>
2026-06-29 05:45:44,366 [root] DEBUG: 2868: NtTerminateProcess hook: Attempting to dump process 2868
2026-06-29 05:45:44,368 [root] DEBUG: 2868: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 05:45:44,374 [root] INFO: Process with pid 2868 has terminated
2026-06-29 05:45:47,998 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 3904: C:\Windows\system32\DllHost.exe, ImageBase: 0x00007FF6F8BE0000
2026-06-29 05:45:48,179 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 3904
2026-06-29 05:45:48,195 [lib.api.process] INFO: Monitor config for process 3904: C:\2_6me6uj\dll\3904.ini
2026-06-29 05:45:48,205 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:45:48,220 [root] DEBUG: Loader: Injecting process 3904 (thread 4108) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:48,223 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:45:48,224 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:48,230 [lib.api.process] INFO: Injected into 64-bit <Process 3904 dllhost.exe>
2026-06-29 05:45:48,234 [root] INFO: Announced 64-bit process name: dllhost.exe pid: 3904
2026-06-29 05:45:48,237 [lib.api.process] INFO: Monitor config for process 3904: C:\2_6me6uj\dll\3904.ini
2026-06-29 05:45:48,244 [lib.api.process] INFO: 64-bit DLL to inject is C:\2_6me6uj\dll\pKwfPInu.dll, loader C:\2_6me6uj\bin\QfFFmdso.exe
2026-06-29 05:45:48,258 [root] DEBUG: Loader: Injecting process 3904 (thread 4108) with C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:48,260 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 05:45:48,261 [root] DEBUG: Successfully injected DLL C:\2_6me6uj\dll\pKwfPInu.dll.
2026-06-29 05:45:48,266 [lib.api.process] INFO: Injected into 64-bit <Process 3904 dllhost.exe>
2026-06-29 05:45:48,282 [root] DEBUG: 3904: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 05:45:48,284 [root] DEBUG: 3904: Dropped file limit defaulting to 100.
2026-06-29 05:45:48,289 [root] DEBUG: 3904: Disabling sleep skipping.
2026-06-29 05:45:48,295 [root] DEBUG: 3904: YaraInit: Compiled rules loaded from existing file C:\2_6me6uj\data\yara\capemon.yac
2026-06-29 05:45:48,318 [root] DEBUG: 3904: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 05:45:48,321 [root] DEBUG: 3904: YaraScan: Scanning 0x00007FF6F8BE0000, size 0x8026
2026-06-29 05:45:48,324 [root] DEBUG: 3904: Monitor initialised: 64-bit capemon loaded in process 3904 at 0x00007FF986960000, thread 4108, image base 0x00007FF6F8BE0000, stack from 0x0000009DE78F4000-0x0000009DE7900000
2026-06-29 05:45:48,327 [root] DEBUG: 3904: Commandline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2026-06-29 05:45:48,343 [root] DEBUG: 3904: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 05:45:48,394 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 05:45:48,395 [root] DEBUG: 3904: set_hooks: Unable to hook LockResource
2026-06-29 05:45:48,409 [root] DEBUG: 3904: Hooked 630 out of 631 functions
2026-06-29 05:45:48,412 [root] DEBUG: 3904: Syscall hook installed, syscall logging level 1
2026-06-29 05:45:48,423 [root] DEBUG: 3904: RestoreHeaders: Restored original import table.
2026-06-29 05:45:48,424 [root] INFO: Loaded monitor into process with pid 3904
2026-06-29 05:45:48,428 [root] DEBUG: 3904: caller_dispatch: Added region at 0x00007FF6F8BE0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF6F8BE12F2, thread 4108).
2026-06-29 05:45:48,429 [root] DEBUG: 3904: YaraScan: Scanning 0x00007FF6F8BE0000, size 0x8026
2026-06-29 05:45:48,433 [root] DEBUG: 3904: ProcessImageBase: Main module image at 0x00007FF6F8BE0000 unmodified (entropy change 0.000000e+00)
2026-06-29 05:45:48,439 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 05:45:48,443 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 05:45:48,450 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 05:45:48,482 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 05:45:48,515 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A9D30000: C:\Windows\System32\shcore (0xad000 bytes).
2026-06-29 05:45:48,517 [root] DEBUG: 3904: DLL loaded at 0x00007FF992850000: C:\Windows\System32\thumbcache (0x66000 bytes).
2026-06-29 05:45:48,582 [root] DEBUG: 3904: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\propsys (0xf6000 bytes).
2026-06-29 05:45:53,882 [root] INFO: Process with pid 3904 has terminated
2026-06-29 05:45:53,885 [root] DEBUG: 3904: NtTerminateProcess hook: Attempting to dump process 3904
2026-06-29 05:45:53,887 [root] DEBUG: 3904: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 05:47:27,753 [root] INFO: Analysis timeout hit, terminating analysis
2026-06-29 05:47:27,757 [lib.api.process] INFO: Terminate event set for process 756
2026-06-29 05:47:27,758 [root] DEBUG: 756: Terminate Event: Attempting to dump process 756
2026-06-29 05:47:27,760 [root] DEBUG: 756: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 05:47:27,766 [lib.api.process] INFO: Termination confirmed for process 756
2026-06-29 05:47:27,766 [root] INFO: Terminate event set for process 756
2026-06-29 05:47:27,767 [root] DEBUG: 756: Terminate Event: monitor shutdown complete for process 756
2026-06-29 05:47:27,769 [lib.api.process] INFO: Terminate event set for process 3036
2026-06-29 05:47:27,770 [root] DEBUG: 3036: Terminate Event: Attempting to dump process 3036
2026-06-29 05:47:27,772 [root] DEBUG: 3036: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 05:47:27,776 [lib.api.process] INFO: Termination confirmed for process 3036
2026-06-29 05:47:27,777 [root] INFO: Terminate event set for process 3036
2026-06-29 05:47:27,777 [lib.api.process] INFO: Terminate event set for process 5432
2026-06-29 05:47:27,779 [root] DEBUG: 3036: Terminate Event: monitor shutdown complete for process 3036
2026-06-29 05:47:27,783 [root] DEBUG: 5432: Terminate Event: Attempting to dump process 5432
2026-06-29 05:47:27,788 [root] DEBUG: 5432: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 05:47:27,802 [root] DEBUG: 5432: Terminate Event: Shutdown complete for process 5432 but failed to inform analyzer.
2026-06-29 05:47:32,783 [lib.api.process] INFO: Termination confirmed for process 5432
2026-06-29 05:47:32,784 [root] INFO: Terminate event set for process 5432
2026-06-29 05:47:32,786 [root] INFO: Created shutdown mutex
2026-06-29 05:47:33,787 [root] INFO: Shutting down package
2026-06-29 05:47:33,788 [root] INFO: Stopping auxiliary modules
2026-06-29 05:47:33,789 [root] INFO: Stopping auxiliary module: Browser
2026-06-29 05:47:33,790 [root] INFO: Stopping auxiliary module: Human
2026-06-29 05:47:34,820 [root] INFO: Stopping auxiliary module: Screenshots
2026-06-29 05:47:34,821 [root] INFO: Finishing auxiliary modules
2026-06-29 05:47:34,822 [root] INFO: Shutting down pipe server and dumping dropped files
2026-06-29 05:47:34,828 [lib.common.results] INFO: Uploading file C:\Users\Rajesh\AppData\Local\Temp\information.txt to files\1579f6235bdcda8ced8fb6c161a9cfa55c8dddca53970f9683236c9ceca581c3; Size is 2365; Max size: 100000000
2026-06-29 05:47:34,835 [root] WARNING: Folder at path "C:\ngIpjVKr\debugger" does not exist, skipping
2026-06-29 05:47:34,836 [root] WARNING: Folder at path "C:\ngIpjVKr\tlsdump" does not exist, skipping
2026-06-29 05:47:34,909 [root] WARNING: Monitor injection attempted but failed for process 4440
2026-06-29 05:47:34,910 [root] INFO: Analysis completed
Machine Information
Name Label Manager Started On Shutdown On Route
win10 win10 KVM 2026-06-29 12:43:43 2026-06-29 12:47:36 internet
File Details
File Information
File Name
test.bat
File Type ASCII text, with CRLF line terminators
File Size 51 bytes
MD5 3c81be5e67ce4c4974231d6a8dd5746e
SHA1 ad8f07c8528442ce0a9f4fce436ed795fdd0f924
SHA256 d5adc813fc59eb3112da0876d52643faf3b0ed8c54ae2ef70048269e683ce21e
SHA3-384 9935c3f25f3cb57d9c15241ab33c52cd863acb88f465121be1f5c5c9ef6546685924b394179aeac5992d524098fa7e83
CRC32 5565FD64
TLSH T1D8900293DD014A473C121B02928311014A2110063008E43A0C418481540EC012317A14
Ssdeep 3:gh2Z4MKLL7zYXI4MKLL7R:gh26MKjzGPMKjR
Extracted Text
systeminfo > information.txt
start information.txt
Processing 3.52s
  • 3.135s CAPE
  • 0.35s BehaviorAnalysis
  • 0.022s NetworkAnalysis
  • 0.01s AnalysisInfo
  • 0.002s Debug
Signatures 0.35s
  • 0.118s antiav_detectreg
  • 0.039s infostealer_ftp
  • 0.038s territorial_disputes_sigs
  • 0.023s antianalysis_detectreg
  • 0.022s infostealer_im
  • 0.013s antivm_vbox_keys
  • 0.009s antivm_vmware_keys
  • 0.008s suspicious_command_tools
  • 0.008s uses_windows_utilities
  • 0.007s infostealer_mail
  • 0.006s antivm_parallels_keys
  • 0.006s antivm_xen_keys
  • 0.006s ransomware_files
  • 0.005s antivm_generic_diskreg
  • 0.004s antiav_detectfile
  • 0.004s antivm_vpc_keys
  • 0.004s ransomware_extensions_known
  • 0.003s masquerade_process_name
  • 0.002s antianalysis_detectfile
  • 0.002s antivm_bochs_keys
  • 0.002s antivm_hyperv_keys
  • 0.002s antivm_vbox_files
  • 0.002s bypass_firewall
  • 0.002s infostealer_bitcoin
  • 0.001s antidebug_devices
  • 0.001s antivm_generic_bios
  • 0.001s antivm_vmware_files
  • 0.001s ketrican_regkeys
  • 0.001s browser_security
  • 0.001s registry_credential_store_access
  • 0.001s disables_backups
  • 0.001s disables_browser_warn
  • 0.001s disables_power_options
  • 0.001s recon_fingerprint
Reporting 0.03s
  • 0.03s JsonDump
Signatures
command: C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\test.bat"
process: cmd.exe, PID 2108
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
behavioral_fips_reconnaissance: ["systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'", "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'", "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "cmd.exe (PID: 2108) probed FIPS encryption policy at 
'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'", "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "dllhost.exe (PID: 3904) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "notepad.exe (PID: 5432) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'", "cmd.exe (PID: 2108) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'", "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "dllhost.exe (PID: 5760) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "systeminfo.exe (PID: 4468) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'"]
thread_resumed: Process svchost.exe with process ID 756 resumed a thread in another process with the process ID 4440
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Generation
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Data
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Generation
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Generation
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Data
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Data
command: C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\test.bat"
command: systeminfo
amsi_enumeration: ["systeminfo.exe (PID: 4468) probed AMSI registry 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\'", "systeminfo.exe (PID: 4468) probed AMSI registry 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\AMSI\\Providers'", "systeminfo.exe (PID: 4468) probed AMSI registry 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\AMSI\\Providers\\{2781761E-28E0-4109-99FE-B9D127C57AFE}'"]
file: C:\Users\Rajesh\AppData\Local\Temp\information.txt
command: information.txt
Hosts
Summary
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\CustomAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\Software\Microsoft\XAML
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XAML\OneCoreTransformsEnabledByDefault
  • HKEY_CURRENT_USER\Software\Classes\AppID\NOTEPAD.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
  • HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\Interface\{C50898F6-C536-5F47-8583-8B2C2438A13B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\AppID
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\Elevation
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\NOTEPAD.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
  • HKEY_CLASSES_ROOT\.txt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.txt\Content Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Consolas
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Input
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
  • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
  • HKEY_CURRENT_USER\Software\Classes\AppID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalService
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\DllSurrogate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\RunAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ActivateAtStorage
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ROTFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\AppIDFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\MGOTFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ProcessMitigationPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LaunchPermission
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyAuthenticationLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\AuthenticationLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\RemoteServerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\SRPTrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\PreferredServerBitness
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LoadUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ProtectionLevel
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StateSeparation\RedirectionMap\Keys
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\AccessPermission
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocHandler32
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\GipActivityBypass
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\AppID
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Elevation
  • HKEY_CURRENT_USER\Software\Classes\Interface\{75121952-E0D0-43E5-9380-1D80483ACF72}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{75121952-e0d0-43e5-9380-1d80483acf72}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{75121952-e0d0-43e5-9380-1d80483acf72}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InprocHandler32
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\LocalServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\AppID
  • HKEY_CURRENT_USER\Software\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\Elevation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Ids\en
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Data
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Generation
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Data
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Generation
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Data
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\IdentityType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ActivatableClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\AppID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Server
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\DllPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Threading
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\TrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Rfc1766\0409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
  • HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%SystemRoot%\system32\mlang.dll,-4386
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\EnableObjectValidation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfEscapement
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOrientation
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfWeight
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfItalic
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfUnderline
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfStrikeOut
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfCharSet
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOutPrecision
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfClipPrecision
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfQuality
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfPitchAndFamily
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\lfFaceName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\iPointSize
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfFaceName
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iPointSize
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWrap
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iDefaultEncoding
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\StatusBar
  • ntdll.dll.RtlWow64GetCurrentMachine
  • ntdll.dll.RtlWow64IsWowGuestMachineSupported
  • C:\Windows\system32\cmd.exe /K "C:\Users\Rajesh\AppData\Local\Temp\test.bat"
  • systeminfo
  • information.txt
  • "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Rajesh\AppData\Local\Temp\information.txt
  • C:\Users\Rajesh\AppData\Local\Temp\information.txt
  • C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  • C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  • "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  • Local\SM0:5432:304:WilStaging_02
  • Local\SM0:5432:120:WilError_03
  • Local\MSCTF.Asm.MutexDefault2
  • CicLoadWinStaWinSta0
  • Local\MSCTF.CtfMonitorInstMutexDefault2
  • Local\SM0:5760:304:WilStaging_02
  • Local\SM0:3904:304:WilStaging_02

No results found.

No behavioral analysis data available.

Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.