Analysis Details
Category: FILE
Package: generic
Started: 2026-06-29 19:35:56
Completed: 2026-06-29 19:36:45
Duration: 49s
Options
vnc_port=5900
Analysis Log
2026-06-29 14:58:59,948 [root] INFO: Date set to: 20260629T19:36:00, timeout set to: 15
2026-06-29 19:36:00,470 [root] DEBUG: Starting analyzer from: C:\7d7wfxi0
2026-06-29 19:36:00,471 [root] DEBUG: Storing results at: C:\BxeBJc
2026-06-29 19:36:00,471 [root] DEBUG: Pipe server name: \\.\PIPE\QYkbIs
2026-06-29 19:36:00,471 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314
2026-06-29 19:36:00,472 [root] INFO: analysis running as an admin
2026-06-29 19:36:00,472 [root] DEBUG: no analysis package configured, picking one for you
2026-06-29 19:36:00,473 [root] INFO: analysis package selected: "generic"
2026-06-29 19:36:00,473 [root] DEBUG: importing analysis package module: "modules.packages.generic"...
2026-06-29 19:36:00,478 [root] DEBUG: imported analysis package "generic"
2026-06-29 19:36:00,479 [root] DEBUG: initializing analysis package "generic"...
2026-06-29 19:36:00,479 [lib.common.common] INFO: no wrapping
2026-06-29 19:36:00,480 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-29 19:36:00,480 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
2026-06-29 19:36:00,481 [root] INFO: Analyzer: Package modules.packages.generic does not specify a dll option
2026-06-29 19:36:00,481 [root] INFO: Analyzer: Package modules.packages.generic does not specify a dll_64 option
2026-06-29 19:36:00,482 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader option
2026-06-29 19:36:00,482 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader_64 option
2026-06-29 19:36:00,733 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-06-29 19:36:00,745 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-06-29 19:36:00,785 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-06-29 19:36:01,132 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-06-29 19:36:01,139 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-06-29 19:36:01,139 [root] DEBUG: Initialized auxiliary module "Browser"
2026-06-29 19:36:01,140 [root] DEBUG: attempting to configure 'Browser' from data
2026-06-29 19:36:01,143 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-06-29 19:36:01,144 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-06-29 19:36:01,159 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-06-29 19:36:01,159 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-06-29 19:36:01,160 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-06-29 19:36:01,161 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-06-29 19:36:01,162 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-06-29 19:36:01,162 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-06-29 19:36:01,861 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-29 19:36:01,861 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-06-29 19:36:01,867 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-06-29 19:36:01,868 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-06-29 19:36:01,868 [root] DEBUG: attempting to configure 'Disguise' from data
2026-06-29 19:36:01,868 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-06-29 19:36:01,869 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-06-29 19:36:01,881 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 2624)
2026-06-29 19:36:01,886 [modules.auxiliary.disguise] INFO: Disguising GUID to aaf550a6-7a62-4bb8-9d95-1e7652f2d63b
2026-06-29 19:36:01,886 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-06-29 19:36:01,886 [root] DEBUG: Initialized auxiliary module "Human"
2026-06-29 19:36:01,887 [root] DEBUG: attempting to configure 'Human' from data
2026-06-29 19:36:01,887 [root] DEBUG: module Human does not support data configuration, ignoring
2026-06-29 19:36:01,887 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-06-29 19:36:01,903 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-06-29 19:36:01,903 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-06-29 19:36:01,903 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-06-29 19:36:01,904 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-06-29 19:36:01,904 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-06-29 19:36:01,906 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process
2026-06-29 19:36:01,906 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-06-29 19:36:08,392 [root] INFO: Restarting WMI Service
2026-06-29 19:36:10,567 [root] DEBUG: package modules.packages.generic does not support configure, ignoring
2026-06-29 19:36:10,569 [root] WARNING: configuration error for package modules.packages.generic: error importing data.packages.generic: No module named 'data.packages'
2026-06-29 19:36:10,570 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-29 19:36:10,573 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"" with pid 3792
2026-06-29 19:36:10,830 [lib.api.process] INFO: Monitor config for process 3792: C:\7d7wfxi0\dll\3792.ini
2026-06-29 19:36:10,847 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:10,875 [root] DEBUG: Loader: Injecting process 3792 (thread 2248) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:10,999 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:11,001 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:11,008 [lib.api.process] INFO: Injected into 64-bit <Process 3792 cmd.exe>
2026-06-29 19:36:13,028 [lib.api.process] INFO: Successfully resumed process with pid 3792
2026-06-29 19:36:13,310 [root] DEBUG: 3792: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:13,317 [root] DEBUG: 3792: Disabling sleep skipping.
2026-06-29 19:36:13,318 [root] DEBUG: 3792: Dropped file limit defaulting to 100.
2026-06-29 19:36:13,352 [root] DEBUG: 3792: YaraInit: Compiled 44 rule files
2026-06-29 19:36:13,357 [root] DEBUG: 3792: YaraInit: Compiled rules saved to file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:13,428 [root] DEBUG: 3792: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:13,430 [root] DEBUG: 3792: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-29 19:36:13,437 [root] DEBUG: 3792: YaraScan hit: FindFixAndRun
2026-06-29 19:36:13,439 [root] DEBUG: 3792: Monitor initialised: 64-bit capemon loaded in process 3792 at 0x00007FF9870C0000, thread 2248, image base 0x00007FF79A450000, stack from 0x000000F098A04000-0x000000F098B00000
2026-06-29 19:36:13,440 [root] DEBUG: 3792: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"
2026-06-29 19:36:13,466 [root] DEBUG: 3792: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 19:36:13,535 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 19:36:13,536 [root] DEBUG: 3792: set_hooks: Unable to hook LockResource
2026-06-29 19:36:13,554 [root] DEBUG: 3792: Hooked 630 out of 631 functions
2026-06-29 19:36:13,561 [root] DEBUG: 3792: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF79A45C620
2026-06-29 19:36:13,565 [root] DEBUG: 3792: Syscall hook installed, syscall logging level 1
2026-06-29 19:36:13,585 [root] DEBUG: 3792: RestoreHeaders: Restored original import table.
2026-06-29 19:36:13,586 [root] INFO: Loaded monitor into process with pid 3792
2026-06-29 19:36:13,588 [root] DEBUG: 3792: caller_dispatch: Added region at 0x00007FF79A450000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF79A4693C1, thread 2248).
2026-06-29 19:36:13,591 [root] DEBUG: 3792: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-29 19:36:13,604 [root] DEBUG: 3792: ProcessImageBase: Main module image at 0x00007FF79A450000 unmodified (entropy change 0.000000e+00)
2026-06-29 19:36:13,634 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 19:36:13,637 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 19:36:13,657 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 19:36:13,676 [root] DEBUG: 3792: DLL loaded at 0x00007FF994050000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32 (0x29a000 bytes).
2026-06-29 19:36:13,681 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A9D30000: C:\Windows\System32\SHCORE (0xad000 bytes).
2026-06-29 19:36:13,686 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A7A90000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-29 19:36:13,688 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-29 19:36:13,694 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\PROPSYS (0xf6000 bytes).
2026-06-29 19:36:13,717 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 19:36:13,752 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A8050000: C:\Windows\system32\profapi (0x1f000 bytes).
2026-06-29 19:36:13,922 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A8110000: C:\Windows\System32\CFGMGR32 (0x4e000 bytes).
2026-06-29 19:36:13,940 [root] DEBUG: 3792: DLL loaded at 0x00007FF993730000: C:\Windows\system32\edputil (0x24000 bytes).
2026-06-29 19:36:13,994 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A1300000: C:\Windows\System32\Windows.StateRepositoryPS (0x146000 bytes).
2026-06-29 19:36:14,016 [root] DEBUG: 3792: DLL loaded at 0x00007FF9903B0000: C:\Windows\System32\Windows.UI.AppDefaults (0x4c000 bytes).
2026-06-29 19:36:14,093 [root] DEBUG: 3792: DLL loaded at 0x00007FF99F680000: C:\Windows\system32\iertutil (0x2b0000 bytes).
2026-06-29 19:36:14,095 [root] DEBUG: 3792: DLL loaded at 0x00007FF99F650000: C:\Windows\system32\srvcli (0x28000 bytes).
2026-06-29 19:36:14,096 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A75F0000: C:\Windows\system32\netutils (0xc000 bytes).
2026-06-29 19:36:14,099 [root] DEBUG: 3792: DLL loaded at 0x00007FF99F930000: C:\Windows\system32\urlmon (0x1eb000 bytes).
2026-06-29 19:36:14,111 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A7200000: C:\Windows\system32\msvcp110_win (0x8a000 bytes).
2026-06-29 19:36:14,113 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A35E0000: C:\Windows\SYSTEM32\policymanager (0xa0000 bytes).
2026-06-29 19:36:14,148 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A4DC0000: C:\Windows\System32\wintypes (0x154000 bytes).
2026-06-29 19:36:14,163 [root] DEBUG: 3792: DLL loaded at 0x00007FF99E080000: C:\Windows\System32\Bcp47Langs (0x5c000 bytes).
2026-06-29 19:36:14,164 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6C60000: C:\Windows\System32\sppc (0x25000 bytes).
2026-06-29 19:36:14,166 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6C90000: C:\Windows\System32\SLC (0x29000 bytes).
2026-06-29 19:36:14,167 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A7F80000: C:\Windows\System32\USERENV (0x2e000 bytes).
2026-06-29 19:36:14,168 [root] DEBUG: 3792: DLL loaded at 0x00007FF9971F0000: C:\Windows\System32\appresolver (0x90000 bytes).
2026-06-29 19:36:14,187 [root] DEBUG: 3792: DLL loaded at 0x00007FF99D480000: C:\Windows\System32\OneCoreCommonProxyStub (0x7d000 bytes).
2026-06-29 19:36:14,209 [root] DEBUG: 3792: DLL loaded at 0x00007FF99EEA0000: C:\Windows\System32\OneCoreUAPCommonProxyStub (0x798000 bytes).
2026-06-29 19:36:14,222 [lib.api.process] INFO: Monitor config for process 756: C:\7d7wfxi0\dll\756.ini
2026-06-29 19:36:14,227 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:14,241 [root] DEBUG: Loader: Injecting process 756 with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:14,250 [root] DEBUG: 756: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:14,251 [root] DEBUG: 756: Disabling sleep skipping.
2026-06-29 19:36:14,252 [root] DEBUG: 756: Dropped file limit defaulting to 100.
2026-06-29 19:36:14,256 [root] DEBUG: 756: Services hook set enabled
2026-06-29 19:36:14,262 [root] DEBUG: 756: YaraInit: Compiled rules loaded from existing file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:14,285 [root] DEBUG: 756: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:14,286 [root] DEBUG: 756: Monitor initialised: 64-bit capemon loaded in process 756 at 0x00007FF9870C0000, thread 1140, image base 0x00007FF69D480000, stack from 0x00000036AC4F4000-0x00000036AC500000
2026-06-29 19:36:14,288 [root] DEBUG: 756: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
2026-06-29 19:36:14,313 [root] DEBUG: 756: Hooked 69 out of 69 functions
2026-06-29 19:36:14,316 [root] INFO: Loaded monitor into process with pid 756
2026-06-29 19:36:14,319 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-06-29 19:36:14,321 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:14,324 [lib.api.process] INFO: Injected into 64-bit <Process 756 svchost.exe>
2026-06-29 19:36:16,359 [root] DEBUG: 3792: CreateProcessHandler: Injection info set for new process 5060: C:\Windows\system32\NOTEPAD.EXE, ImageBase: 0x00007FF737DC0000
2026-06-29 19:36:16,361 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5060
2026-06-29 19:36:16,361 [lib.api.process] INFO: Monitor config for process 5060: C:\7d7wfxi0\dll\5060.ini
2026-06-29 19:36:16,366 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:16,378 [root] DEBUG: Loader: Injecting process 5060 (thread 3940) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,379 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:16,382 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,385 [lib.api.process] INFO: Injected into 64-bit <Process 5060 notepad.exe>
2026-06-29 19:36:16,388 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5060
2026-06-29 19:36:16,389 [lib.api.process] INFO: Monitor config for process 5060: C:\7d7wfxi0\dll\5060.ini
2026-06-29 19:36:16,391 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:16,402 [root] DEBUG: Loader: Injecting process 5060 (thread 3940) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,403 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:16,404 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,407 [lib.api.process] INFO: Injected into 64-bit <Process 5060 notepad.exe>
2026-06-29 19:36:16,411 [root] DEBUG: 3792: DLL loaded at 0x00007FF998030000: C:\Windows\system32\MPR (0x1d000 bytes).
2026-06-29 19:36:16,412 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A31D0000: C:\Windows\SYSTEM32\pcacli (0x16000 bytes).
2026-06-29 19:36:16,436 [root] DEBUG: 5060: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:16,437 [root] DEBUG: 5060: Dropped file limit defaulting to 100.
2026-06-29 19:36:16,450 [root] DEBUG: 5060: Disabling sleep skipping.
2026-06-29 19:36:16,453 [root] DEBUG: 5060: YaraInit: Compiled rules loaded from existing file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:16,538 [root] DEBUG: 5060: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:16,540 [root] DEBUG: 5060: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee
2026-06-29 19:36:16,545 [root] DEBUG: 5060: Monitor initialised: 64-bit capemon loaded in process 5060 at 0x00007FF9870C0000, thread 3940, image base 0x00007FF737DC0000, stack from 0x00000097E611F000-0x00000097E6130000
2026-06-29 19:36:16,546 [root] DEBUG: 5060: Commandline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
2026-06-29 19:36:16,568 [root] DEBUG: 5060: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 19:36:16,633 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 19:36:16,635 [root] DEBUG: 5060: set_hooks: Unable to hook LockResource
2026-06-29 19:36:16,650 [root] DEBUG: 5060: Hooked 630 out of 631 functions
2026-06-29 19:36:16,656 [root] DEBUG: 5060: Syscall hook installed, syscall logging level 1
2026-06-29 19:36:16,667 [root] DEBUG: 5060: RestoreHeaders: Restored original import table.
2026-06-29 19:36:16,668 [root] INFO: Loaded monitor into process with pid 5060
2026-06-29 19:36:16,679 [root] DEBUG: 5060: caller_dispatch: Added region at 0x00007FF737DC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF737DE5842, thread 3940).
2026-06-29 19:36:16,681 [root] DEBUG: 5060: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee
2026-06-29 19:36:16,690 [root] DEBUG: 5060: ProcessImageBase: Main module image at 0x00007FF737DC0000 unmodified (entropy change 0.000000e+00)
2026-06-29 19:36:16,695 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 19:36:16,703 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 19:36:16,707 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 19:36:16,714 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 19:36:16,725 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A06E0000: C:\Windows\System32\MrmCoreR (0xf5000 bytes).
2026-06-29 19:36:16,764 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A7A90000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-29 19:36:16,765 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-29 19:36:16,776 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A9A10000: C:\Windows\System32\MSCTF (0x115000 bytes).
2026-06-29 19:36:16,830 [root] DEBUG: 5060: DLL loaded at 0x00007FF998F00000: C:\Windows\system32\TextShaping (0xac000 bytes).
2026-06-29 19:36:16,854 [root] DEBUG: 5060: DLL loaded at 0x00007FF998030000: C:\Windows\System32\MPR (0x1d000 bytes).
2026-06-29 19:36:16,856 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A4DC0000: C:\Windows\SYSTEM32\wintypes (0x154000 bytes).
2026-06-29 19:36:16,857 [root] DEBUG: 5060: DLL loaded at 0x00007FF987B80000: C:\Windows\System32\efswrt (0xde000 bytes).
2026-06-29 19:36:16,867 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A10F0000: C:\Windows\System32\twinapi.appcore (0x201000 bytes).
2026-06-29 19:36:16,982 [root] DEBUG: 5060: DLL loaded at 0x00007FF992900000: C:\Windows\System32\oleacc (0x66000 bytes).
2026-06-29 19:36:17,099 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A6E00000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2026-06-29 19:36:17,102 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A57F0000: C:\Windows\System32\CoreMessaging (0xf2000 bytes).
2026-06-29 19:36:17,103 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A5490000: C:\Windows\System32\CoreUIComponents (0x35e000 bytes).
2026-06-29 19:36:17,104 [root] DEBUG: 5060: DLL loaded at 0x00007FF99BC00000: C:\Windows\SYSTEM32\textinputframework (0xf9000 bytes).
2026-06-29 19:36:17,191 [root] DEBUG: 5060: DLL loaded at 0x00007FF99F680000: C:\Windows\system32\iertutil (0x2b0000 bytes).
2026-06-29 19:36:17,193 [root] DEBUG: 5060: DLL loaded at 0x00007FF99F650000: C:\Windows\system32\srvcli (0x28000 bytes).
2026-06-29 19:36:17,196 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A75F0000: C:\Windows\system32\netutils (0xc000 bytes).
2026-06-29 19:36:17,200 [root] DEBUG: 5060: DLL loaded at 0x00007FF99F930000: C:\Windows\system32\urlmon (0x1eb000 bytes).
2026-06-29 19:36:17,237 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A9450000: C:\Windows\System32\COMDLG32 (0xda000 bytes).
2026-06-29 19:36:17,244 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\PROPSYS (0xf6000 bytes).
2026-06-29 19:36:27,999 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 1820: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x00007FF712FE0000
2026-06-29 19:36:28,001 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1820
2026-06-29 19:36:28,002 [lib.api.process] INFO: Monitor config for process 1820: C:\7d7wfxi0\dll\1820.ini
2026-06-29 19:36:28,251 [root] INFO: Analysis timeout hit, terminating analysis
2026-06-29 19:36:28,253 [lib.api.process] INFO: Terminate event set for process 3792
2026-06-29 19:36:28,254 [root] DEBUG: 3792: Terminate Event: Attempting to dump process 3792
2026-06-29 19:36:28,258 [root] DEBUG: 3792: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching
2026-06-29 19:36:28,259 [root] DEBUG: 3792: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF79A450000.
2026-06-29 19:36:28,261 [root] DEBUG: 3792: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-06-29 19:36:28,262 [root] DEBUG: 3792: DumpProcess: Instantiating PeParser with address: 0x00007FF79A450000.
2026-06-29 19:36:28,263 [root] DEBUG: 3792: DumpProcess: Module entry point VA is 0x00007FF79A468F50.
2026-06-29 19:36:28,286 [lib.common.results] INFO: Uploading file C:\BxeBJc\CAPE\3792_108242836230262026 to procdump\f4dd0d951a26f0fe9d8ea0afcbfb650ce05b3e9e3d31cfdc394da2f1fe8dc80d; Size is 401920; Max size: 100000000
2026-06-29 19:36:28,324 [root] DEBUG: 3792: DumpProcess: Module image dump success - dump size 0x62200.
2026-06-29 19:36:28,340 [root] DEBUG: 3792: Terminate Event: Shutdown complete for process 3792 but failed to inform analyzer.
2026-06-29 19:36:29,500 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:29,524 [root] DEBUG: Loader: Injecting process 1820 (thread 3596) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:29,527 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:29,530 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:29,535 [lib.api.process] INFO: Injected into 64-bit <Process 1820 WmiPrvSE.exe>
2026-06-29 19:36:29,561 [root] DEBUG: 1820: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:29,562 [root] DEBUG: 1820: Dropped file limit defaulting to 100.
2026-06-29 19:36:29,575 [root] DEBUG: 1820: Disabling sleep skipping.
2026-06-29 19:36:29,577 [root] DEBUG: 1820: YaraInit: Compiled rules loaded from existing file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:29,608 [root] DEBUG: 1820: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:29,614 [root] DEBUG: 1820: YaraScan: Scanning 0x00007FF712FE0000, size 0x7dcfe
2026-06-29 19:36:29,624 [root] DEBUG: 1820: Monitor initialised: 64-bit capemon loaded in process 1820 at 0x00007FF9870C0000, thread 3596, image base 0x00007FF712FE0000, stack from 0x0000002D0E470000-0x0000002D0E480000
2026-06-29 19:36:29,626 [root] DEBUG: 1820: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2026-06-29 19:36:29,653 [root] DEBUG: 1820: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 19:36:29,751 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 19:36:29,754 [root] DEBUG: 1820: set_hooks: Unable to hook LockResource
2026-06-29 19:36:29,769 [root] DEBUG: 1820: Hooked 630 out of 631 functions
2026-06-29 19:36:29,777 [root] DEBUG: 1820: Syscall hook installed, syscall logging level 1
2026-06-29 19:36:29,789 [root] DEBUG: 1820: RestoreHeaders: Restored original import table.
2026-06-29 19:36:29,790 [root] INFO: Loaded monitor into process with pid 1820
2026-06-29 19:36:29,793 [root] DEBUG: 1820: caller_dispatch: Added region at 0x00007FF712FE0000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF712FF2CD1, thread 3596).
2026-06-29 19:36:29,795 [root] DEBUG: 1820: YaraScan: Scanning 0x00007FF712FE0000, size 0x7dcfe
2026-06-29 19:36:29,808 [root] DEBUG: 1820: ProcessImageBase: Main module image at 0x00007FF712FE0000 unmodified (entropy change 0.000000e+00)
2026-06-29 19:36:29,830 [root] DEBUG: 1820: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 19:36:29,833 [root] DEBUG: 1820: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 19:36:29,855 [root] DEBUG: 1820: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 19:36:29,867 [root] DEBUG: 1820: DLL loaded at 0x00007FF97FC40000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-06-29 19:36:29,890 [root] DEBUG: 1820: DLL loaded at 0x00007FF97FC20000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-06-29 19:36:29,955 [root] DEBUG: 1820: DLL loaded at 0x00007FF99E310000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2026-06-29 19:36:33,251 [lib.api.process] INFO: Termination confirmed for process 3792
2026-06-29 19:36:33,252 [root] INFO: Terminate event set for process 3792
2026-06-29 19:36:33,252 [lib.api.process] INFO: Terminate event set for process 756
2026-06-29 19:36:33,253 [root] DEBUG: 756: Terminate Event: Attempting to dump process 756
2026-06-29 19:36:33,255 [root] DEBUG: 756: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 19:36:33,260 [lib.api.process] INFO: Termination confirmed for process 756
2026-06-29 19:36:33,260 [root] DEBUG: 756: Terminate Event: monitor shutdown complete for process 756
2026-06-29 19:36:33,260 [root] INFO: Terminate event set for process 756
2026-06-29 19:36:33,261 [lib.api.process] INFO: Terminate event set for process 5060
2026-06-29 19:36:33,262 [root] DEBUG: 5060: Terminate Event: Attempting to dump process 5060
2026-06-29 19:36:33,264 [root] DEBUG: 5060: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 19:36:33,277 [root] DEBUG: 5060: Terminate Event: Shutdown complete for process 5060 but failed to inform analyzer.
2026-06-29 19:36:38,252 [lib.api.process] INFO: Termination confirmed for process 5060
2026-06-29 19:36:38,253 [root] INFO: Terminate event set for process 5060
2026-06-29 19:36:38,253 [lib.api.process] INFO: Terminate event set for process 1820
2026-06-29 19:36:38,254 [root] DEBUG: 1820: Terminate Event: Attempting to dump process 1820
2026-06-29 19:36:38,256 [root] DEBUG: 1820: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 19:36:38,265 [lib.api.process] INFO: Termination confirmed for process 1820
2026-06-29 19:36:38,266 [root] INFO: Terminate event set for process 1820
2026-06-29 19:36:38,266 [root] DEBUG: 1820: Terminate Event: monitor shutdown complete for process 1820
2026-06-29 19:36:38,266 [root] INFO: Created shutdown mutex
2026-06-29 19:36:39,276 [root] INFO: Shutting down package
2026-06-29 19:36:39,277 [root] INFO: Stopping auxiliary modules
2026-06-29 19:36:39,277 [root] INFO: Stopping auxiliary module: Browser
2026-06-29 19:36:39,278 [root] INFO: Stopping auxiliary module: Human
2026-06-29 19:36:39,699 [root] INFO: Finishing auxiliary modules
2026-06-29 19:36:39,700 [root] INFO: Shutting down pipe server and dumping dropped files
2026-06-29 19:36:39,705 [root] WARNING: Folder at path "C:\BxeBJc\debugger" does not exist, skipping
2026-06-29 19:36:39,709 [root] WARNING: Folder at path "C:\BxeBJc\tlsdump" does not exist, skipping
2026-06-29 19:36:39,711 [root] INFO: Analysis completed
Machine Information
Name: win10
Label: win10
Manager: KVM
Started On: 2026-06-29 19:35:56
Shutdown On: 2026-06-29 19:36:44
Route: internet
File Details
File Information
File Name rufus.ini
File Type ASCII text, with CRLF line terminators
File Size 107 bytes
MD5 8a78a90f6c9c3b0da292006dd16b4cd1
SHA1 82c2a11d4ccba12662a05e3f60741338eba051a3
SHA256 eb5be587219b06d6b089f104095b98c119c73495a3e09c584b10d29defb112bd
SHA3-384 b618a4c8b3a2dc0e9a983ff4171e854ce27f17a95e5409fb73874cb28eabcca7304d2feb1cf36e3c61f2253474e0830d
CRC32 324E6668
TLSH T1F4B012183F062CB736F7121C7D4208813DEE8D274B0BA421A6CAAC82010EC07C35A904
Ssdeep 3:5HQAFoSzWx1jXDJiFIvJmyFMu67MKii8p6cv:5BlzWx1jlm8myF967MKEp6e
Extracted Text
Locale = en-US
CommCheck64 = 7277031
UpdateCheckInterval = -1
WindowsUserExperienceOptions = 385810517
Processing 2.15s
  • 1.965s CAPE
  • 0.152s BehaviorAnalysis
  • 0.025s NetworkAnalysis
  • 0.009s AnalysisInfo
  • 0.001s Debug
Signatures 0.34s
  • 0.108s antiav_detectreg
  • 0.037s infostealer_ftp
  • 0.037s territorial_disputes_sigs
  • 0.023s antianalysis_detectreg
  • 0.021s infostealer_im
  • 0.012s antivm_vbox_keys
  • 0.008s antivm_vmware_keys
  • 0.007s antivm_parallels_keys
  • 0.007s infostealer_mail
  • 0.006s antivm_xen_keys
  • 0.006s network_dns_url_shortener
  • 0.006s ransomware_files
  • 0.004s antiav_detectfile
  • 0.004s antivm_generic_diskreg
  • 0.004s antivm_vpc_keys
  • 0.004s suspicious_tld
  • 0.004s ransomware_extensions_known
  • 0.004s suspicious_command_tools
  • 0.004s uses_windows_utilities
  • 0.003s network_dyndns
  • 0.002s antianalysis_detectfile
  • 0.002s antivm_bochs_keys
  • 0.002s antivm_hyperv_keys
  • 0.002s bypass_firewall
  • 0.002s infostealer_bitcoin
  • 0.002s masquerade_process_name
  • 0.001s network_torgateway
  • 0.001s antidebug_devices
  • 0.001s antivm_generic_bios
  • 0.001s antivm_vbox_files
  • 0.001s antivm_vmware_files
  • 0.001s ketrican_regkeys
  • 0.001s browser_security
  • 0.001s suspicious_browser_arguments
  • 0.001s registry_credential_store_access
  • 0.001s disables_backups
  • 0.001s disables_browser_warn
  • 0.001s disables_power_options
  • 0.001s network_dns_opennic
  • 0.001s network_dns_paste_site
  • 0.001s network_dns_temp_file_storage
  • 0.001s recon_fingerprint
Reporting 0.01s
  • 0.009s JsonDump
Signatures
domain: beacons.gcp.gvt2.com
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
behavioral_fips_reconnaissance: [
  "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
  "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
  "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
  "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
  "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
  "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
  "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
  "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'",
  "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
  "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
  "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'",
  "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'",
  "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'",
  "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'",
  "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'"
]
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Generation
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Data
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Generation
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Data
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Generation
mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Data
file: C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
command: "C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"
Hosts
Direct IP Country Name ASN
DNS
Name Response Post-Analysis Lookup
beacons.gcp.gvt2.com [VT] CNAME beacons-handoff.gcp.gvt2.com [VT]
A 142.251.14.94 [VT]
142.251.14.94 [VT]
Summary
  • C:\Users\Rajesh\AppData\Local\Temp
  • C:\Users
  • C:\Users\Rajesh
  • C:\Users\Rajesh\AppData
  • C:\Users\Rajesh\AppData\Local
  • C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
  • C:\Windows\System32\kernel.appcore.dll
  • \Device\CNG
  • \Device\DeviceApi\CMApi
  • \??\MountPointManager
  • \??\PhysicalDrive0
  • C:\Windows\System32\wbem\WmiPrvSE.exe
  • C:\Windows\WindowsShell.Manifest
  • C:\Windows\System32\resources.pri
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\System32\TextShaping.dll
  • C:\Windows\System32\uxtheme.dll.Config
  • C:\Windows\System32\uxtheme.dll
  • C:\Windows\System32\textinputframework.dll
  • C:\Windows\System32\CoreUIComponents.dll
  • C:\Windows\System32\CoreMessaging.dll
  • C:\Windows\System32\ntmarta.dll
  • C:\Windows\System32\urlmon.dll
  • C:\Windows\System32\iertutil.dll
  • C:\Windows\System32\srvcli.dll
  • C:\Windows\System32\netutils.dll
  • C:\Windows\system32
  • C:\Windows
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • \??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\Elevation
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\NOTEPAD.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Input
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
  • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
  • HKEY_CLASSES_ROOT\.ini
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ini\Content Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Consolas
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
  • HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Sink Transmit Buffer Size
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Cimom
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\DefaultRpcStackSize
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
  • HKEY_LOCAL_MACHINE\Software\Classes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wmiprvse.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Elevation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\EnableObjectValidation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
  • HKEY_CLASSES_ROOT\CLSID\{F4BA59CC-2506-45AE-84C8-78EA8D7F9B3E}\InProcServer32
  • HKEY_CLASSES_ROOT\CLSID\{F4BA59CC-2506-45AE-84C8-78EA8D7F9B3E}\LocalServer32
  • HKEY_CLASSES_ROOT\CLSID\{F4BA59CC-2506-45AE-84C8-78EA8D7F9B3E}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Elevation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Data
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Generation
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Data
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Generation
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Data
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\IdentityType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ActivatableClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\AppID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Server
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\DllPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Threading
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\TrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfEscapement
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOrientation
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfWeight
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfItalic
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfUnderline
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfStrikeOut
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfCharSet
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOutPrecision
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfClipPrecision
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfQuality
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfPitchAndFamily
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\lfFaceName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\iPointSize
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfFaceName
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iPointSize
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWrap
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iDefaultEncoding
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\StatusBar
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fSaveWindowPositions
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWindowsOnlyEOL
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fPasteOriginalEOL
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fReverse
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWrapAround
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fMatchCase
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\searchString
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\replaceString
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\szHeader
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\szTrailer
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginTop
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginBottom
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginLeft
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginRight
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosY
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosX
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosDX
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosDY
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fMLE_is_broken
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivationType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Server
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\DllPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Threading
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\TrustLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\RemoteServer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateAsUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInSharedBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInBrokerForMediumILContainer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Permissions
  • ntdll.dll.RtlWow64GetCurrentMachine
  • ntdll.dll.RtlWow64IsWowGuestMachineSupported
  • "C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"
  • "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
  • C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
  • C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  • Local\SM0:5060:304:WilStaging_02
  • Local\SM0:5060:120:WilError_03
  • Local\MSCTF.Asm.MutexDefault2
  • CicLoadWinStaWinSta0
  • Local\MSCTF.CtfMonitorInstMutexDefault2
  • Local\SM0:1820:304:WilStaging_02

No results found.

No behavioral analysis data available.

Sorry! No strace.
Sorry! No tracee.
Hosts
No hosts contacted.
TCP Connections
No TCP connections recorded.
UDP Connections
No UDP connections recorded.
DNS Requests
No domains contacted.
HTTP Requests
No HTTP(s) requests performed.
SMTP Traffic
No SMTP traffic performed.
IRC Traffic
No IRC requests performed.
ICMP Traffic
No ICMP traffic performed.
CIF Results
No CIF Results
Suricata Alerts
No Suricata Alerts
Suricata TLS
No Suricata TLS
Suricata HTTP
No Suricata HTTP
Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.