Analysis Report · CAPE Sandbox

Analysis Details

Category	Package	Started	Completed	Duration	Options	Logs
FILE	generic	2026-06-29 19:35:56	2026-06-29 19:36:45	49s
Reports	JSON

Options

vnc_port=5900

Analysis Log

2026-06-29 14:58:59,948 [root] INFO: Date set to: 20260629T19:36:00, timeout set to: 15
2026-06-29 19:36:00,470 [root] DEBUG: Starting analyzer from: C:\7d7wfxi0
2026-06-29 19:36:00,471 [root] DEBUG: Storing results at: C:\BxeBJc
2026-06-29 19:36:00,471 [root] DEBUG: Pipe server name: \\.\PIPE\QYkbIs
2026-06-29 19:36:00,471 [root] DEBUG: Python path: C:\Users\Rajesh\AppData\Local\Programs\Python\Python314
2026-06-29 19:36:00,472 [root] INFO: analysis running as an admin
2026-06-29 19:36:00,472 [root] DEBUG: no analysis package configured, picking one for you
2026-06-29 19:36:00,473 [root] INFO: analysis package selected: "generic"
2026-06-29 19:36:00,473 [root] DEBUG: importing analysis package module: "modules.packages.generic"...
2026-06-29 19:36:00,478 [root] DEBUG: imported analysis package "generic"
2026-06-29 19:36:00,479 [root] DEBUG: initializing analysis package "generic"...
2026-06-29 19:36:00,479 [lib.common.common] INFO: no wrapping
2026-06-29 19:36:00,480 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-29 19:36:00,480 [root] DEBUG: New location of moved file: C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
2026-06-29 19:36:00,481 [root] INFO: Analyzer: Package modules.packages.generic does not specify a dll option
2026-06-29 19:36:00,481 [root] INFO: Analyzer: Package modules.packages.generic does not specify a dll_64 option
2026-06-29 19:36:00,482 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader option
2026-06-29 19:36:00,482 [root] INFO: Analyzer: Package modules.packages.generic does not specify a loader_64 option
2026-06-29 19:36:00,733 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2026-06-29 19:36:00,745 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2026-06-29 19:36:00,785 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2026-06-29 19:36:01,132 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2026-06-29 19:36:01,139 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2026-06-29 19:36:01,139 [root] DEBUG: Initialized auxiliary module "Browser"
2026-06-29 19:36:01,140 [root] DEBUG: attempting to configure 'Browser' from data
2026-06-29 19:36:01,143 [root] DEBUG: module Browser does not support data configuration, ignoring
2026-06-29 19:36:01,144 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2026-06-29 19:36:01,159 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2026-06-29 19:36:01,159 [root] DEBUG: Initialized auxiliary module "DigiSig"
2026-06-29 19:36:01,160 [root] DEBUG: attempting to configure 'DigiSig' from data
2026-06-29 19:36:01,161 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2026-06-29 19:36:01,162 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2026-06-29 19:36:01,162 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2026-06-29 19:36:01,861 [modules.auxiliary.digisig] DEBUG: File has an invalid signature
2026-06-29 19:36:01,861 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2026-06-29 19:36:01,867 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2026-06-29 19:36:01,868 [root] DEBUG: Initialized auxiliary module "Disguise"
2026-06-29 19:36:01,868 [root] DEBUG: attempting to configure 'Disguise' from data
2026-06-29 19:36:01,868 [root] DEBUG: module Disguise does not support data configuration, ignoring
2026-06-29 19:36:01,869 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2026-06-29 19:36:01,881 [modules.auxiliary.disguise] INFO: Launched background process notepad.exe hidden (PID: 2624)
2026-06-29 19:36:01,886 [modules.auxiliary.disguise] INFO: Disguising GUID to aaf550a6-7a62-4bb8-9d95-1e7652f2d63b
2026-06-29 19:36:01,886 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2026-06-29 19:36:01,886 [root] DEBUG: Initialized auxiliary module "Human"
2026-06-29 19:36:01,887 [root] DEBUG: attempting to configure 'Human' from data
2026-06-29 19:36:01,887 [root] DEBUG: module Human does not support data configuration, ignoring
2026-06-29 19:36:01,887 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2026-06-29 19:36:01,903 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2026-06-29 19:36:01,903 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2026-06-29 19:36:01,903 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2026-06-29 19:36:01,904 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2026-06-29 19:36:01,904 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2026-06-29 19:36:01,906 [modules.auxiliary.tlsdump] WARNING: Unable to find lsass.exe process
2026-06-29 19:36:01,906 [root] DEBUG: Started auxiliary module modules.auxiliary.tlsdump
2026-06-29 19:36:08,392 [root] INFO: Restarting WMI Service
2026-06-29 19:36:10,567 [root] DEBUG: package modules.packages.generic does not support configure, ignoring
2026-06-29 19:36:10,569 [root] WARNING: configuration error for package modules.packages.generic: error importing data.packages.generic: No module named 'data.packages'
2026-06-29 19:36:10,570 [lib.core.compound] INFO: C:\Users\Rajesh\AppData\Local\Temp already exists, skipping creation
2026-06-29 19:36:10,573 [lib.api.process] INFO: Successfully executed process from path "C:\Windows\system32\cmd.exe" with arguments "/c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"" with pid 3792
2026-06-29 19:36:10,830 [lib.api.process] INFO: Monitor config for process 3792: C:\7d7wfxi0\dll\3792.ini
2026-06-29 19:36:10,847 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:10,875 [root] DEBUG: Loader: Injecting process 3792 (thread 2248) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:10,999 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:11,001 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:11,008 [lib.api.process] INFO: Injected into 64-bit <Process 3792 cmd.exe>
2026-06-29 19:36:13,028 [lib.api.process] INFO: Successfully resumed process with pid 3792
2026-06-29 19:36:13,310 [root] DEBUG: 3792: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:13,317 [root] DEBUG: 3792: Disabling sleep skipping.
2026-06-29 19:36:13,318 [root] DEBUG: 3792: Dropped file limit defaulting to 100.
2026-06-29 19:36:13,352 [root] DEBUG: 3792: YaraInit: Compiled 44 rule files
2026-06-29 19:36:13,357 [root] DEBUG: 3792: YaraInit: Compiled rules saved to file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:13,428 [root] DEBUG: 3792: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:13,430 [root] DEBUG: 3792: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-29 19:36:13,437 [root] DEBUG: 3792: YaraScan hit: FindFixAndRun
2026-06-29 19:36:13,439 [root] DEBUG: 3792: Monitor initialised: 64-bit capemon loaded in process 3792 at 0x00007FF9870C0000, thread 2248, image base 0x00007FF79A450000, stack from 0x000000F098A04000-0x000000F098B00000
2026-06-29 19:36:13,440 [root] DEBUG: 3792: Commandline: "C:\Windows\system32\cmd.exe" /c start /wait "" "C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"
2026-06-29 19:36:13,466 [root] DEBUG: 3792: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 19:36:13,535 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 19:36:13,536 [root] DEBUG: 3792: set_hooks: Unable to hook LockResource
2026-06-29 19:36:13,554 [root] DEBUG: 3792: Hooked 630 out of 631 functions
2026-06-29 19:36:13,561 [root] DEBUG: 3792: set_hooks_exe: Hooked FindFixAndRun at 0x00007FF79A45C620
2026-06-29 19:36:13,565 [root] DEBUG: 3792: Syscall hook installed, syscall logging level 1
2026-06-29 19:36:13,585 [root] DEBUG: 3792: RestoreHeaders: Restored original import table.
2026-06-29 19:36:13,586 [root] INFO: Loaded monitor into process with pid 3792
2026-06-29 19:36:13,588 [root] DEBUG: 3792: caller_dispatch: Added region at 0x00007FF79A450000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF79A4693C1, thread 2248).
2026-06-29 19:36:13,591 [root] DEBUG: 3792: YaraScan: Scanning 0x00007FF79A450000, size 0x6630a
2026-06-29 19:36:13,604 [root] DEBUG: 3792: ProcessImageBase: Main module image at 0x00007FF79A450000 unmodified (entropy change 0.000000e+00)
2026-06-29 19:36:13,634 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 19:36:13,637 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 19:36:13,657 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 19:36:13,676 [root] DEBUG: 3792: DLL loaded at 0x00007FF994050000: C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e\comctl32 (0x29a000 bytes).
2026-06-29 19:36:13,681 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A9D30000: C:\Windows\System32\SHCORE (0xad000 bytes).
2026-06-29 19:36:13,686 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A7A90000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-29 19:36:13,688 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-29 19:36:13,694 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\PROPSYS (0xf6000 bytes).
2026-06-29 19:36:13,717 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 19:36:13,752 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A8050000: C:\Windows\system32\profapi (0x1f000 bytes).
2026-06-29 19:36:13,922 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A8110000: C:\Windows\System32\CFGMGR32 (0x4e000 bytes).
2026-06-29 19:36:13,940 [root] DEBUG: 3792: DLL loaded at 0x00007FF993730000: C:\Windows\system32\edputil (0x24000 bytes).
2026-06-29 19:36:13,994 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A1300000: C:\Windows\System32\Windows.StateRepositoryPS (0x146000 bytes).
2026-06-29 19:36:14,016 [root] DEBUG: 3792: DLL loaded at 0x00007FF9903B0000: C:\Windows\System32\Windows.UI.AppDefaults (0x4c000 bytes).
2026-06-29 19:36:14,093 [root] DEBUG: 3792: DLL loaded at 0x00007FF99F680000: C:\Windows\system32\iertutil (0x2b0000 bytes).
2026-06-29 19:36:14,095 [root] DEBUG: 3792: DLL loaded at 0x00007FF99F650000: C:\Windows\system32\srvcli (0x28000 bytes).
2026-06-29 19:36:14,096 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A75F0000: C:\Windows\system32\netutils (0xc000 bytes).
2026-06-29 19:36:14,099 [root] DEBUG: 3792: DLL loaded at 0x00007FF99F930000: C:\Windows\system32\urlmon (0x1eb000 bytes).
2026-06-29 19:36:14,111 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A7200000: C:\Windows\system32\msvcp110_win (0x8a000 bytes).
2026-06-29 19:36:14,113 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A35E0000: C:\Windows\SYSTEM32\policymanager (0xa0000 bytes).
2026-06-29 19:36:14,148 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A4DC0000: C:\Windows\System32\wintypes (0x154000 bytes).
2026-06-29 19:36:14,163 [root] DEBUG: 3792: DLL loaded at 0x00007FF99E080000: C:\Windows\System32\Bcp47Langs (0x5c000 bytes).
2026-06-29 19:36:14,164 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6C60000: C:\Windows\System32\sppc (0x25000 bytes).
2026-06-29 19:36:14,166 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A6C90000: C:\Windows\System32\SLC (0x29000 bytes).
2026-06-29 19:36:14,167 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A7F80000: C:\Windows\System32\USERENV (0x2e000 bytes).
2026-06-29 19:36:14,168 [root] DEBUG: 3792: DLL loaded at 0x00007FF9971F0000: C:\Windows\System32\appresolver (0x90000 bytes).
2026-06-29 19:36:14,187 [root] DEBUG: 3792: DLL loaded at 0x00007FF99D480000: C:\Windows\System32\OneCoreCommonProxyStub (0x7d000 bytes).
2026-06-29 19:36:14,209 [root] DEBUG: 3792: DLL loaded at 0x00007FF99EEA0000: C:\Windows\System32\OneCoreUAPCommonProxyStub (0x798000 bytes).
2026-06-29 19:36:14,222 [lib.api.process] INFO: Monitor config for process 756: C:\7d7wfxi0\dll\756.ini
2026-06-29 19:36:14,227 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:14,241 [root] DEBUG: Loader: Injecting process 756 with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:14,250 [root] DEBUG: 756: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:14,251 [root] DEBUG: 756: Disabling sleep skipping.
2026-06-29 19:36:14,252 [root] DEBUG: 756: Dropped file limit defaulting to 100.
2026-06-29 19:36:14,256 [root] DEBUG: 756: Services hook set enabled
2026-06-29 19:36:14,262 [root] DEBUG: 756: YaraInit: Compiled rules loaded from existing file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:14,285 [root] DEBUG: 756: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:14,286 [root] DEBUG: 756: Monitor initialised: 64-bit capemon loaded in process 756 at 0x00007FF9870C0000, thread 1140, image base 0x00007FF69D480000, stack from 0x00000036AC4F4000-0x00000036AC500000
2026-06-29 19:36:14,288 [root] DEBUG: 756: Commandline: C:\Windows\system32\svchost.exe -k DcomLaunch -p
2026-06-29 19:36:14,313 [root] DEBUG: 756: Hooked 69 out of 69 functions
2026-06-29 19:36:14,316 [root] INFO: Loaded monitor into process with pid 756
2026-06-29 19:36:14,319 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2026-06-29 19:36:14,321 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:14,324 [lib.api.process] INFO: Injected into 64-bit <Process 756 svchost.exe>
2026-06-29 19:36:16,359 [root] DEBUG: 3792: CreateProcessHandler: Injection info set for new process 5060: C:\Windows\system32\NOTEPAD.EXE, ImageBase: 0x00007FF737DC0000
2026-06-29 19:36:16,361 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5060
2026-06-29 19:36:16,361 [lib.api.process] INFO: Monitor config for process 5060: C:\7d7wfxi0\dll\5060.ini
2026-06-29 19:36:16,366 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:16,378 [root] DEBUG: Loader: Injecting process 5060 (thread 3940) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,379 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:16,382 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,385 [lib.api.process] INFO: Injected into 64-bit <Process 5060 notepad.exe>
2026-06-29 19:36:16,388 [root] INFO: Announced 64-bit process name: notepad.exe pid: 5060
2026-06-29 19:36:16,389 [lib.api.process] INFO: Monitor config for process 5060: C:\7d7wfxi0\dll\5060.ini
2026-06-29 19:36:16,391 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:16,402 [root] DEBUG: Loader: Injecting process 5060 (thread 3940) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,403 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:16,404 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:16,407 [lib.api.process] INFO: Injected into 64-bit <Process 5060 notepad.exe>
2026-06-29 19:36:16,411 [root] DEBUG: 3792: DLL loaded at 0x00007FF998030000: C:\Windows\system32\MPR (0x1d000 bytes).
2026-06-29 19:36:16,412 [root] DEBUG: 3792: DLL loaded at 0x00007FF9A31D0000: C:\Windows\SYSTEM32\pcacli (0x16000 bytes).
2026-06-29 19:36:16,436 [root] DEBUG: 5060: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:16,437 [root] DEBUG: 5060: Dropped file limit defaulting to 100.
2026-06-29 19:36:16,450 [root] DEBUG: 5060: Disabling sleep skipping.
2026-06-29 19:36:16,453 [root] DEBUG: 5060: YaraInit: Compiled rules loaded from existing file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:16,538 [root] DEBUG: 5060: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:16,540 [root] DEBUG: 5060: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee
2026-06-29 19:36:16,545 [root] DEBUG: 5060: Monitor initialised: 64-bit capemon loaded in process 5060 at 0x00007FF9870C0000, thread 3940, image base 0x00007FF737DC0000, stack from 0x00000097E611F000-0x00000097E6130000
2026-06-29 19:36:16,546 [root] DEBUG: 5060: Commandline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
2026-06-29 19:36:16,568 [root] DEBUG: 5060: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 19:36:16,633 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 19:36:16,635 [root] DEBUG: 5060: set_hooks: Unable to hook LockResource
2026-06-29 19:36:16,650 [root] DEBUG: 5060: Hooked 630 out of 631 functions
2026-06-29 19:36:16,656 [root] DEBUG: 5060: Syscall hook installed, syscall logging level 1
2026-06-29 19:36:16,667 [root] DEBUG: 5060: RestoreHeaders: Restored original import table.
2026-06-29 19:36:16,668 [root] INFO: Loaded monitor into process with pid 5060
2026-06-29 19:36:16,679 [root] DEBUG: 5060: caller_dispatch: Added region at 0x00007FF737DC0000 to tracked regions list (ntdll::NtAllocateVirtualMemory returns to 0x00007FF737DE5842, thread 3940).
2026-06-29 19:36:16,681 [root] DEBUG: 5060: YaraScan: Scanning 0x00007FF737DC0000, size 0x392ee
2026-06-29 19:36:16,690 [root] DEBUG: 5060: ProcessImageBase: Main module image at 0x00007FF737DC0000 unmodified (entropy change 0.000000e+00)
2026-06-29 19:36:16,695 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 19:36:16,703 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 19:36:16,707 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A5B50000: C:\Windows\system32\uxtheme (0x9e000 bytes).
2026-06-29 19:36:16,714 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 19:36:16,725 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A06E0000: C:\Windows\System32\MrmCoreR (0xf5000 bytes).
2026-06-29 19:36:16,764 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A7A90000: C:\Windows\system32\Wldp (0x2c000 bytes).
2026-06-29 19:36:16,765 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A6230000: C:\Windows\SYSTEM32\windows.storage (0x790000 bytes).
2026-06-29 19:36:16,776 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A9A10000: C:\Windows\System32\MSCTF (0x115000 bytes).
2026-06-29 19:36:16,830 [root] DEBUG: 5060: DLL loaded at 0x00007FF998F00000: C:\Windows\system32\TextShaping (0xac000 bytes).
2026-06-29 19:36:16,854 [root] DEBUG: 5060: DLL loaded at 0x00007FF998030000: C:\Windows\System32\MPR (0x1d000 bytes).
2026-06-29 19:36:16,856 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A4DC0000: C:\Windows\SYSTEM32\wintypes (0x154000 bytes).
2026-06-29 19:36:16,857 [root] DEBUG: 5060: DLL loaded at 0x00007FF987B80000: C:\Windows\System32\efswrt (0xde000 bytes).
2026-06-29 19:36:16,867 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A10F0000: C:\Windows\System32\twinapi.appcore (0x201000 bytes).
2026-06-29 19:36:16,982 [root] DEBUG: 5060: DLL loaded at 0x00007FF992900000: C:\Windows\System32\oleacc (0x66000 bytes).
2026-06-29 19:36:17,099 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A6E00000: C:\Windows\SYSTEM32\ntmarta (0x33000 bytes).
2026-06-29 19:36:17,102 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A57F0000: C:\Windows\System32\CoreMessaging (0xf2000 bytes).
2026-06-29 19:36:17,103 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A5490000: C:\Windows\System32\CoreUIComponents (0x35e000 bytes).
2026-06-29 19:36:17,104 [root] DEBUG: 5060: DLL loaded at 0x00007FF99BC00000: C:\Windows\SYSTEM32\textinputframework (0xf9000 bytes).
2026-06-29 19:36:17,191 [root] DEBUG: 5060: DLL loaded at 0x00007FF99F680000: C:\Windows\system32\iertutil (0x2b0000 bytes).
2026-06-29 19:36:17,193 [root] DEBUG: 5060: DLL loaded at 0x00007FF99F650000: C:\Windows\system32\srvcli (0x28000 bytes).
2026-06-29 19:36:17,196 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A75F0000: C:\Windows\system32\netutils (0xc000 bytes).
2026-06-29 19:36:17,200 [root] DEBUG: 5060: DLL loaded at 0x00007FF99F930000: C:\Windows\system32\urlmon (0x1eb000 bytes).
2026-06-29 19:36:17,237 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A9450000: C:\Windows\System32\COMDLG32 (0xda000 bytes).
2026-06-29 19:36:17,244 [root] DEBUG: 5060: DLL loaded at 0x00007FF9A2720000: C:\Windows\system32\PROPSYS (0xf6000 bytes).
2026-06-29 19:36:27,999 [root] DEBUG: 756: CreateProcessHandler: Injection info set for new process 1820: C:\Windows\system32\wbem\wmiprvse.exe, ImageBase: 0x00007FF712FE0000
2026-06-29 19:36:28,001 [root] INFO: Announced 64-bit process name: WmiPrvSE.exe pid: 1820
2026-06-29 19:36:28,002 [lib.api.process] INFO: Monitor config for process 1820: C:\7d7wfxi0\dll\1820.ini
2026-06-29 19:36:28,251 [root] INFO: Analysis timeout hit, terminating analysis
2026-06-29 19:36:28,253 [lib.api.process] INFO: Terminate event set for process 3792
2026-06-29 19:36:28,254 [root] DEBUG: 3792: Terminate Event: Attempting to dump process 3792
2026-06-29 19:36:28,258 [root] DEBUG: 3792: VerifyCodeSection: Executable code does not match, 0xb620 of 0x30ef9 matching
2026-06-29 19:36:28,259 [root] DEBUG: 3792: DoProcessDump: Code modification detected, dumping Imagebase at 0x00007FF79A450000.
2026-06-29 19:36:28,261 [root] DEBUG: 3792: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2026-06-29 19:36:28,262 [root] DEBUG: 3792: DumpProcess: Instantiating PeParser with address: 0x00007FF79A450000.
2026-06-29 19:36:28,263 [root] DEBUG: 3792: DumpProcess: Module entry point VA is 0x00007FF79A468F50.
2026-06-29 19:36:28,286 [lib.common.results] INFO: Uploading file C:\BxeBJc\CAPE\3792_108242836230262026 to procdump\f4dd0d951a26f0fe9d8ea0afcbfb650ce05b3e9e3d31cfdc394da2f1fe8dc80d; Size is 401920; Max size: 100000000
2026-06-29 19:36:28,324 [root] DEBUG: 3792: DumpProcess: Module image dump success - dump size 0x62200.
2026-06-29 19:36:28,340 [root] DEBUG: 3792: Terminate Event: Shutdown complete for process 3792 but failed to inform analyzer.
2026-06-29 19:36:29,500 [lib.api.process] INFO: 64-bit DLL to inject is C:\7d7wfxi0\dll\XVaHDaL.dll, loader C:\7d7wfxi0\bin\OzgDrRsD.exe
2026-06-29 19:36:29,524 [root] DEBUG: Loader: Injecting process 1820 (thread 3596) with C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:29,527 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2026-06-29 19:36:29,530 [root] DEBUG: Successfully injected DLL C:\7d7wfxi0\dll\XVaHDaL.dll.
2026-06-29 19:36:29,535 [lib.api.process] INFO: Injected into 64-bit <Process 1820 WmiPrvSE.exe>
2026-06-29 19:36:29,561 [root] DEBUG: 1820: Python path set to 'C:\Users\Rajesh\AppData\Local\Programs\Python\Python314'.
2026-06-29 19:36:29,562 [root] DEBUG: 1820: Dropped file limit defaulting to 100.
2026-06-29 19:36:29,575 [root] DEBUG: 1820: Disabling sleep skipping.
2026-06-29 19:36:29,577 [root] DEBUG: 1820: YaraInit: Compiled rules loaded from existing file C:\7d7wfxi0\data\yara\capemon.yac
2026-06-29 19:36:29,608 [root] DEBUG: 1820: RtlInsertInvertedFunctionTable 0x00007FF9AAA0090E, LdrpInvertedFunctionTableSRWLock 0x00007FF9AAB5B4F0
2026-06-29 19:36:29,614 [root] DEBUG: 1820: YaraScan: Scanning 0x00007FF712FE0000, size 0x7dcfe
2026-06-29 19:36:29,624 [root] DEBUG: 1820: Monitor initialised: 64-bit capemon loaded in process 1820 at 0x00007FF9870C0000, thread 3596, image base 0x00007FF712FE0000, stack from 0x0000002D0E470000-0x0000002D0E480000
2026-06-29 19:36:29,626 [root] DEBUG: 1820: Commandline: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2026-06-29 19:36:29,653 [root] DEBUG: 1820: hook_api: LdrpCallInitRoutine export address 0x00007FF9AAA099BC obtained via GetFunctionAddress
2026-06-29 19:36:29,751 [root] WARNING: b'Unable to create trampoline for LockResource, hook type 2'
2026-06-29 19:36:29,754 [root] DEBUG: 1820: set_hooks: Unable to hook LockResource
2026-06-29 19:36:29,769 [root] DEBUG: 1820: Hooked 630 out of 631 functions
2026-06-29 19:36:29,777 [root] DEBUG: 1820: Syscall hook installed, syscall logging level 1
2026-06-29 19:36:29,789 [root] DEBUG: 1820: RestoreHeaders: Restored original import table.
2026-06-29 19:36:29,790 [root] INFO: Loaded monitor into process with pid 1820
2026-06-29 19:36:29,793 [root] DEBUG: 1820: caller_dispatch: Added region at 0x00007FF712FE0000 to tracked regions list (kernel32::SetUnhandledExceptionFilter returns to 0x00007FF712FF2CD1, thread 3596).
2026-06-29 19:36:29,795 [root] DEBUG: 1820: YaraScan: Scanning 0x00007FF712FE0000, size 0x7dcfe
2026-06-29 19:36:29,808 [root] DEBUG: 1820: ProcessImageBase: Main module image at 0x00007FF712FE0000 unmodified (entropy change 0.000000e+00)
2026-06-29 19:36:29,830 [root] DEBUG: 1820: DLL loaded at 0x00007FF9A6030000: C:\Windows\SYSTEM32\kernel.appcore (0x12000 bytes).
2026-06-29 19:36:29,833 [root] DEBUG: 1820: DLL loaded at 0x00007FF9A8700000: C:\Windows\System32\bcryptPrimitives (0x83000 bytes).
2026-06-29 19:36:29,855 [root] DEBUG: 1820: DLL loaded at 0x00007FF9A9600000: C:\Windows\System32\clbcatq (0xa9000 bytes).
2026-06-29 19:36:29,867 [root] DEBUG: 1820: DLL loaded at 0x00007FF97FC40000: C:\Windows\system32\wbem\wbemprox (0x11000 bytes).
2026-06-29 19:36:29,890 [root] DEBUG: 1820: DLL loaded at 0x00007FF97FC20000: C:\Windows\system32\wbem\wbemsvc (0x14000 bytes).
2026-06-29 19:36:29,955 [root] DEBUG: 1820: DLL loaded at 0x00007FF99E310000: C:\Windows\system32\wbem\wmiutils (0x28000 bytes).
2026-06-29 19:36:33,251 [lib.api.process] INFO: Termination confirmed for process 3792
2026-06-29 19:36:33,252 [root] INFO: Terminate event set for process 3792
2026-06-29 19:36:33,252 [lib.api.process] INFO: Terminate event set for process 756
2026-06-29 19:36:33,253 [root] DEBUG: 756: Terminate Event: Attempting to dump process 756
2026-06-29 19:36:33,255 [root] DEBUG: 756: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 19:36:33,260 [lib.api.process] INFO: Termination confirmed for process 756
2026-06-29 19:36:33,260 [root] DEBUG: 756: Terminate Event: monitor shutdown complete for process 756
2026-06-29 19:36:33,260 [root] INFO: Terminate event set for process 756
2026-06-29 19:36:33,261 [lib.api.process] INFO: Terminate event set for process 5060
2026-06-29 19:36:33,262 [root] DEBUG: 5060: Terminate Event: Attempting to dump process 5060
2026-06-29 19:36:33,264 [root] DEBUG: 5060: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 19:36:33,277 [root] DEBUG: 5060: Terminate Event: Shutdown complete for process 5060 but failed to inform analyzer.
2026-06-29 19:36:38,252 [lib.api.process] INFO: Termination confirmed for process 5060
2026-06-29 19:36:38,253 [root] INFO: Terminate event set for process 5060
2026-06-29 19:36:38,253 [lib.api.process] INFO: Terminate event set for process 1820
2026-06-29 19:36:38,254 [root] DEBUG: 1820: Terminate Event: Attempting to dump process 1820
2026-06-29 19:36:38,256 [root] DEBUG: 1820: DoProcessDump: Skipping process dump as code is identical on disk.
2026-06-29 19:36:38,265 [lib.api.process] INFO: Termination confirmed for process 1820
2026-06-29 19:36:38,266 [root] INFO: Terminate event set for process 1820
2026-06-29 19:36:38,266 [root] DEBUG: 1820: Terminate Event: monitor shutdown complete for process 1820
2026-06-29 19:36:38,266 [root] INFO: Created shutdown mutex
2026-06-29 19:36:39,276 [root] INFO: Shutting down package
2026-06-29 19:36:39,277 [root] INFO: Stopping auxiliary modules
2026-06-29 19:36:39,277 [root] INFO: Stopping auxiliary module: Browser
2026-06-29 19:36:39,278 [root] INFO: Stopping auxiliary module: Human
2026-06-29 19:36:39,699 [root] INFO: Finishing auxiliary modules
2026-06-29 19:36:39,700 [root] INFO: Shutting down pipe server and dumping dropped files
2026-06-29 19:36:39,705 [root] WARNING: Folder at path "C:\BxeBJc\debugger" does not exist, skipping
2026-06-29 19:36:39,709 [root] WARNING: Folder at path "C:\BxeBJc\tlsdump" does not exist, skipping
2026-06-29 19:36:39,711 [root] INFO: Analysis completed

Process Log

Pre-Script Log

During-Script Log

Machine Information

Name	Label	Manager	Started On	Shutdown On	Route
win10	win10	KVM	2026-06-29 19:35:56	2026-06-29 19:36:44	`internet`

File Details

File Information

File Name	rufus.ini
File Type	ASCII text, with CRLF line terminators
File Size	107 bytes
MD5	8a78a90f6c9c3b0da292006dd16b4cd1
SHA1	82c2a11d4ccba12662a05e3f60741338eba051a3
SHA256	eb5be587219b06d6b089f104095b98c119c73495a3e09c584b10d29defb112bd VT MWDB Bazaar
SHA3-384	b618a4c8b3a2dc0e9a983ff4171e854ce27f17a95e5409fb73874cb28eabcca7304d2feb1cf36e3c61f2253474e0830d
CRC32	324E6668
TLSH	T1F4B012183F062CB736F7121C7D4208813DEE8D274B0BA421A6CAAC82010EC07C35A904
Ssdeep	3:5HQAFoSzWx1jXDJiFIvJmyFMu67MKii8p6cv:5BlzWx1jlm8myF967MKEp6e

Tools: Extract: BinGraph Text

Extracted Text

Locale = en-US
CommCheck64 = 7277031
UpdateCheckInterval = -1
WindowsUserExperienceOptions = 385810517

Processing 2.15s

1.965s CAPE
0.152s BehaviorAnalysis
0.025s NetworkAnalysis
0.009s AnalysisInfo
0.001s Debug

Signatures 0.34s

0.108s antiav_detectreg
0.037s infostealer_ftp
0.037s territorial_disputes_sigs
0.023s antianalysis_detectreg
0.021s infostealer_im
0.012s antivm_vbox_keys
0.008s antivm_vmware_keys
0.007s antivm_parallels_keys
0.007s infostealer_mail
0.006s antivm_xen_keys
0.006s network_dns_url_shortener
0.006s ransomware_files
0.004s antiav_detectfile
0.004s antivm_generic_diskreg
0.004s antivm_vpc_keys
0.004s suspicious_tld
0.004s ransomware_extensions_known
0.004s suspicious_command_tools
0.004s uses_windows_utilities
0.003s network_dyndns
0.002s antianalysis_detectfile
0.002s antivm_bochs_keys
0.002s antivm_hyperv_keys
0.002s bypass_firewall
0.002s infostealer_bitcoin
0.002s masquerade_process_name
0.001s network_torgateway
0.001s antidebug_devices
0.001s antivm_generic_bios
0.001s antivm_vbox_files
0.001s antivm_vmware_files
0.001s ketrican_regkeys
0.001s browser_security
0.001s suspicious_browser_arguments
0.001s registry_credential_store_access
0.001s disables_backups
0.001s disables_browser_warn
0.001s disables_power_options
0.001s network_dns_opennic
0.001s network_dns_paste_site
0.001s network_dns_temp_file_storage
0.001s recon_fingerprint

Reporting 0.01s

0.009s JsonDump

Signatures

Network activity detected but not expressed in monitor API logs

ip: 108.177.15.94

ip: 64.233.167.101

ip: 142.251.14.94

ip: 142.251.16.94

ip: 172.253.157.95

ip: 151.101.206.172

ip: 20.190.159.23

domain: beacons.gcp.gvt2.com

Checks available memory

Queries the keyboard layout

Queries the computer locale (possible geofencing)

SetUnhandledExceptionFilter detected (possible anti-debug)

Checks system language via registry key (possible geofencing)

regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US

regkey: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US

Queries process token information to check for Administrator privileges or UAC elevation status

Queried the FIPS cryptography policy, can be used to adapt C2 network encryption or by legitimate encryption software

behavioral_fips_reconnaissance: ["notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'", "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\FipsAlgorithmPolicy'", "notepad.exe (PID: 5060) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\MDMEnabled'", "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'", "WmiPrvSE.exe (PID: 1820) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy'", "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\Enabled'", "cmd.exe (PID: 3792) probed FIPS encryption policy at 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy\\STE'"]

Queries the mount points and then resolves volume paths to enumerate storage devices

Creates a process in a suspended state, likely for injection

Queries registry mount points to identify historical or connected removable/network drives

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Generation

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Data

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Generation

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Data

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Generation

mount_point_key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Data

Created a process from a suspicious location

file: C:\Users\Rajesh\AppData\Local\Temp\rufus.ini

command: "C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"

Screenshots

Hosts

Direct	IP	Country Name	ASN
Y	108.177.15.94 [VT]	unknown	-
Y	64.233.167.101 [VT]	unknown	-
N	142.251.14.94 [VT]	unknown	-
Y	142.251.16.94 [VT]	unknown	-
Y	172.253.157.95 [VT]	unknown	-
Y	151.101.206.172 [VT]	unknown	-
Y	20.190.159.23 [VT]	unknown	-

DNS

Name	Response	Post-Analysis Lookup
beacons.gcp.gvt2.com [VT]	CNAME beacons-handoff.gcp.gvt2.com [VT] A 142.251.14.94 [VT]	142.251.14.94 [VT]

Summary

Accessed Files Modified Files Registry Keys Read Registry Keys Resolved APIs Executed Commands Mutexes

C:\Users\Rajesh\AppData\Local\Temp
C:\Users
C:\Users\Rajesh
C:\Users\Rajesh\AppData
C:\Users\Rajesh\AppData\Local
C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
C:\Windows\System32\kernel.appcore.dll
\Device\CNG
\Device\DeviceApi\CMApi
\??\MountPointManager
\??\PhysicalDrive0
C:\Windows\System32\wbem\WmiPrvSE.exe
C:\Windows\WindowsShell.Manifest
C:\Windows\System32\resources.pri
C:\Windows\Fonts\staticcache.dat
C:\Windows\System32\TextShaping.dll
C:\Windows\System32\uxtheme.dll.Config
C:\Windows\System32\uxtheme.dll
C:\Windows\System32\textinputframework.dll
C:\Windows\System32\CoreUIComponents.dll
C:\Windows\System32\CoreMessaging.dll
C:\Windows\System32\ntmarta.dll
C:\Windows\System32\urlmon.dll
C:\Windows\System32\iertutil.dll
C:\Windows\System32\srvcli.dll
C:\Windows\System32\netutils.dll
C:\Windows\system32
C:\Windows
C:\Windows\Globalization\Sorting\sortdefault.nls
\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM

\??\pipe\PIPE_EVENTROOT\CIMV2PROVIDERSUBSYSTEM

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Generation
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\IdentityType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ActivatableClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CustomAttributes
HKEY_CURRENT_USER\Software\Classes\Interface\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}
HKEY_CURRENT_USER\Software\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
HKEY_CURRENT_USER\Software\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\Elevation
HKEY_CURRENT_USER\Software\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{89BC3F49-F8D9-5103-BA13-DE497E609167}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}
HKEY_CURRENT_USER\Software\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\AppID
HKEY_CURRENT_USER\Software\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Scaling
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Mrt\_Merged
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\Software\Microsoft\Notepad
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfEscapement
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOrientation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfWeight
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfItalic
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfUnderline
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfStrikeOut
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfCharSet
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOutPrecision
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfClipPrecision
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfQuality
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfPitchAndFamily
HKEY_LOCAL_MACHINE\Software\Microsoft\Notepad\DefaultFonts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\lfFaceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\iPointSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfFaceName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iPointSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWrap
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iDefaultEncoding
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\StatusBar
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fSaveWindowPositions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWindowsOnlyEOL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fPasteOriginalEOL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fReverse
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWrapAround
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fMatchCase
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\searchString
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\replaceString
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\szHeader
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\szTrailer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginTop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginBottom
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginLeft
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginRight
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosY
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosX
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosDX
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosDY
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fMLE_is_broken
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\XAML
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XAML\OneCoreTransformsEnabledByDefault
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_CURRENT_USER\Software\Classes\AppID\NOTEPAD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\Interface\{C50898F6-C536-5F47-8583-8B2C2438A13B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{11659A23-5884-4D1B-9CF6-67D6F4F90B36}
HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\AppID
HKEY_CURRENT_USER\Software\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\NOTEPAD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\AppCompatClassName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
HKEY_CLASSES_ROOT\.ini
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ini\Content Type
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Consolas
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wmiprvse.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{F4BA59CC-2506-45AE-84C8-78EA8D7F9B3E}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{F4BA59CC-2506-45AE-84C8-78EA8D7F9B3E}\LocalServer32
HKEY_CLASSES_ROOT\CLSID\{F4BA59CC-2506-45AE-84C8-78EA8D7F9B3E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-100000000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-300300000000}\Generation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Data
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1e1ae7a-0000-0000-0000-10e008000000}\Generation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\IdentityType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ActivatableClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Resources.Core.ResourceManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfEscapement
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOrientation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfWeight
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfItalic
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfUnderline
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfStrikeOut
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfCharSet
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfOutPrecision
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfClipPrecision
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfQuality
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfPitchAndFamily
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\lfFaceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Notepad\DefaultFonts\iPointSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\lfFaceName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iPointSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWrap
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iDefaultEncoding
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\StatusBar
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fSaveWindowPositions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWindowsOnlyEOL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fPasteOriginalEOL
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fReverse
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fWrapAround
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fMatchCase
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\searchString
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\replaceString
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\szHeader
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\szTrailer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginTop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginBottom
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginLeft
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iMarginRight
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosY
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosX
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosDX
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\iWindowPosDY
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Notepad\fMLE_is_broken
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManager\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Security.EnterpriseData.ProtectionPolicyManagerPrivatePT\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.ApplicationModel.Core.CoreApplication\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Collections.PropertySet\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\XAML\OneCoreTransformsEnabledByDefault
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{c50898f6-c536-5f47-8583-8b2c2438a13b}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\RunBinaryControlHostProcessInSeparateAppContainer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ini\Content Type
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)

ntdll.dll.RtlWow64GetCurrentMachine
ntdll.dll.RtlWow64IsWowGuestMachineSupported

"C:\Users\Rajesh\AppData\Local\Temp\rufus.ini"
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
C:\Users\Rajesh\AppData\Local\Temp\rufus.ini
C:\Windows\system32\wbem\wmiprvse.exe -Embedding

Local\SM0:5060:304:WilStaging_02
Local\SM0:5060:120:WilError_03
Local\MSCTF.Asm.MutexDefault2
CicLoadWinStaWinSta0
Local\MSCTF.CtfMonitorInstMutexDefault2
Local\SM0:1820:304:WilStaging_02

No results found.

No behavioral analysis data available.

Sorry! No strace.

Sorry! No tracee.

Hosts (0)
DNS (0)

Hosts

No hosts contacted.

TCP Connections

No TCP connections recorded.

UDP Connections

No UDP connections recorded.

DNS Requests

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP Traffic

No SMTP traffic performed.

IRC Traffic

No IRC requests performed.

ICMP Traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.

No dropped files found.

Sorry! No process dumps.

Analysis Details

Options

Analysis Log

Process Log

Pre-Script Log

During-Script Log

Machine Information

File Details

File Information

Extracted Text

Statistics 2.50s

Signatures

Screenshots

Hosts

DNS

Summary

Hosts

TCP Connections

UDP Connections

DNS Requests

HTTP Requests

SMTP Traffic

IRC Traffic

ICMP Traffic

CIF Results

Suricata Alerts

Suricata TLS

Suricata HTTP