'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2016-11-08 22:34:52.679289 2016-11-08 22:37:54.857260 182 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2016-11-08 22:34:53 2016-11-08 22:37:54

File Details

File name e375ab29aa7148444e2a5fd2d27ba82cf2101a54.zip
File size 1158 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 CEFCEDAD
MD5 02a1175ada399e1d6b559846e70cf635
SHA1 e375ab29aa7148444e2a5fd2d27ba82cf2101a54
SHA256 852df2894a4243ded906b66659cf3d3b241ed546a57054947ef832efb5364b10
SHA512 4b01b5beb905e8d7d41ce436444242248fd256e4264c9cf1fe0d5eb0a6208999b06e75693378b998413395983166e7ca3a0e9316f9e1cb338de6f5bcf444b806
Ssdeep 24:95i3pBsNFrLmBIuYkcDFpdk9sZezdZ7jinHer4isqdn3:95i3pBsNFrLHuZgFosZezd5jxxsun3
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal Permalink
VirusTotal Scan Date: 2016-11-08 18:52:59
Detection Rate: 6/56 (Expand)

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=2, VT[1478644865]=100): Snort Events=1, AV Events=2
Total Score=125

SNORT EVENTS:
ET POLICY PE EXE or DLL Windows file download HTTP

CLAMAV DETECTED:
Sanesecurity.Malware.26447.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - NRV_F46A13_.js: Sanesecurity.Malware.26447.JsHeur.UNOFFICIAL FOUND

Dropped File/Buffer Yara Signatures:
bbb6f2788c01994c3287dbd629d9e20e2e0d3f4b [BUFFER]: shellcode

Signatures

antivm_queries_computername details
recon_fingerprint details
antivm_memory_available details
dumped_buffer details
creates_doc details
antivm_network_adapters details
antivm_vbox_files details
Windows_Proxy_Tinkering details
network_wscript_downloader details
persistence_ads details
antiav_detectfile details
exploit_heapspray details
malicious_document_urls details
network_document_file details
network_downloader_exe details
antivm_vbox_devices details
antivm_vbox_files details
modifies_files details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

0624c5c106a384d4_gizcrygs-7am0-fjp8-54bc-b316da93866b.thor

0701acb104ed950f_gizcrygs-7am0-fjp8-56b5-caae2e672f28.thor

6facd2a6c351bb97_gizcrygs-7am0-fjp8-7e32-9897a5d47d02.thor

e2abd93a6deaa4fa_gizcrygs-7am0-fjp8-137c-161c6582086d.thor

c874cc22a113737f_gizcrygs-7am0-fjp8-140a-6d5a9a43cd76.thor

83619f8ff8ca9666_gizcrygs-7am0-fjp8-4b67-27359cb6bce5.thor

b617839bf541ab10_gizcrygs-7am0-fjp8-43a2-a4930d690729.thor

c91ff84cb8132f74_gizcrygs-7am0-fjp8-12d4-5dd31b731d7e.thor

2536b304ab45a78e_gizcrygs-7am0-fjp8-e539-de733d013637.thor

d11969eaafa4a4b5_gizcrygs-7am0-fjp8-4e13-10016a4c2467.thor

166ff5458d1eca1c_gizcrygs-7am0-fjp8-f187-d11cfb0e1b9e.thor

5f6152006dc8a1ad_gizcrygs-7am0-fjp8-8292-468d7dea0a9c.thor

d7421b1cfee8755c_gizcrygs-7am0-fjp8-b132-ad40ccb50a41.thor

79cce9deedd8ec44_gizcrygs-7am0-fjp8-4f9b-0497b4f6714c.thor

b5ca179a9e2ccb85_gizcrygs-7am0-fjp8-542d-3ab9ec927538.thor

7837663c05feba53_gizcrygs-7am0-fjp8-8412-2276315340c4.thor

fc5d4127ce235608_gizcrygs-7am0-fjp8-5877-e85f16b9a1d9.thor

e12027c2ead87ebb_gizcrygs-7am0-fjp8-fdb9-bf5c368ffe55.thor

4cce188340d87876_gizcrygs-7am0-fjp8-bfd3-35d056577a86.thor

abc2f3d7fd4759d4_gizcrygs-7am0-fjp8-14a5-59eeb93d2eb3.thor

61df75707787548d_7tzc21z5[1]

5c8144e62d124ada_gizcrygs-7am0-fjp8-bfab-2059342c71f5.thor

4da4157a98209e40_gizcrygs-7am0-fjp8-869d-72ab9f76791d.thor

c3479fb3d5bd843e_gizcrygs-7am0-fjp8-deef-84e6f64172e3.thor

8f43eb5658647db8_gizcrygs-7am0-fjp8-0f6c-a2094c95d1f4.thor

0887bf4ce426d978_gizcrygs-7am0-fjp8-3110-5bee4baee7e8.thor

7ea56cce04754405_gizcrygs-7am0-fjp8-707a-89bfd28352f8.thor

780f821d76164512_gizcrygs-7am0-fjp8-1c26-5b9f411ce58c.thor

d04c48046b3b963f_gizcrygs-7am0-fjp8-b77d-acd9a66e1086.thor

2339febb888360d9_gizcrygs-7am0-fjp8-d8e8-ce966a8f25be.thor

6f489e0dbefc9357_gizcrygs-7am0-fjp8-a9d5-1c3892c9204a.thor

acd8c15ab7414550_gizcrygs-7am0-fjp8-2849-1ac97d75ea8f.thor

16e5148574eaf9e8_gizcrygs-7am0-fjp8-3329-de6041971fe1.thor

3ad772c8524434ee_gizcrygs-7am0-fjp8-1fa7-953de43c6004.thor

5e482b42a5f07463_gizcrygs-7am0-fjp8-b22b-34474420f84c.thor

541fc9d78c663c9c_gizcrygs-7am0-fjp8-0711-7573dd997e21.thor

1c4f31cf71804eb4_gizcrygs-7am0-fjp8-f23f-2af78f337714.thor

2f31037f0e55710d_gizcrygs-7am0-fjp8-218f-ea17568e63ee.thor

68c421b1026a450b_gizcrygs-7am0-fjp8-289b-37a251f9e3fc.thor

44ac3584915f9082_gizcrygs-7am0-fjp8-2dff-d12f593bd1c8.thor

7966572413bf936b_gizcrygs-7am0-fjp8-693c-31ae6a4f1b4b.thor

0675371405fe97a8_gizcrygs-7am0-fjp8-706f-5ff6d0b21259.thor

d515d8f922626e03_gizcrygs-7am0-fjp8-2bd3-44f1f8c2a125.thor

5d3f2c46bedda8a6_gizcrygs-7am0-fjp8-2025-9d37c6d53f40.thor

0a06122f8e2f0f36_gizcrygs-7am0-fjp8-f2f3-712e84fce801.thor

dbf241498ee34c9d_gizcrygs-7am0-fjp8-5805-a80c0ab119ed.thor

78ea61e2bc3025bb_gizcrygs-7am0-fjp8-2a02-f94cdc692b59.thor

d59cba2b44c9e5de_gizcrygs-7am0-fjp8-5531-ffa8f309ea90.thor

9e5ca5c7c8e718f8_gizcrygs-7am0-fjp8-8423-fc81c7324879.thor

4c15815823e028c0_gizcrygs-7am0-fjp8-7e32-6282e2d9d366.thor

9e3e9458f9382e73_gizcrygs-7am0-fjp8-ec56-676b892d0c08.thor

18ec29d24f2324e0_gizcrygs-7am0-fjp8-8096-711b41a977b0.thor

9cb1df3f2dd7a0fb_gizcrygs-7am0-fjp8-791e-0ef01902b52f.thor

54536cb5e41594ff_gizcrygs-7am0-fjp8-4e12-5204ce862d0e.thor

87a64b77ccea1a87__9_what_is.html

281525e7f6595dcc_gizcrygs-7am0-fjp8-7d1c-1b01e78c00ee.thor

NRV_F46A13_.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Windows\System32\wshom.ocx
  • C:\Users\Harry Dresden\AppData\Local\Temp\NRV_F46A13_.js
  • C:\Windows\System32\wscript.exe
  • C:\Windows\System32\msxml3.dll
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads\cleandesktop.py.txt
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\line.jpg
  • c:\Python27\Lib\test\keycert3.pem
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Desert.jpg
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\ZgfjvwOzskdomSa.txt
  • c:\Python27\include\intrcheck.h
  • c:\Python27\Lib\test\https_svn_python_org_root.pem
  • c:\Python27\Lib\test\ssl_cert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Fastest PDF Search and Index.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect your PDF files with AD RMS.bmp
  • c:\Python27\include\Python-ast.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\nor.js
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images\blank.gif
  • c:\Python27\include\pymacconfig.h
  • \\?\PIPE\browser
  • c:\Python27\include\pythonrun.h
  • c:\Python27\include\pymem.h
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\cacert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_over_bg.jpg
  • c:\6cdeacda242012e0e5b593e657\1040\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\1043\eula.rtf
  • c:\Python27\Lib\test\selfsigned_pythontestdotnet.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your mobile apps.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\Profile.xml
  • c:\Python27\include\pythread.h
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\gIXupfUedFRGQkkxIQ.doc
  • c:\6cdeacda242012e0e5b593e657\2070\eula.rtf
  • c:\Python27\include\iterobject.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Create PDF from Office-convert PDF to office.bmp
  • c:\6cdeacda242012e0e5b593e657\1042\eula.rtf
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  • c:\Python27\include\listobject.h
  • c:\Python27\Lib\test\keycert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\history.txt
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\nHRWXLmNpRr.docm
  • c:\6cdeacda242012e0e5b593e657\1044\eula.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Powerful Word Processor.bmp
  • c:\Python27\Lib\test\badcert.pem
  • c:\Python27\Lib\test\wrongcert.pem
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\mLcDAbyptAVJRncOt.docm
  • c:\Python27\include\Python.h
  • c:\6cdeacda242012e0e5b593e657\1045\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\1053\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\1041\eula.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View PDFs on mobile devices.bmp
  • c:\Python27\include\intobject.h
  • c:\Python27\include\pystate.h
  • c:\Python27\Lib\test\ssl_key.pem
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\UcqOzshCNma.docm
  • c:\Python27\Lib\test\keycert.passwd.pem
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\NuFcJuZyeQAwJX.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\version.xml
  • c:\6cdeacda242012e0e5b593e657\1036\eula.rtf
  • \\?\PIPE\wkssvc
  • c:\Python27\include\pymath.h
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Koala.jpg
  • c:\6cdeacda242012e0e5b593e657\1038\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\2052\eula.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\content_showbg.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\show_con_bg.jpg
  • c:\Python27\Lib\test\ssl_key.passwd.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Edit and reflow paragraphs in PDF files.bmp
  • c:\Python27\Lib\test\keycert2.pem
  • c:\Python27\include\py_curses.h
  • c:\Python27\Lib\test\keycert4.pem
  • c:\Python27\include\pyport.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Integrate PDF into your mobile apps.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_move_bg.jpg
  • c:\6cdeacda242012e0e5b593e657\1037\eula.rtf
  • c:\Python27\include\pystrcmp.h
  • c:\Python27\Lib\test\pycacert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\top_tb_bg.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ProfileRibbon.xml
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads\big-hero-6-2.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\tab.png
  • c:\6cdeacda242012e0e5b593e657\1046\eula.rtf
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  • c:\6cdeacda242012e0e5b593e657\1049\eula.rtf
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\McMjAsrLqWi.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal create pdf from scanner documents.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\history_winbg.jpg
  • c:\6cdeacda242012e0e5b593e657\3082\eula.rtf
  • c:\Python27\include\pystrtod.h
  • c:\Python27\Lib\test\badkey.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\DD_belatedPNG.js
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\iymEEadGHvJt.docx
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\qKxBUvAWjTJHw.pptx
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Design form fields easily.bmp
  • c:\Python27\Lib\test\nokia.pem
  • c:\rsyssxjnka\bin\cert.p12
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect Sensitive PDF Documents.bmp
  • \\?\PIPE\lsarpc
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\body_bg.jpg
  • c:\Python27\Lib\test\nullbytecert.pem
  • c:\Python27\Lib\test\dh1024.pem
  • c:\Python27\include\pymactoolbox.h
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  • c:\6cdeacda242012e0e5b593e657\1055\eula.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Edit and reflow paragraphs in PDF files.bmp
  • c:\Python27\Lib\test\sha256.pem
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View and annotate PDFs.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your application.bmp
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y\7tzc21z5[1]
  • C:\Users\Harry Dresden\AppData\Local\Temp\LE0Ap74Z.dll
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads\cleandesktop.py.txt
  • c:\6cdeacda242012e0e5b593e657\1044\_11_WHAT_is.html
  • c:\6cdeacda242012e0e5b593e657\1042\_9_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\line.jpg
  • c:\Python27\Lib\test\keycert3.pem
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Desert.jpg
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\ZgfjvwOzskdomSa.txt
  • c:\Python27\include\intrcheck.h
  • c:\Python27\Lib\test\https_svn_python_org_root.pem
  • c:\Python27\Lib\test\ssl_cert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Fastest PDF Search and Index.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect your PDF files with AD RMS.bmp
  • c:\Python27\include\Python-ast.h
  • c:\6cdeacda242012e0e5b593e657\1049\_14_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\nor.js
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images\blank.gif
  • c:\6cdeacda242012e0e5b593e657\1053\_15_WHAT_is.html
  • c:\Python27\include\pymacconfig.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Edit and reflow paragraphs in PDF files.bmp
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads\_2_WHAT_is.html
  • \\?\PIPE\browser
  • c:\Python27\include\pythonrun.h
  • c:\rsyssxjnka\bin\_2_WHAT_is.html
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\cacert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_over_bg.jpg
  • c:\6cdeacda242012e0e5b593e657\1040\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\1043\eula.rtf
  • c:\Python27\Lib\test\nullcert.pem
  • c:\Python27\Lib\test\selfsigned_pythontestdotnet.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your mobile apps.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\Profile.xml
  • c:\Python27\include\pythread.h
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\gIXupfUedFRGQkkxIQ.doc
  • c:\6cdeacda242012e0e5b593e657\2070\eula.rtf
  • c:\Python27\include\iterobject.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Create PDF from Office-convert PDF to office.bmp
  • c:\6cdeacda242012e0e5b593e657\1042\eula.rtf
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  • c:\Python27\include\listobject.h
  • c:\Python27\Lib\test\keycert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\history.txt
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\nHRWXLmNpRr.docm
  • c:\6cdeacda242012e0e5b593e657\1044\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\1046\_13_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Powerful Word Processor.bmp
  • c:\6cdeacda242012e0e5b593e657\1038\_6_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\_1_WHAT_is.html
  • c:\Python27\Lib\test\_0_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\_7_WHAT_is.html
  • c:\6cdeacda242012e0e5b593e657\2070\_18_WHAT_is.html
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\_1_WHAT_is.html
  • c:\Python27\Lib\test\badcert.pem
  • c:\Python27\Lib\test\wrongcert.pem
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\mLcDAbyptAVJRncOt.docm
  • c:\Python27\include\Python.h
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\_0_WHAT_is.html
  • c:\6cdeacda242012e0e5b593e657\1045\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\2052\_17_WHAT_is.html
  • c:\6cdeacda242012e0e5b593e657\1053\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\1041\eula.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View PDFs on mobile devices.bmp
  • c:\6cdeacda242012e0e5b593e657\1045\_12_WHAT_is.html
  • c:\Python27\include\intobject.h
  • c:\Python27\include\pystate.h
  • c:\Python27\Lib\test\ssl_key.pem
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\UcqOzshCNma.docm
  • c:\Python27\Lib\test\keycert.passwd.pem
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\NuFcJuZyeQAwJX.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\version.xml
  • c:\6cdeacda242012e0e5b593e657\1036\eula.rtf
  • \\?\PIPE\wkssvc
  • c:\Python27\include\pymath.h
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Koala.jpg
  • c:\6cdeacda242012e0e5b593e657\1038\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\2052\eula.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\content_showbg.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\show_con_bg.jpg
  • c:\Python27\Lib\test\ssl_key.passwd.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Edit and reflow paragraphs in PDF files.bmp
  • c:\Python27\Lib\test\keycert2.pem
  • c:\Python27\include\py_curses.h
  • c:\Python27\Lib\test\keycert4.pem
  • c:\6cdeacda242012e0e5b593e657\1043\_10_WHAT_is.html
  • c:\Python27\include\pyport.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_move_bg.jpg
  • c:\6cdeacda242012e0e5b593e657\1037\eula.rtf
  • c:\Python27\include\pystrcmp.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\_3_WHAT_is.html
  • c:\Python27\Lib\test\pycacert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\top_tb_bg.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ProfileRibbon.xml
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads\big-hero-6-2.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\tab.png
  • c:\6cdeacda242012e0e5b593e657\1046\eula.rtf
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  • c:\6cdeacda242012e0e5b593e657\1049\eula.rtf
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\McMjAsrLqWi.rtf
  • c:\6cdeacda242012e0e5b593e657\1055\_16_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal create pdf from scanner documents.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\history_winbg.jpg
  • c:\6cdeacda242012e0e5b593e657\3082\eula.rtf
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\_5_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\_6_WHAT_is.html
  • c:\Python27\include\pystrtod.h
  • c:\6cdeacda242012e0e5b593e657\1037\_5_WHAT_is.html
  • c:\6cdeacda242012e0e5b593e657\1036\_3_WHAT_is.html
  • c:\Python27\Lib\test\badkey.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\DD_belatedPNG.js
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\iymEEadGHvJt.docx
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\qKxBUvAWjTJHw.pptx
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Design form fields easily.bmp
  • c:\Python27\Lib\test\nokia.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\_4_WHAT_is.html
  • c:\rsyssxjnka\bin\cert.p12
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect Sensitive PDF Documents.bmp
  • \\?\PIPE\lsarpc
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\body_bg.jpg
  • c:\Python27\Lib\test\nullbytecert.pem
  • c:\Python27\include\pymem.h
  • c:\Python27\Lib\test\dh1024.pem
  • c:\Python27\include\pymactoolbox.h
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  • c:\6cdeacda242012e0e5b593e657\1055\eula.rtf
  • c:\6cdeacda242012e0e5b593e657\1041\_8_WHAT_is.html
  • c:\Python27\include\_4_WHAT_is.html
  • c:\Python27\Lib\test\sha256.pem
  • c:\6cdeacda242012e0e5b593e657\3082\_19_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  • c:\6cdeacda242012e0e5b593e657\1040\_7_WHAT_is.html
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Integrate PDF into your mobile apps.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View and annotate PDFs.bmp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your application.bmp
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
File-Opened
  • C:\Windows\System32\wshqos.dll
  • C:\Windows\System32\wshom.ocx
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\SysWOW64\rundll32.exe
  • C:\Windows\System32\en-US\wshqos.dll.mui
  • C:\Users\Harry Dresden\Desktop\desktop.ini
  • C:\Windows\System32\en-US\wshtcpip.dll.mui
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\System32\en-US\wship6.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\NRV_F46A13_.js
  • C:\Windows\System32\wscript.exe
  • C:\Windows\
  • C:\Windows\SysWOW64\
  • c:\Python27\Lib\ctypes
  • UNC\SHARDREALM\Users\Harry Dresden\Documents
  • c:\Users\Default\Links
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages
  • c:\Python27\include\pymacconfig.h
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\ZgfjvwOzskdomSa.txt
  • c:\Python27\Lib\site-packages\pip\_vendor\colorama
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources
  • c:\Python27\DLLs
  • c:\Python27\Lib\site-packages\pip\_vendor\cachecontrol
  • c:\rsyssxjnka\lib\api
  • UNC\SHARDREALM\Users\Harry Dresden\Favorites\Links for United States
  • c:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode
  • c:\ProgramData\Adobe\Setup
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\content_showbg.jpg
  • c:\ProgramData\Microsoft\Assistance\Client\1.0\en-US
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\packages
  • UNC\SHARDREALM\Users\Harry Dresden\OneDrive
  • c:\Users\Harry Dresden\OneDrive
  • c:\ProgramData\Microsoft\PlayReady\Cache\S-1-5-21-3416602863-1947377224-293699093-1001
  • c:\Users\Public\Libraries
  • \\?\PIPE\browser
  • c:\Python27\Lib\test\tracedmodules
  • c:\ProgramData\Adobe\ARM
  • c:\Python27\tcl\tcl8.5\tzdata\Indian
  • c:\Users\Public
  • c:\6cdeacda242012e0e5b593e657\1043\eula.rtf
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Queue
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource
  • c:\Python27\Lib
  • \??\VBoxMiniRdrDN
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\tab.png
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your mobile apps.bmp
  • c:\ProgramData
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • c:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}
  • c:\Python27\Lib\site-packages\pip
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\A5
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\A6
  • c:\Python27\Lib\ctypes\macholib
  • c:\ProgramData\Adobe\Acrobat\11.0\Replicate\Security
  • c:\6cdeacda242012e0e5b593e657\1042\eula.rtf
  • c:\inetpub\history\CFGHISTORY_0000000004\schema
  • c:\Python27\Lib\unittest\test
  • c:\ProgramData\Microsoft\PlayReady
  • c:\Python27\Lib\xml\dom
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00
  • c:\Python27\Lib\site-packages\pip\models
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\history.txt
  • UNC\SHARDREALM\Users\Public\Foxit Software
  • c:\ProgramData\Adobe\Acrobat\11.0\Replicate
  • c:\Python27\Tools\i18n
  • c:\Python27\tcl\tcl8\8.4
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog
  • c:\ProgramData\Microsoft\Crypto\Keys
  • UNC\SHARDREALM\Users\Public\Music\Sample Music
  • c:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319
  • c:\Python27\Lib\ctypes\test
  • c:\Users\Harry Dresden\Searches
  • c:\Python27\Lib\test\badcert.pem
  • c:\ProgramData\Adobe\ARM\S
  • c:\Python27\Lib\ensurepip
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\mLcDAbyptAVJRncOt.docm
  • UNC\SHARDREALM\Users
  • c:\Python27\tcl\tcl8.5\tzdata\Canada
  • c:\Python27\Lib\test\wrongcert.pem
  • c:\Users\Harry Dresden\Downloads
  • c:\ProgramData\Microsoft\eHome
  • c:\Python27\tcl\tk8.5\demos\images
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images
  • c:\Python27\Lib\test\cjkencodings
  • c:\inetpub\wwwroot\aspnet_client\system_web
  • UNC\SHARDREALM\Users\Public\Music
  • c:\Python27\tcl\tcl8.5\tzdata\America\Kentucky
  • c:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\UcqOzshCNma.docm
  • c:\Python27\Lib\test\keycert.passwd.pem
  • c:\Python27\tcl\tix8.4.3
  • c:\6cdeacda242012e0e5b593e657\1036\eula.rtf
  • c:\ProgramData\Microsoft\RAC\PublishedData
  • UNC\SHARDREALM\Users\Harry Dresden\Links
  • c:\inetpub\history\CFGHISTORY_0000000005
  • c:\inetpub\history\CFGHISTORY_0000000004
  • c:\inetpub\history\CFGHISTORY_0000000001
  • c:\inetpub\history\CFGHISTORY_0000000003
  • c:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204
  • c:\Users\Harry Dresden\Favorites\Links for United States
  • c:\Python27\Lib\lib2to3\tests\data\fixers
  • c:\Python27\tcl\tcl8.5\tzdata\US
  • c:\Python27\tcl\tcl8.5\tzdata
  • UNC\SHARDREALM\Users\Public\Videos
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal create pdf from scanner documents.bmp
  • c:\Python27\include\pyport.h
  • c:\6cdeacda242012e0e5b593e657\1045\eula.rtf
  • UNC\SHARDREALM\Users\Public\Documents
  • c:\Python27\Lib\email
  • c:\Python27\tcl\tix8.4.3\demos\samples
  • c:\Python27\Lib\lib-tk\test\test_tkinter
  • c:\6cdeacda242012e0e5b593e657\1053\eula.rtf
  • UNC\SHARDREALM\Users\Harry Dresden\Music
  • c:\Python27\Tools\webchecker
  • c:\Python27\tcl\tcl8.5\tzdata\America\North_Dakota
  • c:\Python27\Lib\test\crashers
  • c:\ProgramData\Microsoft\Windows Defender\LocalCopy
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ProfileRibbon.xml
  • c:\Users\Harry Dresden\Contacts
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\E0
  • c:\PerfLogs
  • UNC\SHARDREALM\Users\Public\Libraries
  • c:\
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\treebuilders
  • c:\Python27\tcl\tcl8\8.5
  • UNC\SHARDREALM\Users\Default\Desktop
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\DD_belatedPNG.js
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\history_winbg.jpg
  • c:\6cdeacda242012e0e5b593e657\3082\eula.rtf
  • c:\Python27\libs
  • c:\ProgramData\Microsoft\ClickToRun\MachineData
  • c:\Python27\include\pystrtod.h
  • c:\ProgramData\Microsoft\Assistance
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Results
  • c:\Users\Harry Dresden\Videos
  • c:\Python27\Lib\pydoc_data
  • UNC\SHARDREALM\Users\Default\Music
  • c:\ProgramData\Microsoft\Crypto\DSS
  • c:\ProgramData\Adobe\Acrobat
  • c:\Python27\tcl\tcl8.5\tzdata\Atlantic
  • c:\ProgramData\NovaTech Network\NovaBench\3.0.2.0
  • c:\ProgramData\Microsoft\Network
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\1A
  • c:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger
  • c:\Users\Default\Downloads
  • c:\Python27\Lib\xml
  • c:\Python27\tcl\tcl8.5\tzdata\Australia
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\17
  • c:\Python27\tcl\tk8.5
  • c:\ProgramData\Microsoft\PlayReady\Cache
  • c:\6cdeacda242012e0e5b593e657\3082
  • c:\Python27\Lib\site-packages\pip\compat
  • c:\Python27\Lib\test\leakers
  • c:\Python27\tcl\tcl8\8.4\platform
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images
  • c:\ProgramData\regid.1991-06.com.microsoft
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\filters
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00\x-none.16
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\DD
  • c:\Python27\Tools\pynche\X
  • c:\Python27\Tools\Scripts
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\35
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore
  • c:\Python27\Lib\test\nokia.pem
  • c:\6cdeacda242012e0e5b593e657\1040\eula.rtf
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\line.jpg
  • c:\Python27\tcl\tk8.5\images
  • c:\ProgramData\Microsoft\DRM
  • UNC\SHARDREALM\Users\Harry Dresden\Videos
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US
  • c:\Python27\Lib\idlelib\idle_test
  • c:\Python27\Lib\test\https_svn_python_org_root.pem
  • c:\Python27\include
  • c:\Python27\Lib\test\nullcert.pem
  • c:\Python27\Lib\site-packages\setuptools
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect your PDF files with AD RMS.bmp
  • c:\6cdeacda242012e0e5b593e657\1029
  • c:\6cdeacda242012e0e5b593e657\1028
  • c:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}
  • c:\Python27\Lib\site-packages\pip\commands
  • c:\Python27\Lib\lib2to3\tests\data\fixers\myfixes
  • c:\6cdeacda242012e0e5b593e657\1025
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us
  • UNC\SHARDREALM\Users\Default\Favorites
  • c:\Python27\Lib\email\test\data
  • c:\ProgramData\Microsoft\Windows Defender\Support
  • c:\ProgramData\WebEx\WebEx
  • c:\6cdeacda242012e0e5b593e657\2052
  • UNC\SHARDREALM\Users\Default\Saved Games
  • c:\Python27\tcl\tcl8.5\opt0.4
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases
  • c:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US
  • c:\Python27\tcl\tcl8.5\encoding
  • c:\ProgramData\Microsoft\Diagnosis\ETLLogs
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\gIXupfUedFRGQkkxIQ.doc
  • c:\Python27\Lib\msilib
  • c:\ProgramData\Microsoft\WwanSvc\Profiles
  • UNC\SHARDREALM\Users\Harry Dresden\Contacts
  • c:\rsyssxjnka\lib\common
  • c:\Python27\Lib\encodings
  • c:\Python27\Lib\site-packages\pip\_vendor\distlib\_backport
  • c:\ProgramData\Microsoft\Assistance\Client
  • UNC\SHARDREALM\Users\Default\Pictures
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\95
  • c:\6cdeacda242012e0e5b593e657\1046\eula.rtf
  • c:\Python27\Lib\site-packages\_markerlib
  • c:\ProgramData\Microsoft\Diagnosis\LocalTraceStore
  • c:\inetpub\custerr
  • c:\inetpub\custerr\en-US
  • c:\Python27\Lib\site-packages\pip\_vendor\cachecontrol\caches
  • c:\ProgramData\Microsoft\Crypto\RSA
  • c:\Python27\tcl\tk8.5\ttk
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\01
  • c:\Users\Default\Favorites
  • c:\inetpub\history
  • c:\ProgramData\Microsoft\Windows NT
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\chardet
  • c:\ProgramData\Microsoft\Vault
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData
  • UNC\SHARDREALM\Users\Harry Dresden\Pictures
  • c:\6cdeacda242012e0e5b593e657\2052\eula.rtf
  • C:\Windows\SysWOW64\en-US\VssTrace.DLL.mui
  • UNC\SHARDREALM\Users\Default\Videos
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages
  • UNC\SHARDREALM\Users\Harry Dresden
  • c:\ProgramData\Mozilla\logs
  • c:\ProgramData\Microsoft\Search\Data\Applications
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\70
  • c:\Python27\tcl\tcl8.5\tzdata\Mexico
  • c:\Python27\Lib\importlib
  • c:\ProgramData\Microsoft\Crypto
  • c:\ProgramData\NovaTech Network\NovaBench\3.0.2.0\media
  • c:\Python27\tcl\tcl8.5
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Koala.jpg
  • c:\Python27\tcl\tcl8.5\tzdata\Africa
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Create PDF from Office-convert PDF to office.bmp
  • c:\ProgramData\McAfee
  • c:\Python27\Lib\site-packages\pip\vcs
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Edit and reflow paragraphs in PDF files.bmp
  • c:\Python27\Lib\bsddb\test
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\43
  • c:\Python27\Lib\test\keycert2.pem
  • UNC\SHARDREALM\Users\Public\Recorded TV
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\F7
  • c:\Python27\include\py_curses.h
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\F3
  • c:\Python27\Lib\xml\parsers
  • c:\Python27\Lib\test\keycert4.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Integrate PDF into your mobile apps.bmp
  • c:\Python27\tcl\tcl8.5\msgs
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_move_bg.jpg
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Inbox
  • c:\rsyssxjnka\lib
  • c:\Users\Harry Dresden
  • c:\ProgramData\Microsoft\Windows Defender
  • c:\ProgramData\McAfee\MCLOGS\Common\jxpiinstall
  • c:\ProgramData\Microsoft\Windows Defender\Quarantine
  • c:\Users\Public\Favorites
  • c:\Python27\Lib\site-packages\pkg_resources\_vendor
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Penguins.jpg
  • c:\ProgramData\Microsoft\Office
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads\big-hero-6-2.jpg
  • UNC\SHARDREALM\Users\Public
  • c:\ProgramData\NovaTech Network\NovaBench
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Tulips.jpg
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\McMjAsrLqWi.rtf
  • c:\Python27\Lib\site-packages\pip\_vendor\_markerlib
  • c:\Python27\tcl\reg1.2
  • c:\Users\ruiner
  • c:\Python27\Lib\xml\etree
  • c:\ProgramData\Microsoft\Media Player
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl
  • c:\Users\Public\Videos\Sample Videos
  • UNC\SHARDREALM\Users\Harry Dresden\Favorites
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\01
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\util
  • c:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\qKxBUvAWjTJHw.pptx
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Design form fields easily.bmp
  • c:\Python27\tcl\tcl8.5\tzdata\Antarctica
  • c:\Python27\Lib\xml\sax
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\trie
  • c:\Users\Harry Dresden\Desktop
  • c:\Users\Public\Recorded TV
  • c:\ProgramData\Microsoft\Office\Heartbeat
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\42
  • c:\Python27\tcl\tcl8.5\tzdata\Etc
  • c:\Python27\Lib\bsddb
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\47
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\95
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups
  • c:\Python27\Lib\wsgiref
  • c:\6cdeacda242012e0e5b593e657\1044\eula.rtf
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\contrib
  • c:\ProgramData\Microsoft\User Account Pictures
  • c:\ProgramData\Sun\Java\Java Update
  • c:\Python27\Lib\test\sha256.pem
  • c:\Users
  • c:\rsyssxjnka\lib\core
  • c:\Users\Default\Saved Games
  • c:\Python27\Lib\site-packages\pip\_vendor\pkg_resources
  • c:\inetpub\history\CFGHISTORY_0000000005\schema
  • c:\inetpub
  • c:\Users\Default
  • c:\Python27\tcl\tcl8.5\tzdata\Pacific
  • c:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog
  • c:\Python27\tcl\tk8.5\msgs
  • c:\Python27\tcl\tcl8.5\tzdata\America
  • c:\ProgramData\Microsoft\Diagnosis\DownloadedSettings
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates\{98101498-C465-4F51-8751-D1919E97D29D}
  • c:\inetpub\wwwroot
  • c:\Python27\Lib\multiprocessing\dummy
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your application.bmp
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}
  • c:\ProgramData\Microsoft\MF
  • c:\Python27\Lib\test
  • c:\Python27\Lib\test\keycert3.pem
  • c:\Users\Public\Downloads
  • c:\Python27\Lib\site-packages
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage
  • c:\ProgramData\Microsoft\Device Stage\Task
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Fastest PDF Search and Index.bmp
  • c:\Python27\Lib\unittest
  • c:\6cdeacda242012e0e5b593e657\Graphics
  • c:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}
  • c:\Python27\Lib\test\capath
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images\blank.gif
  • c:\Recovery
  • c:\ProgramData\Microsoft\Device Stage
  • c:\Python27\tcl\tk8.5\demos
  • c:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18
  • UNC\SHARDREALM\Users\Public\Desktop
  • c:\ProgramData\Microsoft\Assistance\Client\1.0
  • c:\Python27\include\pythonrun.h
  • c:\ProgramData\Oracle
  • c:\Python27\Lib\distutils\tests
  • c:\Python27\Lib\logging
  • c:\ProgramData\Microsoft\RAC
  • c:\Python27\Lib\site-packages\pip\req
  • c:\Users\Harry Dresden\Links
  • c:\ProgramData\Microsoft\DeviceSync
  • c:\Python27\Doc
  • c:\Users\Public\Pictures
  • c:\Python27\tcl\tix8.4.3\demos\bitmaps
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\Profile.xml
  • c:\Python27\Lib\site-packages\pip\_vendor\requests
  • c:\Python27\Lib\compiler
  • c:\Python27\Scripts
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\47
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\42
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\17
  • c:\Users\Public\Recorded TV\Sample Media
  • c:\Python27\Lib\test\keycert.pem
  • c:\rsyssxjnka\modules\auxiliary
  • c:\Python27\tcl\dde1.3
  • c:\Python27\tcl\tcl8.5\tzdata\SystemV
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\nHRWXLmNpRr.docm
  • c:\ProgramData\NovaTech Network
  • \\?\PIPE\lsarpc
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Powerful Word Processor.bmp
  • UNC\SHARDREALM\Users\ruiner
  • c:\ProgramData\Sun\Java
  • c:\Python27\Lib\test\ssl_cert.pem
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js
  • c:\ProgramData\Microsoft\Diagnosis\AsimovUploader
  • c:\rsyssxjnka\modules\packages
  • c:\Python27\tcl\tcl8.5\tzdata\Chile
  • c:\ProgramData\Microsoft\ClickToRun\UserData
  • c:\Python27\Lib\test\xmltestdata
  • c:\ProgramData\Microsoft\WPD
  • c:\Python27\Lib\site-packages\pip\_vendor
  • c:\ProgramData\Sun
  • c:\Python27\include\Python.h
  • UNC\SHARDREALM\Users\Default\Documents
  • c:\6cdeacda242012e0e5b593e657\1041\eula.rtf
  • c:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View PDFs on mobile devices.bmp
  • c:\rsyssxjnka\modules
  • c:\Python27\include\pystate.h
  • c:\Users\Default\Desktop
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\1A
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\treewalkers
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\version.xml
  • c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}
  • c:\ProgramData\Microsoft\WwanSvc
  • \\?\PIPE\wkssvc
  • c:\ProgramData\Microsoft\Event Viewer\Views
  • c:\Python27\Lib\json\tests
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\serializer
  • c:\Python27\Tools
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\css
  • c:\ProgramData\Microsoft\IlsCache
  • c:\Python27\Lib\lib-tk
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Store
  • c:\ProgramData\Microsoft\Windows NT\MSFax\SentItems
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\nor.js
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00\en-us.16
  • c:\Python27\Lib\site-packages\pip\operations
  • c:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox
  • c:\Python27\Lib\site-packages\pip\_vendor\lockfile
  • c:\Python27\Lib\curses
  • c:\6cdeacda242012e0e5b593e657\1037\eula.rtf
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures
  • c:\Python27\include\pystrcmp.h
  • c:\Python27\Lib\test\pycacert.pem
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\top_tb_bg.jpg
  • c:\Python27\include\pymactoolbox.h
  • c:\Python27\Lib\test\badkey.pem
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Integration
  • c:\Users\Default\Music
  • c:\Python27\Lib\email\mime
  • c:\Users\Harry Dresden\Music
  • c:\6cdeacda242012e0e5b593e657\1053
  • c:\6cdeacda242012e0e5b593e657\1055
  • UNC\SHARDREALM\Users\Public\Favorites
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3
  • c:\Python27\tcl\tcl8.5\tzdata\Asia
  • UNC\SHARDREALM\Users\Public\Downloads
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\css
  • c:\Python27\Lib\multiprocessing
  • c:\Users\Default\Documents
  • c:\Python27\Tools\pynche
  • c:\Users\Public\Desktop
  • c:\ProgramData\Microsoft\User Account Pictures\Default Pictures
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads
  • c:\Python27\Lib\lib-tk\test\test_ttk
  • c:\Users\Harry Dresden\Documents
  • c:\ProgramData\McAfee\MCLOGS\Common
  • UNC\SHARDREALM\Users\Harry Dresden\Favorites\Links
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect Sensitive PDF Documents.bmp
  • c:\ProgramData\Microsoft\IdentityCRL
  • c:\ProgramData\WebEx\WebEx\12_1324
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\iymEEadGHvJt.docx
  • c:\Python27\Lib\site-packages\pip\utils
  • c:\Python27\Lib\distutils\command
  • c:\Users\Harry Dresden\Saved Games
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Edit and reflow paragraphs in PDF files.bmp
  • UNC\SHARDREALM\Users\Default
  • UNC\SHARDREALM\Users\Public\Recorded TV\Sample Media
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_over_bg.jpg
  • c:\Python27
  • c:\Python27\Lib\hotshot
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader
  • UNC\SHARDREALM\Users\Harry Dresden\Downloads\cleandesktop.py.txt
  • c:\Python27\Tools\versioncheck
  • c:\Python27\tcl\tcl8.5\tzdata\Arctic
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\F7
  • c:\Users\Public\Music
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\F3
  • c:\Python27\Lib\test\audiodata
  • c:\rsyssxjnka\bin\cert.p12
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Desert.jpg
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\treeadapters
  • c:\Python27\include\intrcheck.h
  • c:\ProgramData\Microsoft\Network\Connections
  • c:\Python27\Lib\sqlite3
  • c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
  • UNC\SHARDREALM\Users\Public\Pictures
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\43
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js
  • UNC\SHARDREALM\Users\Default\Downloads
  • UNC\SHARDREALM\Users\Default\Links
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
  • c:\ProgramData\Microsoft\Diagnosis
  • c:\Python27\Lib\distutils
  • c:\Python27\Lib\site-packages\pip\_vendor\pkg_resources\tests
  • c:\Python27\Lib\idlelib\Icons
  • c:\ProgramData\Microsoft\Device Stage\Device
  • c:\Python27\Lib\site-packages\pip\_vendor\distlib
  • c:\Python27\Lib\test\subprocessdata
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\35
  • c:\Python27\include\pymem.h
  • c:\inetpub\wwwroot\aspnet_client
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\cacert.pem
  • c:\ProgramData\Microsoft\Network\Downloader
  • c:\Users\Public\Foxit Software
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick
  • c:\ProgramData\Microsoft\Windows NT\MSScan
  • c:\Python27\Lib\lib2to3\tests
  • c:\Python27\Lib\site-packages\pip-7.0.1.dist-info
  • c:\Python27\Lib\test\selfsigned_pythontestdotnet.pem
  • c:\ProgramData\Microsoft OneDrive\setup
  • c:\ProgramData\Microsoft\Crypto\DSS\MachineKeys
  • c:\6cdeacda242012e0e5b593e657\2070\eula.rtf
  • c:\Python27\Lib\site-packages\pkg_resources
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement
  • c:\Python27\Lib\site-packages\setuptools-16.0.dist-info
  • c:\Python27\include\Python-ast.h
  • c:\Python27\tcl\tcl8.5\tzdata\Brazil
  • c:\Users\Harry Dresden\Favorites\Links
  • c:\Python27\Lib\test\imghdrdata
  • c:\Python27\include\iterobject.h
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates
  • UNC\SHARDREALM\Users\Harry Dresden\Saved Games
  • c:\ProgramData\Microsoft\RAC\Outbound
  • c:\inetpub\history\CFGHISTORY_0000000002
  • c:\Python27\include\listobject.h
  • c:\ProgramData\Microsoft\NetFramework
  • c:\ProgramData\Adobe\ARM\Reader_11.0.10
  • c:\ProgramData\Microsoft
  • c:\Users\Public\Pictures\Sample Pictures
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service
  • c:\Users\Default\Videos
  • c:\ProgramData\Microsoft\Search\Data
  • c:\Python27\tcl
  • c:\Python27\Lib\json
  • c:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US
  • c:\Python27\include\pythread.h
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement
  • c:\Python27\Lib\lib2to3\fixes
  • c:\Python27\tcl\tix8.4.3\bitmaps
  • c:\Python27\Lib\site-packages\setuptools\command
  • c:\6cdeacda242012e0e5b593e657
  • c:\Python27\tcl\tcl8.5\tzdata\America\Indiana
  • c:\6cdeacda242012e0e5b593e657\2070
  • c:\Users\Public\Videos
  • c:\Python27\Lib\test\decimaltestdata
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\DD
  • c:\ProgramData\Microsoft\Diagnosis\UIF
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\A6
  • c:\Python27\tcl\tcl8.5\tzdata\Europe
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\A5
  • c:\Python27\Lib\lib2to3
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default
  • c:\Python27\include\intobject.h
  • c:\ProgramData\Microsoft\Event Viewer
  • c:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
  • c:\Python27\Lib\test\ssl_key.pem
  • c:\ProgramData\Microsoft\ClickToRun
  • c:\Python27\tcl\tix8.4.3\pref
  • UNC\SHARDREALM\Users\Harry Dresden\Desktop\NuFcJuZyeQAwJX.rtf
  • c:\ProgramData\Adobe\ARM\S\5521
  • c:\Python27\tcl\tcl8.5\http1.0
  • c:\Python27\include\pymath.h
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start
  • c:\6cdeacda242012e0e5b593e657\1038\eula.rtf
  • c:\ProgramData\Adobe\Acrobat\11.0
  • c:\Python27\Lib\ensurepip\_bundled
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\show_con_bg.jpg
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us
  • c:\Python27\Lib\test\ssl_key.passwd.pem
  • c:\Users\Public\Music\Sample Music
  • c:\Python27\tcl\tcl8
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager
  • c:\Python27\Lib\lib2to3\tests\data
  • c:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\70
  • c:\ProgramData\Microsoft OneDrive
  • UNC\SHARDREALM\Users\Harry Dresden\Searches
  • c:\Python27\tcl\tcl8.5\tzdata\America\Argentina
  • c:\Recovery\015e7760-d44b-11e0-8947-954f09601788
  • c:\Python27\Lib\idlelib
  • c:\PerfLogs\Admin
  • c:\Python27\Lib\site-packages\pip\_vendor\progress
  • c:\Users\Harry Dresden\Pictures
  • c:\ProgramData\Microsoft\Diagnosis\Sideload
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\packages\ssl_match_hostname
  • c:\Users\Harry Dresden\Favorites
  • c:\ProgramData\Passmark
  • c:\Python27\Lib\lib-tk\test
  • c:\6cdeacda242012e0e5b593e657\1049\eula.rtf
  • c:\ProgramData\Adobe
  • c:\Users\Public\Foxit Software\Foxit Reader
  • c:\ProgramData\Microsoft\Search
  • c:\ProgramData\Passmark\PerformanceTest
  • UNC\SHARDREALM\Users\Public\Videos\Sample Videos
  • c:\ProgramData\Microsoft\NetFramework\BreadcrumbStore
  • c:\Python27\Lib\email\test
  • c:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}
  • c:\ProgramData\WebEx
  • c:\inetpub\wwwroot\msmq
  • c:\Python27\tcl\tix8.4.3\demos
  • c:\Python27\Lib\site-packages\pkg_resources\_vendor\packaging
  • c:\ProgramData\McAfee\MCLOGS
  • c:\Users\Default\Pictures
  • c:\6cdeacda242012e0e5b593e657\1049
  • c:\Users\Public\Documents
  • c:\6cdeacda242012e0e5b593e657\1046
  • c:\6cdeacda242012e0e5b593e657\1045
  • c:\6cdeacda242012e0e5b593e657\1044
  • c:\6cdeacda242012e0e5b593e657\1043
  • c:\6cdeacda242012e0e5b593e657\1042
  • c:\6cdeacda242012e0e5b593e657\1041
  • c:\6cdeacda242012e0e5b593e657\1040
  • c:\Python27\Lib\site-packages\pip\_vendor\packaging
  • c:\ProgramData\Microsoft\eHome\logs
  • c:\ProgramData\Microsoft\Windows Defender\Scans
  • c:\ProgramData\Microsoft\Windows NT\MSFax
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\body_bg.jpg
  • c:\Python27\Lib\test\nullbytecert.pem
  • c:\Python27\Lib\sqlite3\test
  • c:\Python27\Lib\test\dh1024.pem
  • c:\ProgramData\Mozilla
  • UNC\SHARDREALM\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
  • c:\6cdeacda242012e0e5b593e657\1055\eula.rtf
  • c:\rsyssxjnka\bin
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\E0
  • UNC\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View and annotate PDFs.bmp
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates
  • c:\Python27\Lib\lib2to3\pgen2
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History
  • c:\rsyssxjnka
  • c:\ProgramData\Microsoft\RAC\StateData
  • c:\6cdeacda242012e0e5b593e657\1038
  • c:\ProgramData\Microsoft\DRM\Server
  • c:\6cdeacda242012e0e5b593e657\1032
  • c:\6cdeacda242012e0e5b593e657\1033
  • c:\6cdeacda242012e0e5b593e657\1030
  • c:\6cdeacda242012e0e5b593e657\1031
  • c:\6cdeacda242012e0e5b593e657\1036
  • c:\6cdeacda242012e0e5b593e657\1037
  • c:\6cdeacda242012e0e5b593e657\1035
File-Moved
  • \\SHARDREALM\Users\Harry Dresden\Desktop\nHRWXLmNpRr.docm -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-A476-D14627E67AC3.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Fastest PDF Search and Index.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-F4E4-F3A7515F08AD.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View PDFs on mobile devices.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-A8F6-4D7CC1EC8604.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\show_con_bg.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-5263-6A426C9C6DE0.thor
  • c:\Python27\Lib\test\sha256.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-F2F3-712E84FCE801.thor
  • c:\Python27\Lib\test\ssl_key.passwd.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-54BC-B316DA93866B.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\McMjAsrLqWi.rtf -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-5ED3-20CD20A62557.thor
  • c:\Python27\include\pythonrun.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-5531-FFA8F309EA90.thor
  • c:\Python27\Lib\test\dh1024.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-8412-2276315340C4.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Integrate PDF into your mobile apps.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-D695-979A5EA22C52.thor
  • c:\Python27\include\Python.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-D8E8-CE966A8F25BE.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Koala.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-85EB-7FB61C0075B0.thor
  • c:\Python27\include\py_curses.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-1C26-5B9F411CE58C.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\iymEEadGHvJt.docx -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-FE11-B1E08043832D.thor
  • c:\Python27\include\listobject.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-3110-5BEE4BAEE7E8.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Penguins.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-CCBD-54653455DC68.thor
  • c:\Python27\Lib\test\wrongcert.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-707A-89BFD28352F8.thor
  • c:\6cdeacda242012e0e5b593e657\1053\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1053\GIZCRYGS-7AM0-FJP8-56B5-CAAE2E672F28.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\body_bg.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-C939-10AD359576E5.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect your PDF files with AD RMS.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-E6F1-FDADDB3CC42F.thor
  • \\SHARDREALM\Users\Harry Dresden\Downloads\cleandesktop.py.txt -> \\SHARDREALM\Users\Harry Dresden\Downloads\GIZCRYGS-7AM0-FJP8-18D8-D96CF71954E5.thor
  • c:\Python27\include\pyport.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-E539-DE733D013637.thor
  • c:\Python27\Lib\test\keycert.passwd.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-791E-0EF01902B52F.thor
  • c:\6cdeacda242012e0e5b593e657\1043\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1043\GIZCRYGS-7AM0-FJP8-0711-7573DD997E21.thor
  • c:\Python27\include\pythread.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-8096-711B41A977B0.thor
  • c:\Python27\Lib\test\pycacert.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-2BD3-44F1F8C2A125.thor
  • c:\Python27\Lib\test\ssl_key.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-8423-FC81C7324879.thor
  • c:\6cdeacda242012e0e5b593e657\1049\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1049\GIZCRYGS-7AM0-FJP8-4F9B-0497B4F6714C.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\line.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-10C6-32F4F5559AC0.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\gIXupfUedFRGQkkxIQ.doc -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-5434-024C65FABFBD.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Desert.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-4435-42C5085DCBE0.thor
  • c:\6cdeacda242012e0e5b593e657\1042\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1042\GIZCRYGS-7AM0-FJP8-706F-5FF6D0B21259.thor
  • c:\6cdeacda242012e0e5b593e657\1040\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1040\GIZCRYGS-7AM0-FJP8-BFAB-2059342C71F5.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ProfileRibbon.xml -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-6F2F-E7755B8FFBF1.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\version.xml -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\GIZCRYGS-7AM0-FJP8-C948-306A230488CD.thor
  • c:\6cdeacda242012e0e5b593e657\1037\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1037\GIZCRYGS-7AM0-FJP8-2025-9D37C6D53F40.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Protect Sensitive PDF Documents.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-664E-2B965A30F3BD.thor
  • c:\Python27\include\intobject.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-542D-3AB9EC927538.thor
  • c:\6cdeacda242012e0e5b593e657\1045\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1045\GIZCRYGS-7AM0-FJP8-DEEF-84E6F64172E3.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Design form fields easily.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-6A2A-382FCBC1A994.thor
  • c:\6cdeacda242012e0e5b593e657\1046\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1046\GIZCRYGS-7AM0-FJP8-BFD3-35D056577A86.thor
  • c:\Python27\include\pymath.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-B132-AD40CCB50A41.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-5E8F-1A51AA6519D4.thor
  • c:\Python27\include\Python-ast.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-12D4-5DD31B731D7E.thor
  • c:\6cdeacda242012e0e5b593e657\2052\eula.rtf -> c:\6cdeacda242012e0e5b593e657\2052\GIZCRYGS-7AM0-FJP8-137C-161C6582086D.thor
  • c:\Python27\Lib\test\keycert4.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-4E13-10016A4C2467.thor
  • c:\Python27\Lib\test\nullbytecert.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-3329-DE6041971FE1.thor
  • c:\rsyssxjnka\bin\cert.p12 -> c:\rsyssxjnka\bin\GIZCRYGS-7AM0-FJP8-140A-6D5A9A43CD76.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal create pdf from scanner documents.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-5D29-D694D7A58A16.thor
  • c:\6cdeacda242012e0e5b593e657\1038\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1038\GIZCRYGS-7AM0-FJP8-869D-72AB9F76791D.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\tab.png -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-8910-D73D357AE1F6.thor
  • c:\Python27\include\pystrtod.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-4B67-27359CB6BCE5.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\mLcDAbyptAVJRncOt.docm -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-055F-C915C35C24A4.thor
  • c:\Python27\Lib\test\keycert.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-1FA7-953DE43C6004.thor
  • c:\6cdeacda242012e0e5b593e657\3082\eula.rtf -> c:\6cdeacda242012e0e5b593e657\3082\GIZCRYGS-7AM0-FJP8-2A02-F94CDC692B59.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\history.txt -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\GIZCRYGS-7AM0-FJP8-AAA1-F00F2BE27DFA.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-58E1-B1F5836897B1.thor
  • c:\6cdeacda242012e0e5b593e657\1044\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1044\GIZCRYGS-7AM0-FJP8-7E32-6282E2D9D366.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_over_bg.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-5296-04FE59F1DEB7.thor
  • c:\Python27\Lib\test\selfsigned_pythontestdotnet.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-693C-31AE6A4F1B4B.thor
  • c:\Python27\Lib\test\nokia.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-5877-E85F16B9A1D9.thor
  • c:\Python27\Lib\test\badkey.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-8292-468D7DEA0A9C.thor
  • c:\Python27\include\pystrcmp.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-A9D5-1C3892C9204A.thor
  • c:\Python27\Lib\test\badcert.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-F23F-2AF78F337714.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Tulips.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-E0F1-8D339E5AA6DF.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\nor.js -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\GIZCRYGS-7AM0-FJP8-B8DD-BF87D37A7537.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\DD_belatedPNG.js -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\GIZCRYGS-7AM0-FJP8-A852-94C1662E1D03.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\NuFcJuZyeQAwJX.rtf -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-2EEA-D40C92F8C818.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Create PDF from Office-convert PDF to office.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-68ED-A670FC477E7A.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\ZgfjvwOzskdomSa.txt -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-E3A5-1BB14E388FB5.thor
  • c:\Python27\include\pystate.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-4E12-5204CE862D0E.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images\blank.gif -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images\GIZCRYGS-7AM0-FJP8-4E9D-B7B68F47815F.thor
  • c:\6cdeacda242012e0e5b593e657\1036\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1036\GIZCRYGS-7AM0-FJP8-FDB9-BF5C368FFE55.thor
  • c:\Python27\Lib\test\nullcert.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-218F-EA17568E63EE.thor
  • c:\Python27\include\pymacconfig.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-5805-A80C0AB119ED.thor
  • c:\6cdeacda242012e0e5b593e657\1041\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1041\GIZCRYGS-7AM0-FJP8-B22B-34474420F84C.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-A220-CFED54599395.thor
  • c:\6cdeacda242012e0e5b593e657\1055\eula.rtf -> c:\6cdeacda242012e0e5b593e657\1055\GIZCRYGS-7AM0-FJP8-F187-D11CFB0E1B9E.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\history_winbg.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-AB79-72FA5C72FBCB.thor
  • c:\Python27\include\pymem.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-0F6C-A2094C95D1F4.thor
  • \\SHARDREALM\Users\Harry Dresden\Downloads\big-hero-6-2.jpg -> \\SHARDREALM\Users\Harry Dresden\Downloads\GIZCRYGS-7AM0-FJP8-7136-7999788AED39.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\top_tb_bg.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-07B2-05A648C3609B.thor
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg -> \\SHARDREALM\Users\Public\Pictures\Sample Pictures\GIZCRYGS-7AM0-FJP8-2746-6D7D939391B2.thor
  • c:\Python27\Lib\test\keycert2.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-289B-37A251F9E3FC.thor
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\cacert.pem -> c:\Python27\Lib\site-packages\pip\_vendor\requests\GIZCRYGS-7AM0-FJP8-2849-1AC97D75EA8F.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\right_move_bg.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-1DC7-A34D33BA673D.thor
  • c:\Python27\Lib\test\https_svn_python_org_root.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-EC56-676B892D0C08.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\qKxBUvAWjTJHw.pptx -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-B738-44B4B8E2171A.thor
  • c:\Python27\include\iterobject.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-7D1C-1B01E78C00EE.thor
  • c:\Python27\Lib\test\keycert3.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-2DFF-D12F593BD1C8.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Powerful Word Processor.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-784D-E8BCC9A0DE09.thor
  • \\SHARDREALM\Users\Harry Dresden\Desktop\UcqOzshCNma.docm -> \\SHARDREALM\Users\Harry Dresden\Desktop\GIZCRYGS-7AM0-FJP8-2317-24BA302FFA7C.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\normal Edit and reflow paragraphs in PDF files.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-2238-132285614AE5.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\Profile.xml -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-7013-84EF852321D7.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon View and annotate PDFs.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-409F-B9C9C26253BC.thor
  • c:\6cdeacda242012e0e5b593e657\2070\eula.rtf -> c:\6cdeacda242012e0e5b593e657\2070\GIZCRYGS-7AM0-FJP8-43A2-A4930D690729.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\content_showbg.jpg -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\GIZCRYGS-7AM0-FJP8-859F-840CDE2D8D67.thor
  • c:\Python27\include\intrcheck.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-B77D-ACD9A66E1086.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Edit and reflow paragraphs in PDF files.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-7141-11536B023F0D.thor
  • c:\Python27\Lib\test\ssl_cert.pem -> c:\Python27\Lib\test\GIZCRYGS-7AM0-FJP8-7E32-9897A5D47D02.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your mobile apps.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-3875-FA2E8E2EC7CB.thor
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\ribbon Integrate PDF into your application.bmp -> \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\GIZCRYGS-7AM0-FJP8-4409-320537A63D69.thor
  • c:\Python27\include\pymactoolbox.h -> c:\Python27\include\GIZCRYGS-7AM0-FJP8-14A5-59EEB93D2EB3.thor
Network-Connects Host
  • fadyacor.com
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Caches
Directory-Enumerated
  • c:\Python27\Lib\site-packages\pip\*
  • c:\Python27\tcl\tcl8\8.5\*
  • c:\ProgramData\Sun\*
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\*
  • c:\Python27\tcl\tk8.5\demos\images\*
  • c:\Users\ruiner\*
  • c:\Recovery\015e7760-d44b-11e0-8947-954f09601788\*
  • c:\PerfLogs\*
  • c:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\*
  • c:\ProgramData\Passmark\*
  • c:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\*
  • c:\Python27\Tools\pynche\X\*
  • c:\Users\Public\Music\Sample Music\*
  • c:\Python27\Lib\importlib\*
  • c:\Python27\tcl\tcl8.5\http1.0\*
  • c:\Python27\Lib\bsddb\*
  • \\SHARDREALM\Users\Harry Dresden\Pictures\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\17\*
  • c:\inetpub\wwwroot\aspnet_client\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\43\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog\*
  • c:\Python27\Lib\site-packages\pip\_vendor\pkg_resources\tests\*
  • c:\Python27\tcl\tk8.5\ttk\*
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\*
  • c:\Users\Default\Saved Games\*
  • c:\Python27\tcl\tcl8.5\tzdata\Africa\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\*
  • c:\Python27\Tools\i18n\*
  • c:\ProgramData\Microsoft\ClickToRun\*
  • c:\Python27\Lib\site-packages\pip\_vendor\lockfile\*
  • c:\ProgramData\*
  • c:\6cdeacda242012e0e5b593e657\Graphics\*
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\treebuilders\*
  • c:\Python27\Lib\compiler\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\*
  • c:\Python27\Lib\unittest\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\35\*
  • c:\Python27\Lib\test\capath\*
  • c:\Users\Harry Dresden\OneDrive\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\*
  • c:\ProgramData\Adobe\Acrobat\11.0\*
  • c:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\*
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\*
  • c:\Python27\tcl\tcl8.5\*
  • c:\Python27\Lib\unittest\test\*
  • c:\inetpub\wwwroot\aspnet_client\system_web\4_0_30319\*
  • c:\Users\Public\Videos\Sample Videos\*
  • c:\ProgramData\Microsoft\Network\Connections\*
  • c:\Users\Public\Recorded TV\*
  • c:\Users\Harry Dresden\Contacts\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\42\*
  • c:\Python27\tcl\tk8.5\msgs\*
  • c:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\*
  • c:\Python27\tcl\tcl8.5\tzdata\Atlantic\*
  • c:\Python27\tcl\tcl8.5\tzdata\Europe\*
  • c:\ProgramData\WebEx\WebEx\*
  • c:\Python27\tcl\tk8.5\demos\*
  • c:\ProgramData\Microsoft\Windows Defender\*
  • c:\ProgramData\Microsoft\PlayReady\Cache\*
  • c:\Python27\Lib\site-packages\pip\_vendor\distlib\_backport\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\01\*
  • c:\inetpub\history\CFGHISTORY_0000000005\*
  • c:\Python27\tcl\tix8.4.3\demos\samples\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\SentItems\*
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\treewalkers\*
  • \\SHARDREALM\Users\Harry Dresden\Favorites\*
  • c:\ProgramData\Microsoft\PlayReady\Cache\S-1-5-21-3416602863-1947377224-293699093-1001\*
  • c:\6cdeacda242012e0e5b593e657\1037\*
  • c:\Python27\Lib\pydoc_data\*
  • c:\Users\Default\Pictures\*
  • \\SHARDREALM\Users\Default\Links\*
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\*
  • \\SHARDREALM\Users\Public\Music\*
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\serializer\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\95\*
  • c:\inetpub\custerr\*
  • c:\6cdeacda242012e0e5b593e657\1033\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\47\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\packages\*
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\*
  • \\SHARDREALM\Users\Harry Dresden\Links\*
  • c:\Python27\Scripts\*
  • c:\Users\Public\Desktop\*
  • \\SHARDREALM\Users\Harry Dresden\Videos\*
  • c:\ProgramData\Microsoft\Network\Downloader\*
  • c:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\*
  • c:\Python27\Tools\pynche\*
  • c:\Python27\Lib\email\test\*
  • c:\ProgramData\Mozilla\logs\*
  • c:\ProgramData\Microsoft\IdentityCRL\*
  • c:\ProgramData\Microsoft\WPD\*
  • c:\ProgramData\Microsoft\Diagnosis\LocalTraceStore\*
  • c:\ProgramData\Microsoft\Event Viewer\*
  • c:\Users\Harry Dresden\Favorites\Links for United States\*
  • c:\Users\Default\*
  • c:\ProgramData\Sun\Java\Java Update\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\17\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\43\*
  • c:\Python27\tcl\dde1.3\*
  • c:\Python27\Lib\ensurepip\_bundled\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\95\*
  • c:\PerfLogs\Admin\*
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\treeadapters\*
  • c:\Python27\Lib\idlelib\*
  • c:\Python27\Lib\site-packages\pip\models\*
  • c:\inetpub\*
  • \\SHARDREALM\Users\Harry Dresden\Music\*
  • c:\Users\Harry Dresden\Saved Games\*
  • c:\inetpub\wwwroot\msmq\*
  • c:\ProgramData\Microsoft\DRM\*
  • c:\ProgramData\Microsoft\Crypto\RSA\*
  • c:\rsyssxjnka\modules\auxiliary\*
  • c:\rsyssxjnka\modules\packages\*
  • c:\6cdeacda242012e0e5b593e657\1025\*
  • c:\Python27\Lib\test\crashers\*
  • c:\ProgramData\Microsoft\Search\Data\Applications\*
  • c:\Python27\Lib\ctypes\test\*
  • c:\Users\Public\Libraries\*
  • c:\ProgramData\Microsoft\Device Stage\*
  • \\SHARDREALM\Users\Harry Dresden\Searches\*
  • c:\ProgramData\Microsoft\Windows NT\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\01\*
  • c:\Python27\Lib\site-packages\setuptools-16.0.dist-info\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\*
  • \\SHARDREALM\Users\Public\Videos\Sample Videos\*
  • c:\Python27\Lib\xml\etree\*
  • c:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\F3\*
  • c:\Python27\Lib\test\*
  • c:\ProgramData\Adobe\Acrobat\11.0\Replicate\Security\*
  • \\SHARDREALM\Users\Public\Libraries\*
  • c:\Python27\Lib\ctypes\macholib\*
  • c:\Python27\Lib\msilib\*
  • c:\Python27\Lib\site-packages\pip\_vendor\distlib\*
  • \\SHARDREALM\Users\Harry Dresden\Desktop\*
  • c:\6cdeacda242012e0e5b593e657\1035\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\DD\*
  • \\SHARDREALM\Users\Harry Dresden\Contacts\*
  • c:\ProgramData\Adobe\ARM\S\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\70\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\*
  • c:\Users\Default\Videos\*
  • c:\ProgramData\McAfee\MCLOGS\Common\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\js\*
  • c:\Users\Default\Documents\*
  • c:\6cdeacda242012e0e5b593e657\1031\*
  • c:\Python27\tcl\tcl8.5\tzdata\Pacific\*
  • \\SHARDREALM\Users\*
  • c:\Python27\tcl\tcl8.5\tzdata\America\North_Dakota\*
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\*
  • c:\Python27\tcl\tcl8.5\tzdata\Etc\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\DD\*
  • c:\ProgramData\Adobe\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\*
  • c:\inetpub\history\CFGHISTORY_0000000001\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\chardet\*
  • \\SHARDREALM\Users\Default\Music\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\A6\*
  • c:\Python27\Lib\site-packages\pip\_vendor\pkg_resources\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\*
  • \\SHARDREALM\Users\Default\Favorites\*
  • c:\Python27\Tools\webchecker\*
  • c:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\A5\*
  • c:\ProgramData\Adobe\Acrobat\11.0\Replicate\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\*
  • c:\rsyssxjnka\*
  • c:\ProgramData\NovaTech Network\NovaBench\*
  • \\SHARDREALM\Users\Public\Music\Sample Music\*
  • c:\Users\Harry Dresden\Favorites\Links\*
  • c:\ProgramData\Microsoft\Assistance\*
  • c:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\*
  • c:\inetpub\wwwroot\*
  • c:\Users\Harry Dresden\*
  • c:\Python27\tcl\tcl8.5\tzdata\Antarctica\*
  • c:\Python27\Lib\site-packages\pip\_vendor\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\E0\*
  • c:\ProgramData\Adobe\ARM\S\5521\*
  • \\SHARDREALM\Users\Public\Foxit Software\*
  • c:\Users\Public\Downloads\*
  • c:\6cdeacda242012e0e5b593e657\2070\*
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00\x-none.16\*
  • c:\Python27\Lib\test\cjkencodings\*
  • c:\ProgramData\Microsoft\Assistance\Client\1.0\*
  • c:\ProgramData\Microsoft\Windows Defender\Support\*
  • c:\Python27\Lib\site-packages\pip\operations\*
  • \\SHARDREALM\Users\Harry Dresden\*
  • c:\ProgramData\Microsoft\MF\*
  • c:\6cdeacda242012e0e5b593e657\1029\*
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\Integration\ShortcutBackups\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\1A\*
  • c:\Python27\Lib\distutils\tests\*
  • c:\ProgramData\Microsoft\Office\*
  • c:\Users\Public\Music\*
  • c:\ProgramData\Microsoft\ClickToRun\MachineData\*
  • c:\6cdeacda242012e0e5b593e657\1045\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\css\*
  • c:\Users\Harry Dresden\Desktop\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\*
  • c:\ProgramData\Microsoft\Crypto\*
  • \\SHARDREALM\Users\Public\Recorded TV\Sample Media\*
  • c:\Users\Public\Pictures\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\42\*
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\*
  • c:\Python27\include\*
  • c:\Python27\Lib\lib2to3\tests\data\fixers\*
  • c:\Python27\Lib\encodings\*
  • c:\Python27\Lib\site-packages\setuptools\*
  • c:\Python27\Lib\test\tracedmodules\*
  • c:\ProgramData\Microsoft\DRM\Server\*
  • c:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\*
  • c:\Python27\tcl\tcl8.5\tzdata\SystemV\*
  • c:\6cdeacda242012e0e5b593e657\1049\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\*
  • c:\Users\Harry Dresden\Music\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\*
  • c:\Python27\tcl\tcl8.5\tzdata\Mexico\*
  • c:\ProgramData\Microsoft\RAC\*
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\*
  • c:\ProgramData\Microsoft\WwanSvc\*
  • c:\Python27\tcl\tcl8.5\tzdata\Arctic\*
  • c:\ProgramData\Oracle\*
  • c:\rsyssxjnka\lib\common\*
  • c:\ProgramData\NovaTech Network\NovaBench\3.0.2.0\media\*
  • c:\ProgramData\Microsoft\Windows Defender\Quarantine\*
  • \\SHARDREALM\Users\Default\Pictures\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Queue\*
  • c:\ProgramData\Microsoft\RAC\Outbound\*
  • c:\ProgramData\WebEx\*
  • c:\inetpub\history\CFGHISTORY_0000000003\*
  • c:\Python27\Lib\site-packages\setuptools\command\*
  • c:\Python27\tcl\tcl8.5\tzdata\Indian\*
  • c:\ProgramData\Microsoft\Event Viewer\Views\*
  • c:\Users\Default\Favorites\*
  • c:\*
  • c:\Users\Default\Desktop\*
  • \\SHARDREALM\Users\Default\Desktop\*
  • c:\ProgramData\Microsoft\eHome\logs\*
  • c:\ProgramData\Microsoft\Network\*
  • c:\Python27\tcl\tcl8.5\tzdata\America\Kentucky\*
  • \\SHARDREALM\Users\Harry Dresden\Favorites\Links\*
  • c:\Python27\Lib\lib-tk\test\test_ttk\*
  • c:\Python27\tcl\tcl8.5\tzdata\US\*
  • c:\ProgramData\Microsoft\ClickToRun\UserData\*
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00\*
  • c:\Users\Public\Pictures\Sample Pictures\*
  • c:\Python27\tcl\tcl8.5\msgs\*
  • c:\6cdeacda242012e0e5b593e657\1041\*
  • c:\Users\Default\Downloads\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\packages\ssl_match_hostname\*
  • c:\Users\Harry Dresden\Links\*
  • \\SHARDREALM\Users\Harry Dresden\Favorites\Links for United States\*
  • c:\Python27\DLLs\*
  • \\SHARDREALM\Users\Default\Documents\*
  • c:\ProgramData\Microsoft\User Account Pictures\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\contrib\*
  • c:\Python27\tcl\tcl8.5\tzdata\Asia\*
  • c:\Users\Harry Dresden\Downloads\*
  • c:\Python27\tcl\tcl8.5\opt0.4\*
  • c:\ProgramData\Mozilla\*
  • c:\Users\Public\Videos\*
  • c:\Python27\tcl\tcl8\8.4\*
  • c:\6cdeacda242012e0e5b593e657\1055\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\70\*
  • c:\rsyssxjnka\lib\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\*
  • c:\Python27\Tools\versioncheck\*
  • c:\Python27\tcl\reg1.2\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\F7\*
  • c:\Python27\Lib\xml\dom\*
  • c:\Python27\Lib\lib2to3\tests\data\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\*
  • c:\Python27\tcl\tcl8.5\encoding\*
  • c:\ProgramData\McAfee\*
  • c:\ProgramData\Microsoft\Diagnosis\AsimovUploader\*
  • c:\ProgramData\Microsoft\Diagnosis\ETLLogs\ShutdownLogger\*
  • c:\ProgramData\Microsoft\User Account Pictures\Default Pictures\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\47\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\*
  • \\SHARDREALM\Users\Public\Documents\*
  • c:\Python27\Lib\xml\parsers\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\*
  • c:\6cdeacda242012e0e5b593e657\1038\*
  • c:\Python27\tcl\tix8.4.3\*
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\trie\*
  • c:\Python27\tcl\tcl8.5\tzdata\Canada\*
  • c:\ProgramData\NovaTech Network\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\*
  • c:\Python27\tcl\tcl8\*
  • c:\6cdeacda242012e0e5b593e657\1053\*
  • c:\Users\Default\Music\*
  • c:\Python27\Lib\test\decimaltestdata\*
  • c:\Python27\Lib\test\xmltestdata\*
  • \\SHARDREALM\Users\Public\Desktop\*
  • c:\ProgramData\Passmark\PerformanceTest\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\*
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases\*
  • \\SHARDREALM\Users\Harry Dresden\OneDrive\*
  • c:\ProgramData\Adobe\ARM\*
  • c:\ProgramData\Microsoft\Diagnosis\ETLLogs\*
  • \\SHARDREALM\Users\Harry Dresden\Documents\*
  • c:\6cdeacda242012e0e5b593e657\2052\*
  • c:\Python27\Lib\logging\*
  • c:\ProgramData\Microsoft\eHome\*
  • c:\Users\Public\*
  • c:\6cdeacda242012e0e5b593e657\1043\*
  • c:\Python27\Lib\site-packages\*
  • c:\rsyssxjnka\modules\*
  • c:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\*
  • c:\ProgramData\Microsoft\Diagnosis\UIF\*
  • c:\Users\Harry Dresden\Searches\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\advertisement\*
  • c:\Python27\tcl\tk8.5\*
  • \\SHARDREALM\Users\Public\*
  • c:\Python27\Lib\xml\sax\*
  • c:\ProgramData\Microsoft\Device Stage\Device\*
  • c:\ProgramData\Microsoft\Vault\*
  • c:\rsyssxjnka\lib\core\*
  • c:\Users\Default\Links\*
  • c:\Python27\Lib\json\tests\*
  • c:\Python27\libs\*
  • c:\6cdeacda242012e0e5b593e657\1028\*
  • c:\Python27\Lib\lib-tk\test\test_tkinter\*
  • c:\ProgramData\Microsoft OneDrive\*
  • c:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\*
  • c:\Python27\Lib\ctypes\*
  • c:\Users\Public\Recorded TV\Sample Media\*
  • \\SHARDREALM\Users\Harry Dresden\Downloads\*
  • c:\Python27\*
  • c:\ProgramData\Microsoft\Crypto\DSS\*
  • c:\ProgramData\Microsoft\Diagnosis\Sideload\*
  • c:\Python27\Lib\email\*
  • c:\ProgramData\Microsoft\Search\Data\*
  • c:\Users\Harry Dresden\Documents\*
  • c:\ProgramData\Adobe\Setup\*
  • c:\Python27\Lib\distutils\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\*
  • c:\ProgramData\Microsoft\Device Stage\Task\*
  • c:\Users\*
  • \\SHARDREALM\Users\Public\Favorites\*
  • c:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AB0000000001}\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\tpl\*
  • c:\Python27\Lib\sqlite3\*
  • c:\ProgramData\Sun\Java\*
  • c:\ProgramData\Microsoft\NetFramework\*
  • c:\ProgramData\Microsoft\Crypto\Keys\*
  • c:\Python27\Lib\site-packages\pip\_vendor\cachecontrol\*
  • c:\Python27\Lib\bsddb\test\*
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates\{98101498-C465-4F51-8751-D1919E97D29D}\*
  • c:\ProgramData\NovaTech Network\NovaBench\3.0.2.0\*
  • \\SHARDREALM\Users\ruiner\*
  • c:\Recovery\*
  • c:\Users\Public\Foxit Software\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\A6\*
  • c:\inetpub\history\CFGHISTORY_0000000002\*
  • c:\Python27\Lib\site-packages\pip\req\*
  • c:\Users\Harry Dresden\Videos\*
  • \\SHARDREALM\Users\Default\Downloads\*
  • c:\inetpub\wwwroot\aspnet_client\system_web\*
  • c:\Python27\tcl\tcl8.5\tzdata\Australia\*
  • c:\Users\Harry Dresden\Pictures\*
  • c:\ProgramData\Microsoft\DeviceSync\*
  • c:\ProgramData\WebEx\WebEx\12_1324\*
  • c:\ProgramData\Microsoft\Office\Heartbeat\*
  • c:\Python27\Lib\lib2to3\tests\data\fixers\myfixes\*
  • c:\Python27\Tools\Scripts\*
  • c:\Python27\Lib\hotshot\*
  • \\SHARDREALM\Users\Public\Videos\*
  • c:\ProgramData\Microsoft\*
  • c:\ProgramData\Microsoft\PlayReady\*
  • c:\Python27\Lib\site-packages\pip\utils\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\*
  • c:\Python27\tcl\tcl8.5\tzdata\Brazil\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\*
  • c:\Python27\Lib\site-packages\pkg_resources\_vendor\packaging\*
  • c:\Python27\Lib\lib2to3\*
  • c:\Python27\tcl\tcl8.5\tzdata\America\Argentina\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\E0\*
  • c:\ProgramData\Microsoft\WwanSvc\Profiles\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\*
  • c:\Python27\Lib\test\subprocessdata\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick\*
  • c:\Python27\Lib\site-packages\pip-7.0.1.dist-info\*
  • c:\Python27\Lib\site-packages\pip\_vendor\progress\*
  • c:\Users\Public\Foxit Software\Foxit Reader\*
  • c:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode\*
  • c:\ProgramData\Microsoft\Windows NT\MSFax\Inbox\*
  • c:\Python27\Lib\xml\*
  • c:\ProgramData\Microsoft\Search\*
  • c:\ProgramData\Microsoft\IlsCache\*
  • c:\Python27\tcl\tk8.5\images\*
  • e:\*
  • c:\Python27\Lib\sqlite3\test\*
  • c:\ProgramData\McAfee\MCLOGS\*
  • c:\Python27\Lib\ensurepip\*
  • c:\Python27\Lib\idlelib\Icons\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\*
  • c:\Python27\Lib\test\imghdrdata\*
  • c:\ProgramData\Microsoft\ClickToRun\ProductReleases\9E1D94D2-471F-4DC3-9EBD-E31E1E099E00\en-us.16\*
  • c:\ProgramData\Microsoft\Diagnosis\*
  • c:\6cdeacda242012e0e5b593e657\*
  • \\SHARDREALM\Users\Default\Saved Games\*
  • c:\Python27\tcl\tcl8.5\tzdata\America\*
  • c:\Python27\Lib\site-packages\pkg_resources\_vendor\*
  • c:\6cdeacda242012e0e5b593e657\1030\*
  • \\SHARDREALM\Users\Default\Videos\*
  • c:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\*
  • \\SHARDREALM\Users\Public\Downloads\*
  • c:\ProgramData\Microsoft\RAC\PublishedData\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\*
  • c:\Python27\Lib\multiprocessing\dummy\*
  • c:\Python27\Lib\email\mime\*
  • c:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\*
  • c:\Python27\tcl\tix8.4.3\demos\bitmaps\*
  • c:\Users\Public\Documents\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\35\*
  • c:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\*
  • c:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\*
  • c:\Python27\Lib\lib-tk\*
  • c:\Users\Harry Dresden\Favorites\*
  • c:\Python27\Doc\*
  • c:\Python27\Lib\curses\*
  • c:\Python27\Lib\lib2to3\pgen2\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\1A\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\A5\*
  • c:\ProgramData\Adobe\Acrobat\*
  • c:\Python27\Lib\*
  • c:\inetpub\history\CFGHISTORY_0000000004\schema\*
  • c:\Python27\tcl\tix8.4.3\demos\*
  • \\SHARDREALM\Users\Public\Pictures\Sample Pictures\*
  • c:\6cdeacda242012e0e5b593e657\1042\*
  • c:\Python27\Lib\test\audiodata\*
  • c:\inetpub\history\CFGHISTORY_0000000004\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\*
  • c:\Python27\tcl\tcl8.5\tzdata\*
  • c:\Python27\Lib\site-packages\pip\_vendor\_markerlib\*
  • c:\Python27\tcl\tcl8\8.4\platform\*
  • c:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\css\*
  • c:\Python27\Lib\site-packages\pip\vcs\*
  • c:\6cdeacda242012e0e5b593e657\1046\*
  • c:\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\Default\*
  • c:\Python27\tcl\tix8.4.3\pref\*
  • c:\Python27\Lib\site-packages\pip\compat\*
  • \\SHARDREALM\Users\Public\Pictures\*
  • c:\Python27\Lib\json\*
  • c:\Python27\Lib\lib2to3\fixes\*
  • c:\ProgramData\Microsoft\Windows Defender\LocalCopy\*
  • c:\ProgramData\Microsoft\Assistance\Client\*
  • c:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\*
  • \\SHARDREALM\Users\Default\*
  • c:\Python27\Lib\test\leakers\*
  • \\SHARDREALM\Users\Harry Dresden\Saved Games\*
  • c:\ProgramData\Microsoft\Media Player\*
  • c:\ProgramData\McAfee\MCLOGS\Common\jxpiinstall\*
  • c:\Python27\Lib\site-packages\pip\_vendor\html5lib\filters\*
  • c:\Python27\Tools\*
  • c:\6cdeacda242012e0e5b593e657\1044\*
  • c:\6cdeacda242012e0e5b593e657\1036\*
  • c:\inetpub\history\*
  • c:\6cdeacda242012e0e5b593e657\1032\*
  • c:\rsyssxjnka\bin\*
  • c:\Python27\tcl\tcl8.5\tzdata\Chile\*
  • c:\Python27\Lib\site-packages\pip\_vendor\packaging\*
  • \\SHARDREALM\Users\Public\Recorded TV\*
  • c:\ProgramData\Microsoft\Windows NT\MSScan\*
  • c:\Python27\Lib\email\test\data\*
  • c:\Python27\tcl\tix8.4.3\bitmaps\*
  • c:\Python27\Lib\site-packages\pip\_vendor\colorama\*
  • c:\Python27\Lib\lib2to3\tests\*
  • c:\ProgramData\regid.1991-06.com.microsoft\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\F7\*
  • c:\ProgramData\Microsoft OneDrive\setup\*
  • c:\inetpub\history\CFGHISTORY_0000000005\schema\*
  • c:\Python27\Lib\site-packages\pip\_vendor\cachecontrol\caches\*
  • c:\Python27\Lib\distutils\command\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\*
  • c:\Python27\tcl\*
  • c:\Python27\Lib\site-packages\pip\commands\*
  • c:\Python27\Lib\site-packages\pkg_resources\*
  • c:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\F3\*
  • c:\Python27\Lib\multiprocessing\*
  • c:\Python27\Lib\wsgiref\*
  • c:\6cdeacda242012e0e5b593e657\3082\*
  • c:\Users\Public\Favorites\*
  • c:\Python27\Lib\lib-tk\test\*
  • c:\Python27\Lib\site-packages\pip\_vendor\requests\packages\urllib3\util\*
  • c:\ProgramData\Microsoft\RAC\StateData\*
  • c:\Python27\tcl\tcl8.5\tzdata\America\Indiana\*
  • c:\Python27\Lib\site-packages\_markerlib\*
  • \\SHARDREALM\Users\Public\Foxit Software\Foxit Reader\StartPage\start\en_us\images\*
  • c:\Python27\Lib\idlelib\idle_test\*
  • c:\ProgramData\Adobe\ARM\Reader_11.0.10\*
  • c:\inetpub\custerr\en-US\*
  • c:\rsyssxjnka\lib\api\*
  • c:\ProgramData\Microsoft\Windows Defender\Definition Updates\*
  • c:\6cdeacda242012e0e5b593e657\1040\*
Registry Key-Opened
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\http\
  • HKEY_CURRENT_USER\Software
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CLASSES_ROOT\.js
  • HKEY_LOCAL_MACHINE\Software\Policies
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\control\NetworkProvider\HwOrder
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RDPNP\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag\VssapiPublisher
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MiniNT
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Safeboot\Option
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider
  • HKEY_CURRENT_USER\Network\E
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\Control\NetworkProvider\Notifyees
  • HKEY_CURRENT_USER\Network
  • HKEY_PERFORMANCE_DATA\(Default)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\InheritConsoleHandles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cer\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InitFolderHandler
  • HKEY_CURRENT_USER\Directory\AlwaysShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PreCreate
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\Content Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADODB.Stream\CLSID\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\*
  • HKEY_CURRENT_USER\Directory\NeverShowExt
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.chm\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\AlwaysShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParsingName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\PROCESSOR_ARCHITECTURE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1806
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\NeverShowExt
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\FolderTypeID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.crt\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableUTF8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Description
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Roamable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PreCreate
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Security
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.ade\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation\AllowedReservedCharacters
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
  • HKEY_CURRENT_USER\Directory\DocObject
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSXML2.XMLHTTP\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bas\(Default)
  • HKEY_CURRENT_USER\Directory\BrowseInPlace
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Name
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\DelegateExecute
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cpl\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\InheritConsoleHandles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\AlwaysShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResource
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.adp\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\InitFolderHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\NoWorkingDirectory
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.cmd\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1806
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
  • HKEY_CURRENT_USER\Directory\IsShortcut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win64\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.asp\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\SetWorkingDirectoryFromTarget
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\NeverShowExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\IsShortcut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\NeverShowExt
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\Name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\Class
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\Class
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\WebClient\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider\Class
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\Name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\Name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder\ProviderOrder
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\ProviderPath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VBoxSF\NetworkProvider\name
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LanmanWorkstation\NetworkProvider\Class
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
Mutex-Accessed
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Windows\System32\wscript.exe" C:\Users\HARRYD~1\AppData\Local\Temp\NRV_F46A13_.js PID: 2008, Parent PID: 3656

"C:\Windows\SysWOW64\rundll32.exe" C:\Users\HARRYD~1\AppData\Local\Temp\LE0Ap74Z.dll,0001 PID: 3060, Parent PID: 2008

Volatility

Nothing to display.