Sliver RAT Surfaces as Routine Logging Utility


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-10-27 10:20:09 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
ma76us.exe
Type
PE32+ executable (GUI) x86-64, for MS Windows
SHA‑1
9105961c97f514df3471139d28d5b044fc179568
MD5
c7e788a3aa0eb75d0e5f7fca6b09d56c
First Seen
2025-09-14 13:34:00.870709
Last Analysis
2025-09-15 07:15:22.389711
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-11 09:41:17 UTC First VirusTotal submission
2025-09-19 06:45:29 UTC Latest analysis snapshot 7 days, 21 hours, 4 minutes
2025-10-27 10:20:09 UTC Report generation time 46 days, 0 hours, 38 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 55. Missed: 18. Coverage: 75.3%.

Detected Vendors

  • Xcitium
  • +54 additional vendors (names not provided)

List includes Xcitium plus an additional 54 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • google_safebrowsing
  • Jiangmin
  • MaxSecure
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • TrendMicro
  • ViRobot
  • Yandex
  • Zillya
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (57.89% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 22 57.89%
Process 9 23.68%
File System 5 13.16%
Synchronization 1 2.63%
Hooking 1 2.63%

MITRE ATT&CK Mapping

  • T1129 – link function at runtime on Windows
  • T1129 – parse PE header
  • T1129 – access PEB ldr_data
  • T1082 – get number of processors
  • T1129 – link many functions at runtime
  • T1083 – enumerate files on Windows
  • T1083 – get file size
  • T1082 – query environment variable
  • T1562 – Tries to unhook or modify Windows functions monitored by CAPE
  • T1055 – Writes an executable to the memory of another process
  • T1055 – Contains .tls (Thread Local Storage) section
  • T1055 – Writes to the memory another process
  • T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
  • T1027 – The binary likely contains encrypted or compressed data
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary likely contains encrypted or compressed data
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1082 – Checks available memory
  • T1057 – Expresses interest in specific running processes
  • T1057 – Enumerates running processes
  • T1071 – Terminates another process
  • T1071 – Reads from the memory of another process
  • T1071 – Attempts to connect to a dead IP:Port
  • T1071 – Reads data out of its own binary image
  • T1071 – Suspicious communication with abused trusted site
  • T1573 – Establishes an encrypted HTTPS connection
  • T1005 – Searches for sensitive browser data
  • T1016 – Queries a host’s domain name
  • T1027.002 – Creates a page with write and execute permissions
  • T1047 – Queries OS version via WMI
  • T1047 – Collects hardware properties
  • T1047 – Tries to detect the presence of antivirus software
  • T1055 – Writes into the memory of another process
  • T1055.012 – Process Hollowing
  • T1056 – Combination of other detections shows multiple input capture behaviors
  • T1057 – Enumerates running processes
  • T1071.001 – Downloads file
  • T1082 – Enumerates running processes
  • T1082 – Queries OS version via WMI
  • T1082 – Collects hardware properties
  • T1083 – Searches for sensitive browser data
  • T1083 – Possibly does reconnaissance
  • T1105 – Downloads file
  • T1113 – Takes screenshot
  • T1115 – Captures clipboard data
  • T1119 – Searches for sensitive browser data
  • T1119 – Combination of other detections shows multiple input capture behaviors
  • T1518.001 – Tries to detect the presence of antivirus software
  • T1552.001 – Searches for sensitive browser data
  • T1564.003 – Creates process with hidden window
  • T1140 – Detected an attempt to pull out some data from the binary image
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1129 – access PEB ldr_data
  • T1129 – link function at runtime on Windows
  • T1129 – parse PE header
  • T1082 – get number of processors
  • T1129 – link many functions at runtime
  • T1083 – enumerate files on Windows
  • T1082 – query environment variable
  • T1083 – get file size
  • T1063 – It Tries to detect injection methods
  • T1047 – Queries BIOS Information (via WMI, Win32_Bios)
  • T1055 – Injects a PE file into a foreign processes
  • T1055 – Writes to foreign memory regions
  • T1055 – Allocates memory in foreign processes
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1027 – Binary may include packed or crypted data
  • T1027.002 – Binary may include packed or crypted data
  • T1027.002 – PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
  • T1057 – Queries a list of all running processes
  • T1082 – Queries the cryptographic machine GUID
  • T1082 – Queries BIOS Information (via WMI, Win32_Bios)
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1005 – Tries to steal Crypto Currency Wallets
  • T1005 – Found many strings related to Crypto-Wallets (likely being stolen)
  • T1573 – Uses HTTPS
  • T1071 – Uses HTTPS
  • T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.200.3.18 United States Akamai Technologies, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
www.msftncsi.com A
5isohu.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
138 1 udp
5355 5 udp
53 4 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.11 192.168.56.255 137 137 3.2417330741882324 udp
192.168.56.11 192.168.56.255 138 138 9.241927146911621 udp
192.168.56.11 224.0.0.252 49563 5355 3.170131206512451 udp
192.168.56.11 224.0.0.252 54650 5355 3.1718881130218506 udp
192.168.56.11 224.0.0.252 55601 5355 4.4284820556640625 udp
192.168.56.11 224.0.0.252 60205 5355 3.1814451217651367 udp
192.168.56.11 224.0.0.252 62798 5355 5.738113164901733 udp
192.168.56.11 239.255.255.250 62184 3702 3.1790292263031006 udp
192.168.56.11 8.8.4.4 51690 53 7.040767192840576 udp
192.168.56.11 8.8.4.4 51899 53 5.742072105407715 udp
192.168.56.11 8.8.8.8 51690 53 8.038530111312866 udp
192.168.56.11 8.8.8.8 51899 53 6.740979194641113 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

411

Registry Set

4

Services Started

4

Services Opened

2

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\TestMode_AdaptiveTimeoutHistoryLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseEdns
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ForceQueriesOverTcp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableMulticast
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\TestMode_AdaptiveTimeoutRecalculationInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterClusterIp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseNewRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableNRPTForAdapterRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableCoalescing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableMDNS
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UdpRecvBufferSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCachedSockets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DomainNameDevolutionLevel
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\NewDhcpSrvRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenDefaultServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryNetBTFQDN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\CacheAllCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AutodialDLL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ResolverRegistrationOnly
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryIpMatching
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterPrimaryName
Show all (411 total)
Key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableSmartNameResolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableSmartProtocolReordering
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenBadTlds
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AllowUnqualifiedQuery
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableDynamicUpdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterVPNTrigger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableParallelAandAAAA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ResolverRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationTTL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableMultiHomedRouteConflicts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PreferLocalOverLowerBindingDNS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableIdnEncoding
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AddrConfigControl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationTtl
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableServerUnreachability
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DirectAccessPreferLocal
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableWanDynamicUpdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableIdnMapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseHostsFile
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ShortnameProxyDefault
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ShareTcpConnections
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Device performance and health
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\TreatAs
HKEY_CURRENT_USER\NULL
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}\InprocHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{136FECC8-05C4-4DEA-AC27-4C0666C20320}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.12
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer32
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions\TenantRestrictionsPlugin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityHealthService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Family options
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F99A566C-42AE-4DE2-AD4D-D297A04C5433}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SecurityHealthService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.4
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\TenantRestrictions\Payload
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Enterprise Customization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD032184-B0DE-4962-BBAC-146621F0770E}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.11
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDD8A353-2577-40A0-BB02-22A99A86B34F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7AD0F0FC-7043-4A81-BBFA-9F68ADC97122}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2A6D7C6-ECBD-439E-9244-9E784608439F}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSBuild.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State\Dynamic
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5FEEED48-1AE6-4C15-9D6E-27DD3DF6CAC8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Systray
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\Platform
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8956DE3F-472B-4FBC-AF5F-748F61CBC386}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3C03EBDD-BE8F-4E39-8B9C-EA0B1EA8395C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Device security
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CleanPC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllDecodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{15C23079-E719-4E7C-BD9C-F20983A9480F}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Security
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\32\52C64B7E
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{37529A8C-668C-4D7B-8EC0-FFB545A337FC}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\App and Browser protection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Firewall and network protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D71BECE8-17B8-4636-832C-D010D4F847F7}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Containers
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

Registry Set (Top 25)

Key Value
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\SystemCertificates\Root\Certificates\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD\Blob 5C 00 00 00 01 00 00 00 04 00 00 00 00 10 00 00 04 00 00 00 01 00 00 00 10 00 00 00 0D BE 92 DE FF 7D 36 BB 48 C4 A6 B1 15 24 95 38 0F 00 00 00 01 00 00 00 20 00 00 00 53 FE B9 19 2E D4 80 F2 09 12 4A 2C 57 D7 E8 97 7A 2E 9F 39 46 1D BF 21 4D F1 12 CB 16 02 4F A2 14 00 00 00 01 00 00 00 14 00 00 00 78 B8 30 FD 63 AC 7B 89 4A 07 3B ED F6 8A 83 9C C3 52 02 65 19 00 00 00 01 00 00 00 10 00 00 00 B5 74 AF 30 C5 C1 BA 3A 69 A7 10 02 00 82 4D D0 03 00 00 00 01 00 00 00 14 00 00 00 01 74 E6 8C 97 DD F1 E0 EE EA 41 5E A3 36 A1 63 D2 B6 1A FD 20 00 00 00 01 00 00 00 F8 05 00 00 30 82 05 F4 30 82 03 DC A0 03 02 01 02 02 09 00 E0 EA 61 4C 28 56 32 64 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 81 8E 31 0B 30 09 06 03 55 04 06 13 02 49 4C 31 0F 30 0D 06 03 55 04 08 0C 06 43 65 6E 74 65 72 31 0C 30 0A 06 03 55 04 07 0C 03 4C 6F 64 31 10 30 0E 06 03 55 04 0A 0C 07 47 6F 50 72 6F 78 79 31 10 30 0E 06 03 55 04 0B 0C 07 47 6F 50 72 6F 78 79 31 1A 30 18 06 03 55 04 03 0C 11 67 6F 70 72 6F 78 79 2E 67 69 74 68 75 62 2E 69 6
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\Windows Error Reporting\Debug\StoreLocation %LOCALAPPDATA%\Microsoft\Windows\WER\ReportArchive\AppCrash_WP9YTEV0G9DB392Y_62a4784ffb8c5d793c3c8e034cdf853311b5cf3_0a494681
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTime \xd9\x75\xa7\xbb\x0c\x23\xdc\x01
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\EncodedCtl \x30\x83\x02\xe4\xcf\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x83\x02\xe4\xbf\x30\x83\x02\xe4\xba\x02\x01\x01\x31\x0f\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x30\x83\x02\xd5\x28\x06\x09\x2b\x06\x01\x04\x01\x82\x37\x0a\x01\xa0\x83\x02\xd5\x18\x30\x83\x02\xd5\x13\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x0a\x03…

Services Started (Top 15)

Service
GoogleChromeElevationService
GoogleUpdaterService136.0.7079.0
BITS
WSearch

Services Opened (Top 15)

Service
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top