ROZETATECH-Signed Binary Masks as JEDITOR.exe to Deploy Downloader


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-10-28 09:09:12 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: 5ca40b8ba5b8b76dd0b45c5ec02fb5cb7697fbf9.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA‑1: 5ca40b8ba5b8b76dd0b45c5ec02fb5cb7697fbf9
MD5: 001d9e4a35ad697aa884cd3db3c3df84
First Seen: 2025-09-15 19:27:28.451579
Last Analysis: 2025-09-16 07:20:46.418777
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 11+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) | Event | Elapsed
2025-03-28 05:58:40 UTC | First VirusTotal submission |
2025-09-19 13:22:57 UTC | Latest analysis snapshot | 175 days, 7 hours, 24 minutes
2025-10-28 09:09:12 UTC | Report generation time | 214 days, 3 hours, 10 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 29. Missed: 44. Coverage: 39.7%.

Detected Vendors

  • Xcitium
  • +28 additional vendors (names not provided)

List includes Xcitium plus an additional 28 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Alibaba
  • alibabacloud
  • Antiy-AVL
  • APEX
  • Avira
  • Baidu
  • Bkav
  • ClamAV
  • CMC
  • CrowdStrike
  • Cynet
  • DrWeb
  • ESET-NOD32
  • F-Secure
  • google_safebrowsing
  • Gridinsoft
  • huorong
  • Ikarus
  • Jiangmin
  • K7AntiVirus
  • K7GW
  • Kaspersky
  • Kingsoft
  • NANO-Antivirus
  • Panda
  • Rising
  • Sangfor
  • SentinelOne
  • Skyhigh
  • Sophos
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Tencent
  • Trapmine
  • TrendMicro
  • TrendMicro-HouseCall
  • VirIT
  • Webroot
  • Yandex
  • Zillya
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (35.70% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category | Weight | Percentage
System | 146 | 35.70%
Registry | 116 | 28.36%
File System | 69 | 16.87%
Misc | 44 | 10.76%
Network | 10 | 2.44%
Windows | 7 | 1.71%
Process | 4 | 0.98%
Threading | 4 | 0.98%
Synchronization | 4 | 0.98%
Device | 4 | 0.98%
Hooking | 1 | 0.24%

MITRE ATT&CK Mapping

  • T1059 – accept command line arguments
  • T1115 – open clipboard
  • T1056.001 – log keystrokes via polling
  • T1083 – get common file path
  • T1027 – encode data using XOR
  • T1083 – get file size
  • T1070.006 – timestomp file
  • T1113 – capture screenshot
  • T1027 – encrypt data using RC4 PRGA
  • T1083 – check if file exists
  • T1222 – set file attributes
  • T1115 – read clipboard data
  • T1129 – link function at runtime on Windows
  • T1027 – encrypt data using RC4 KSA
  • T1129 – Adversaries may execute malicious payloads via loading shared modules.
  • T1014 – Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components.
  • T1542.003 – Adversaries may use bootkits to persist on systems.
  • T1564 – Adversaries may attempt to hide artifacts associated with their behaviors to evade detection.
  • T1055 – Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.
  • T1542 – Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system.
  • T1564.001 – Adversaries may set files and directories to be hidden to evade detection mechanisms.
  • T1564.004 – Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
  • T1082 – An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
  • T1071 – Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic.
  • T1496 – Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems, which may impact system and/or hosted service availability.
  • T1574.002 – Tries to load missing DLLs
  • T1036 – Creates files inside the user directory
  • T1036 – Drops files with a non-matching file extension (content does not match the file extension)
  • T1056 – Creates a DirectInput object (often for capturing keystrokes)
  • T1518.001 – May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • T1083 – Reads ini files
  • T1083 – Writes ini files
  • T1082 – Reads software policies
  • T1018 – Reads the hosts file
  • T1095 – Performs DNS lookups
  • T1095 – Downloads files from webservers via HTTP
  • T1071 – Performs DNS lookups
  • T1071 – Downloads files from webservers via HTTP
  • T1071 – Downloads executable code via HTTP
  • T1105 – Downloads files from webservers via HTTP
  • T1105 – Downloads executable code via HTTP

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain | IP | Country | ASN/Org
www.aieov.com | 76.223.54.146 | United States | Amazon.com, Inc.
www.ojang.pe.kr | 119.194.226.67 | Korea, Republic of | Korea Telecom

Observed IPs

IP | Country | ASN/Org
224.0.0.252 | |
8.8.4.4 | United States | Google LLC
8.8.8.8 | United States | Google LLC

DNS Queries

Request | Type
www.ojang.pe.kr | A
5isohu.com | A
www.aieov.com | A

Port Distribution

Port | Count | Protocols
137 | 1 | udp
5355 | 4 | udp
53 | 54 | udp

UDP Packets

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

Registry Opened: 301
Registry Set: 1
Services Started: 2
Services Opened: 2

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F86FA3AB-70D2-4FC7-9C99-FCBF05467F3A}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{24ad3ad4-a569-4530-98e1-ab02f9417aa8}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\TreatAs
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A0953C92-50DC-43BF-BE83-3742FED03C9C}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0DB7E03F-FC29-4DC6-9020-FF41B59E513A}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F86FA3AB-70D2-4FC7-9C99-FCBF05467F3A}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\Elevation
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{F86FA3AB-70D2-4FC7-9C99-FCBF05467F3A}\ShellFolder
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F86FA3AB-70D2-4FC7-9C99-FCBF05467F3A}\ShellFolder
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{D3162B92-9365-467A-956B-92703ACA08AF}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{24AD3AD4-A569-4530-98E1-AB02F9417AA8}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{088e3905-0323-4b02-9826-5d99428e115f}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000032A-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{1CF1260C-4DD0-4EBB-811F-33C572699FDE}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{3DFDF296-DBEC-4FB4-81D1-6A3438BCF4DE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager\NULL
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\ShellFolder
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{088E3905-0323-4B02-9826-5D99428E115F}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DevQuery\5
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\executable.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{3882A85B-858A-11EB-B9E1-806E6F6E6963}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\MyComputer\NameSpace
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DevQuery\1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DevQuery\7
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\OEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\Compatibility\WEBDOWN.EXE
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{374DE290-123F-4565-9164-39C4925E467B}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{1CF1260C-4DD0-4EBB-811F-33C572699FDE}\ShellFolder
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3882A85B-858A-11EB-B9E1-806E6F6E6963}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\DelegateFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A0953C92-50DC-43BF-BE83-3742FED03C9C}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{D3162B92-9365-467A-956B-92703ACA08AF}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{289AF617-1CC3-42A6-926C-E6A863F0E3BA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000035-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A0953C92-50DC-43BF-BE83-3742FED03C9C}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{1CF1260C-4DD0-4EBB-811F-33C572699FDE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Malgun Gothic
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\MyComputer\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\executable.exe
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}\ShellFolder

Registry Set (Top 25)

Key Value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config\LastKnownGoodTime \x91\xd3\x1el\xe1\x9f\xdb\x01

Services Started (Top 15)

Service
BITS
WSearch

Services Opened (Top 15)

Service
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.