SystemHelper SFX Installer Queries Registry and Deploys Malicious Chain


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-05 07:03:25 UTC

Executive Overview — What We’re Dealing With

Human analysts classified this specimen as malware, and the sandbox telemetry backs that up: both WinRAR self-extractor and UPX packing signatures fire, the sample runs batch files through cmd.exe, edits the registry with reg.exe, launches a dropped binary, and enumerates processes, files and volume information. This is a dropper and loader chain rather than a single-stage Trojan, and the 26 engine misses below show it is evasive enough to matter.

File           7to7jj.exe
Type           PE32 executable (GUI) Intel 80386, for MS Windows
SHA-1          4611832b14c5e045bbd5a1c98df0b99578b06113
MD5            853fcc1f2c1144c71b78a656b0d1d7c7
First Seen     2025-09-14 13:55:16
Last Analysis  2025-09-15 07:31:08
Dwell Time     0 days, 17 hours, 35 minutes (First Seen to Last Analysis)

Extended Dwell Time Impact

Roughly 17.5 hours separate the first sighting from the last analysis. That is less than a day, but the behavioral data below shows it was enough for initial execution, a first attempt at persistence (shortcut creation and reg.exe registry edits) and local enumeration of processes, files and volume information.

Comparative Context

Industry surveys put median dwell time in the range of weeks (figures of roughly 21 to 24 days are commonly cited). Against that baseline, detection and containment within hours is fast.

Timeline

Time (UTC)           Event                        Elapsed since first submission
2025-09-11 09:34:48  First VirusTotal submission  0
2025-09-19 07:16:30  Latest analysis snapshot     7 days, 21 hours, 41 minutes
2025-11-05 07:03:25  Report generation time       54 days, 21 hours, 28 minutes

These VirusTotal timestamps do not align with the First Seen and Last Analysis values in the file table, which come from a different source; the dwell-time figure is computed from the file-table values, not from this timeline.

Why It Matters

Every additional day of dwell time is attacker opportunity: more time for lateral movement, quiet persistence and intelligence gathering. Here the window stayed under a day.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 70. Detected as malicious: 44. Missed: 26. Coverage: 62.9%.

Detected Vendors (44)

  • Xcitium
  • 43 additional vendors (names not provided in the source summary)

Missed Vendors (26)

  • Acronis
  • Avira
  • Baidu
  • ClamAV
  • CMC
  • ESET-NOD32
  • F-Secure
  • Google
  • Gridinsoft
  • Ikarus
  • Jiangmin
  • K7AntiVirus
  • K7GW
  • NANO-Antivirus
  • Rising
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Tencent
  • Trapmine
  • VBA32
  • ViRobot
  • Yandex
  • Zillya
  • Zoner

Why it matters: if an endpoint relies solely on one of the missed engines, this sample runs with zero alerts. The missed list includes engines that are common in enterprises (ESET-NOD32, F-Secure, SentinelOne), so do not assume coverage from a single vendor name. Bear in mind that a VirusTotal verdict reflects the engine as integrated into VirusTotal, which is usually a static or cloud scanner, not the vendor's full endpoint product with behavioral blocking. Prevention-first controls (application allow-listing, blocking unsigned self-extracting installers from user-writable paths) close the gap regardless of signature lag.
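Because more than a third of the engines miss this file, a local sweep for the published hashes is a cheap, vendor-independent check. The script below is an added example, not part of the report: it hashes every file under a directory once (MD5 and SHA-1 in a single pass) and matches both digests against the indicator set, so a feed that carries only one algorithm still produces a hit. The demo() helper plants a benign marker file (constructed content) and adds its digests to a copy of the set so the example runs offline. Caveat: repacked variants change both hashes, so pair a hash sweep with the behavioral indicators later in the report.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators published in this report; a real feed would extend these sets.
IOC_HASHES = {
    "md5": {"853fcc1f2c1144c71b78a656b0d1d7c7"},
    "sha1": {"4611832b14c5e045bbd5a1c98df0b99578b06113"},
}

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on large files


def hash_bytes(data):
    """Return (md5, sha1) hex digests of an in-memory buffer."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def hash_file(path):
    """Return (md5, sha1) hex digests computed in one pass over the file."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def sweep(root, iocs=IOC_HASHES):
    """Walk `root` and return (path, algorithm, digest) for every file whose
    MD5 or SHA-1 is in the indicator set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha1 = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep sweeping
            if md5 in iocs["md5"]:
                hits.append((path, "md5", md5))
            if sha1 in iocs["sha1"]:
                hits.append((path, "sha1", sha1))
    return hits


def demo():
    """Offline run: plant a benign marker file (constructed content), add its
    digests to a copy of the indicator set, then sweep the temporary tree."""
    marker = b"abc"
    marker_md5, marker_sha1 = hash_bytes(marker)
    iocs = {
        "md5": IOC_HASHES["md5"] | {marker_md5},
        "sha1": IOC_HASHES["sha1"] | {marker_sha1},
    }
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "marker.bin").write_bytes(marker)
        Path(tmp, "clean.txt").write_bytes(b"nothing to see here")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "also_clean.log").write_bytes(b"2025-09-14 noise")
        return sorted((os.path.basename(p), alg, d) for p, alg, d in sweep(tmp, iocs))


if __name__ == "__main__":
    for path, alg, digest in demo():
        print(f"HIT {alg}={digest} {path}")
```

Point sweep() at a user-writable location first (Downloads, %TEMP%, %APPDATA%), which is where self-extracting installers like this one normally land.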

Behavioral Storyline — How the Malware Operates

File system operations dominate (149,521 weighted operations, 49.65%), with synchronization primitives second (39.30%). For a self-extracting archive that unpacks and runs dropped components (see the WinRAR and UPX packing signatures and the "executed a dropped binary" entry in the ATT&CK section), heavy file activity is expected from extraction alone and does not by itself demonstrate data harvesting or encryption. The crypto category is negligible (17 operations), which argues against file encryption during this run; the AES references in the ATT&CK list are static capabilities, not observed behavior.

Behavior Categories (weighted)

Weights count monitored operations (registry, file, network and similar calls) per category over the sandbox run. A higher weight means more calls into that subsystem, not necessarily more damage. The large synchronization share (mutexes, events, waits) is typical of a process that spawns and waits on child processes, which matches the cmd.exe and batch-file activity recorded below.

Category         Weight   Percentage
File System      149521   49.65%
Synchronization  118352   39.30%
System            23837    7.92%
Registry           6603    2.19%
Process            1538    0.51%
Com                 487    0.16%
Misc                307    0.10%
Threading           243    0.08%
Device              142    0.05%
Services             54    0.02%
Hooking              40    0.01%
Windows              18    0.01%
Crypto               17    0.01%

MITRE ATT&CK Mapping

The entries below are automated mappings reproduced as provided: short capability names first, then sandbox signature descriptions. Several IDs do not fit the technique they cite. T1071 (Application Layer Protocol) is attached to static PE observations such as an overlay or a PDB path; T1063 and T1064 are deprecated (their content now lives under T1518.001 and T1059); and "reference WMI statements" belongs with T1047 rather than T1213 (Data from Information Repositories). Treat the descriptions as the evidence and re-verify any ID before it enters a detection or reporting pipeline. The entries that matter most for this sample are the two packing signals (WinRAR SFX and UPX) and the chain cmd.exe, batch file, reg.exe and dropped binary, which together describe the installer behavior in the title.

  • T1033 – get token membership
  • T1027 – reference AES constants
  • T1083 – get common file path
  • T1564.003 – hide graphical window
  • T1027 – encrypt data using AES
  • T1083 – get file system object information
  • T1547.009 – create shortcut via IShellLink
  • T1083 – check if file exists
  • T1059 – accept command line arguments
  • T1082 – query environment variable
  • T1140 – decrypt data using AES via x86 extensions
  • T1213 – reference WMI statements
  • T1082 – check OS version
  • T1010 – find graphical window
  • T1134 – modify access privileges
  • T1012 – query or enumerate registry value
  • T1222 – set file attributes
  • T1027 – encode data using XOR
  • T1083 – enumerate files on Windows
  • T1129 – parse PE header
  • T1614 – get geographical location
  • T1129 – link function at runtime on Windows
  • T1047 – connect to WMI namespace via WbemLocator
  • T1202 – Uses suspicious command line tools or Windows utilities
  • T1202 – Uses Windows utilities for basic functionality
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1539 – Touches a file containing cookies, possibly for information gathering
  • T1082 – Checks available memory
  • T1057 – Uses Windows utilities to enumerate running processes
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – The PE file contains an overlay
  • T1071 – The PE file contains a PDB path
  • T1071 – Reads from the memory of another process
  • T1071 – Reads data out of its own binary image
  • T1106 – Created a process from a suspicious location
  • T1059 – Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
  • T1485 – Anomalous file deletion behavior detected (10+)
  • T1129 – The process attempted to dynamically load a malicious function
  • T1059 – Detected command line output monitoring
  • T1140 – Detected an attempt to pull out some data from the binary image
  • T1129 – The process tried to load dynamically one or more functions.
  • T1027.009 – The process has executed a dropped binary
  • T1055 – Likely PROPagate Technique is running
  • T1059 – Apparent Internal Usage of CMD.EXE
  • T1027.009 – Drops interesting files and uses them
  • T1063 – It Tries to detect injection methods
  • T1064 – Executes batch files
  • T1059 – Uses cmd line tools excessively to alter registry or file data
  • T1055 – May try to detect the Windows Explorer process (often used for injection)
  • T1112 – Uses reg.exe to modify the Windows registry
  • T1027.002 – File is packed with WinRar
  • T1027.002 – Sample is packed with UPX
  • T1027 – Sample is packed with UPX
  • T1057 – May try to detect the Windows Explorer process (often used for injection)
  • T1057 – Queries a list of all running processes
  • T1083 – Enumerates the file system
  • T1083 – Reads ini files
  • T1082 – Queries the volume information (name, serial number etc) of a device

Following the Trail — Network & DNS Activity

The captured traffic is UDP only: one NetBIOS name-service broadcast (137), LLMNR (5355) and WS-Discovery (3702) multicast, and 56 DNS packets to the Google resolvers 8.8.8.8 and 8.8.4.4. No TLS or HTTP sessions appear in the data, so beaconing or IP-lookup behavior cannot be claimed from this capture. Three names were queried: www.msftncsi.com is the Windows connectivity probe and is expected from any Windows host; www.aieov.com (answered from an Amazon address) and 5isohu.com are the two lookups worth attributing to the sample. Every DNS query appears twice with the same source port, once to each resolver about one second apart, which is what a client retransmitting to its alternate server on timeout looks like.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.
www.msftncsi.com 23.200.3.20 United States Akamai Technologies, Inc.

Observed IPs

IP               Country        ASN/Org
224.0.0.252                     (LLMNR multicast group, link-local)
239.255.255.250                 (WS-Discovery/SSDP multicast group, link-local)
8.8.4.4          United States  Google LLC
8.8.8.8          United States  Google LLC

The two multicast addresses are not remote hosts; they are the standard LAN discovery groups that any Windows machine talks to. The only remote endpoints in the capture are the two public resolvers.

DNS Queries

Request Type
www.msftncsi.com A
5isohu.com A
www.aieov.com A

Port Distribution

Port   Count  Protocol  Service
53     56     udp       DNS (28 queries, each sent to both resolvers)
137    1      udp       NetBIOS name service (subnet broadcast)
3702   1      udp       WS-Discovery (multicast)
5355   5      udp       LLMNR (multicast)

UDP Packets

Source IP      Dest IP          Sport  Dport  Time (s)  Proto
192.168.56.11 192.168.56.255 137 137 3.2444000244140625 udp
192.168.56.11 224.0.0.252 49563 5355 3.1734230518341064 udp
192.168.56.11 224.0.0.252 54650 5355 3.196775197982788 udp
192.168.56.11 224.0.0.252 55601 5355 4.369328022003174 udp
192.168.56.11 224.0.0.252 60205 5355 3.2240371704101562 udp
192.168.56.11 224.0.0.252 62798 5355 6.089327096939087 udp
192.168.56.11 239.255.255.250 62184 3702 3.226039171218872 udp
192.168.56.11 8.8.4.4 50586 53 359.2922911643982 udp
192.168.56.11 8.8.4.4 51628 53 123.44744896888733 udp
192.168.56.11 8.8.4.4 51663 53 189.73871397972107 udp
192.168.56.11 8.8.4.4 51690 53 7.697610139846802 udp
192.168.56.11 8.8.4.4 51880 53 222.3847692012787 udp
192.168.56.11 8.8.4.4 51899 53 6.1519811153411865 udp
192.168.56.11 8.8.4.4 52464 53 330.6816391944885 udp
192.168.56.11 8.8.4.4 53480 53 254.99430298805237 udp
192.168.56.11 8.8.4.4 54684 53 301.96277618408203 udp
192.168.56.11 8.8.4.4 54823 53 527.0883710384369 udp
192.168.56.11 8.8.4.4 55183 53 373.6504030227661 udp
192.168.56.11 8.8.4.4 56007 53 541.4472379684448 udp
192.168.56.11 8.8.4.4 56213 53 37.90120315551758 udp
192.168.56.11 8.8.4.4 56473 53 106.52552008628845 udp
192.168.56.11 8.8.4.4 56666 53 236.74417114257812 udp
192.168.56.11 8.8.4.4 58090 53 283.7129991054535 udp
192.168.56.11 8.8.4.4 58800 53 344.9320421218872 udp
192.168.56.11 8.8.4.4 58917 53 87.25979018211365 udp
192.168.56.11 8.8.4.4 59770 53 52.57247805595398 udp
192.168.56.11 8.8.4.4 60054 53 269.3538131713867 udp
192.168.56.11 8.8.4.4 60334 53 139.2600200176239 udp
192.168.56.11 8.8.4.4 61467 53 512.743851184845 udp
192.168.56.11 8.8.4.4 61507 53 158.8853521347046 udp
192.168.56.11 8.8.4.4 62120 53 174.80677914619446 udp
192.168.56.11 8.8.4.4 62329 53 68.72887110710144 udp
192.168.56.11 8.8.4.4 63439 53 23.15088200569153 udp
192.168.56.11 8.8.4.4 63550 53 208.0256371498108 udp
192.168.56.11 8.8.4.4 64563 53 316.3248841762543 udp
192.168.56.11 8.8.8.8 50586 53 358.2947120666504 udp
192.168.56.11 8.8.8.8 51628 53 122.45994901657104 udp
192.168.56.11 8.8.8.8 51663 53 188.74011206626892 udp
192.168.56.11 8.8.8.8 51690 53 8.697471141815186 udp
192.168.56.11 8.8.8.8 51880 53 221.38508915901184 udp
192.168.56.11 8.8.8.8 51899 53 7.150829076766968 udp
192.168.56.11 8.8.8.8 52464 53 329.68253803253174 udp
192.168.56.11 8.8.8.8 53480 53 253.9946641921997 udp
192.168.56.11 8.8.8.8 54684 53 300.96812200546265 udp
192.168.56.11 8.8.8.8 54823 53 526.0881299972534 udp
192.168.56.11 8.8.8.8 55183 53 372.6511549949646 udp
192.168.56.11 8.8.8.8 56007 53 540.4491980075836 udp
192.168.56.11 8.8.8.8 56213 53 36.90791606903076 udp
192.168.56.11 8.8.8.8 56473 53 105.52770519256592 udp
192.168.56.11 8.8.8.8 56666 53 235.7448661327362 udp
192.168.56.11 8.8.8.8 58090 53 282.71390318870544 udp
192.168.56.11 8.8.8.8 58800 53 343.93281412124634 udp
192.168.56.11 8.8.8.8 58917 53 86.2652280330658 udp
192.168.56.11 8.8.8.8 59770 53 51.581093072891235 udp
192.168.56.11 8.8.8.8 60054 53 268.35364508628845 udp
192.168.56.11 8.8.8.8 60334 53 138.27181315422058 udp
192.168.56.11 8.8.8.8 61467 53 511.7424840927124 udp
192.168.56.11 8.8.8.8 61507 53 157.89024114608765 udp
192.168.56.11 8.8.8.8 62120 53 173.80804920196533 udp
192.168.56.11 8.8.8.8 62329 53 67.73034501075745 udp
192.168.56.11 8.8.8.8 63439 53 22.16198205947876 udp
192.168.56.11 8.8.8.8 63550 53 207.0261161327362 udp
192.168.56.11 8.8.8.8 64563 53 315.323215007782 udp

Hunting tip: this capture has no TLS or HTTP, so hunt at the DNS layer. Alert on any process resolving www.aieov.com or 5isohu.com, and check which process issued the query rather than only the name. If your hosts use internal resolvers, direct queries to 8.8.8.8 or 8.8.4.4 from an endpoint are themselves anomalous; here they most likely reflect the sandbox's resolver configuration, so do not treat the Google addresses as indicators. www.msftncsi.com is the Windows connectivity check and should be excluded from alerting.
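The triage described above, as an added example that is not part of the report: it parses rows in the format of the UDP table (a constructed excerpt with shortened timestamps is embedded), separates LAN discovery noise (NetBIOS, LLMNR, WS-Discovery) from DNS, pairs the duplicate queries per source port to expose the one-second resolver fallback, and flags queried names that are not Windows connectivity probes. The subnet-broadcast test (destination ending in .255) and the probe-domain list are assumptions to adapt to your environment.

```python
from collections import defaultdict

# Constructed excerpt of the report's UDP packet table (timestamps shortened):
# src dst sport dport seconds proto
SAMPLE_PACKETS = """
192.168.56.11 192.168.56.255 137 137 3.2444 udp
192.168.56.11 224.0.0.252 49563 5355 3.1734 udp
192.168.56.11 239.255.255.250 62184 3702 3.2260 udp
192.168.56.11 8.8.4.4 51690 53 7.6976 udp
192.168.56.11 8.8.8.8 51690 53 8.6975 udp
192.168.56.11 8.8.4.4 51899 53 6.1520 udp
192.168.56.11 8.8.8.8 51899 53 7.1508 udp
192.168.56.11 8.8.4.4 63439 53 23.1509 udp
192.168.56.11 8.8.8.8 63439 53 22.1620 udp
"""

# The three names in the report's DNS query table.
SAMPLE_QUERIES = ["www.msftncsi.com", "5isohu.com", "www.aieov.com"]

# Multicast discovery traffic every Windows host on a LAN emits regardless of malware.
LOCAL_DISCOVERY = {
    ("224.0.0.252", 5355): "LLMNR",
    ("239.255.255.250", 3702): "WS-Discovery",
    ("239.255.255.250", 1900): "SSDP",
}
NETBIOS_NS_PORT = 137

# Windows connectivity probes (NCSI); assumed allow-list, extend for your estate.
OS_PROBE_DOMAINS = {"www.msftncsi.com", "dns.msftncsi.com", "www.msftconnecttest.com"}


def parse_packets(text):
    """Parse whitespace-separated rows: src dst sport dport seconds proto."""
    rows = []
    for line in text.strip().splitlines():
        src, dst, sport, dport, t, proto = line.split()
        rows.append({"src": src, "dst": dst, "sport": int(sport),
                     "dport": int(dport), "t": float(t), "proto": proto})
    return rows


def classify(pkt):
    """Label a packet as LAN discovery noise, DNS, or something to look at."""
    key = (pkt["dst"], pkt["dport"])
    if key in LOCAL_DISCOVERY:
        return LOCAL_DISCOVERY[key]
    # Heuristic: a /24 broadcast address ends in .255 (assumption for this lab).
    if pkt["dport"] == NETBIOS_NS_PORT and pkt["dst"].endswith(".255"):
        return "NetBIOS-NS"
    if pkt["dport"] == 53:
        return "DNS"
    return "other"


def summarize(packets):
    """Count packets per class so the analyst sees what is noise at a glance."""
    counts = defaultdict(int)
    for p in packets:
        counts[classify(p)] += 1
    return dict(counts)


def resolver_pairs(packets, max_gap=1.5):
    """Return (sport, first_resolver, second_resolver, gap_seconds) for DNS
    queries sent from one ephemeral port to two different resolvers within
    max_gap seconds.  The report's capture shows every port hitting both
    8.8.8.8 and 8.8.4.4 about one second apart; reading that as a client
    retransmitting to its alternate server on timeout is an interpretation."""
    by_port = defaultdict(list)
    for p in packets:
        if classify(p) == "DNS":
            by_port[p["sport"]].append(p)
    pairs = []
    for sport, pkts in sorted(by_port.items()):
        pkts.sort(key=lambda p: p["t"])
        for a, b in zip(pkts, pkts[1:]):
            gap = b["t"] - a["t"]
            if a["dst"] != b["dst"] and gap <= max_gap:
                pairs.append((sport, a["dst"], b["dst"], round(gap, 2)))
    return pairs


def suspicious_queries(names, os_probes=OS_PROBE_DOMAINS):
    """Queried names that are not expected OS probes; these get attributed to the sample."""
    return [n for n in names if n.lower() not in os_probes]


if __name__ == "__main__":
    pkts = parse_packets(SAMPLE_PACKETS)
    print(summarize(pkts))
    print(resolver_pairs(pkts))
    print(suspicious_queries(SAMPLE_QUERIES))
```

On a full capture, feed resolver_pairs() the whole table: 28 pairs with a gap near 1.0 s means the first resolver never answered in time, which is worth knowing before reading the DNS timeline as deliberate pacing by the malware.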

Persistence & Policy — Registry and Services

The registry telemetry is almost entirely reads: 291 keys opened against 8 set. The set keys are not itemized in the data, so registry-based persistence can be neither confirmed nor ruled out from this list alone, even though the ATT&CK section records reg.exe modifying the registry. Most opens are shell, COM and text-services plumbing that follows from launching cmd.exe and batch files (the batfile, .bat file-association and FileExts lookups). Two reads carry more weight: Windows consults Image File Execution Options for every image it starts, so the opens of IFEO\NSudoLG.exe and IFEO\mode.com mean those two executables were launched during the run. NSudoLG.exe is the file name of the NSudo launcher, a third-party utility for running programs as SYSTEM or TrustedInstaller, which fits the T1134 "modify access privileges" capability above; mode.com is the console mode utility commonly called from batch scripts. Reads of Lsa\FipsAlgorithmPolicy and the Policies\Explorer and Policies\System keys are environment and policy reconnaissance. The keys recorded in the telemetry follow.

Registry Opened   291
Registry Set      8
Services Started  3
Services Opened   2

Only the opened keys are itemized below; the 8 set keys and the 5 service handles are not named in the source data.

Registry Opened (first 50 of 291)

Key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\ResyncResetTime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Always Use Tab
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_CURRENT_USER\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\
HKEY_CURRENT_USER\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_CURRENT_USER\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
HKEY_CURRENT_USER\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\IsVailContainer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
HKEY_CURRENT_USER\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OOBE\LaunchUserOOBE
HKEY_CURRENT_USER\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
HKEY_CURRENT_USER\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\Software
Registry Opened (additional keys)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_CURRENT_USER\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_CURRENT_USER\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\Software\Microsoft\Input
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\Client\(Default)
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CURRENT_USER\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
HKEY_CURRENT_USER\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_CURRENT_USER\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_CURRENT_USER\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete\AutoSuggest
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
HKEY_CURRENT_USER\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_CURRENT_USER\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\UserChoice
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\InprocHandler
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\DocObject
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_CURRENT_USER_Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81d4e9c9-1d3b-41bc-9e6c-4b40bf79e35e}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\Elevation
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81EA0A17-AA39-455B-BA20-EA79A8F98966}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\batfile
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CURRENT_USER_Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\User\Index\UserSid\S-1-5-21-1070296143-2877979003-364783958-1001
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.bat
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mode.com
HKEY_CURRENT_USER_Classes\.bat\OpenWithProgids
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER_Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\LocalServer
HKEY_CURRENT_USER_Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32
HKEY_CURRENT_USER_Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_CURRENT_USER_Classes\Folder\ShellEx\IconHandler
HKEY_CURRENT_USER_Classes\batfile\DocObject
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03b5835f-f03c-411b-9ce2-aa23e1171e36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C2CB2CF0-AF47-413E-9780-8BC3A3C16068}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSudoLG.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocHandler
HKEY_CURRENT_USER_Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_CURRENT_USER_Classes\batfile\Clsid
HKEY_CURRENT_USER_Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_CURRENT_USER_Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\InprocServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_CURRENT_USER_Classes\.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32
HKEY_CURRENT_USER_Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{B115690A-EA02-48D5-A231-E3578D2FDF80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a1e2b86b-924a-4d43-80f6-8a820df7190f}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_CURRENT_USER_Classes\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\Elevation
HKEY_CURRENT_USER_Classes\batfile\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\CurVer
HKEY_CURRENT_USER_Classes\AllFilesystemObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{7C472071-36A7-4709-88CC-859513E583A9}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\LocalServer32
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\FileTypeAssociation\Index\FileType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\LocalServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Metadata
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\TIP\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocServer32
HKEY_CURRENT_USER_Classes\batfile\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache
HKEY_CURRENT_USER_Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_CURRENT_USER_Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocServer32
HKEY_CURRENT_USER_Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_CURRENT_USER_Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453f-B920-B61BB7CDD997}\TreatAs
HKEY_CURRENT_USER_Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocHandler
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_CURRENT_USER_Classes\CLSID\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\Instance
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\NSudoLG.exe
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\FileTypeAssociation\Index\FileType\.bat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\Folder\BrowseInPlace
HKEY_CURRENT_USER_Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_CURRENT_USER_Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\Compatibility\executable.exe
HKEY_CURRENT_USER_Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler
HKEY_CURRENT_USER_Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_CURRENT_USER_Classes\batfile\CurVer
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{807C1E6C-1D00-453F-B920-B61BB7CDD997}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{6a498709-e00b-4c45-a018-8f9e4081ae40}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.System.Internal.Launch.LauncherQueryInfo\CustomAttributes
HKEY_CURRENT_USER_Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_CURRENT_USER_Classes\Folder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nircmd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_CURRENT_USER_Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\User\Index\UserSid\S-1-5-21-1070296143-2877979003-364783958-503
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531fdebf-9b4c-4a43-a2aa-960e8fcdc732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\OpenWithProgids
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\executable.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.System.Internal.Launch.LauncherQueryInfo
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CURRENT_USER_Classes\Directory\ShellEx\IconHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\LocalServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a028ae76-01b1-46c2-99c4-acd9858ae02f}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\User\Data\3
HKEY_CURRENT_USER_Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_CURRENT_USER_Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid

Registry Set (Top 25)

Key Value
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass 1
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName 1
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet 1
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect 0
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme 0
HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\TIP\AggregateResults\data D9 A7 A8 01 01 00 03 00 EC 03 F4 6F 00 00 00 00 01 00 00 00 00 00 00 00 D1 A8 A8 01 01 00 03 00 64 B
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme 0

Services Started (Top 15)

Service
BITS
WSearch
TrustedInstaller

Services Opened (Top 15)

Service
TrustedInstaller
VaultSvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.