Zero‑Dwell Threat Intelligence Report
Executive Overview — What We’re Dealing With
This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.
Extended Dwell Time Impact
This malware was detected rapidly, within 6+ minutes, demonstrating excellent security controls that intercepted the threat during its initial execution phases and severely limited adversary capabilities.
Comparative Context
Industry studies report a median dwell time closer to 21–24 days. This case represents extremely rapid detection within minutes.
Timeline
| Time (UTC) | Event | Elapsed |
|---|---|---|
| 2026-01-02 13:34:44 UTC | First VirusTotal submission | — |
| 2026-01-09 14:20:04 UTC | Latest analysis snapshot | 7 days, 0 hours, 45 minutes |
| 2026-01-09 15:09:27 UTC | Report generation time | 7 days, 1 hour, 34 minutes |
Why It Matters
Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.
Global Detection Posture — Who Caught It, Who Missed It
VirusTotal engines: 72. Detected as malicious: 53. Missed: 19. Coverage: 73.6%.
Detected Vendors
- Xcitium
- 52 additional vendors (names not provided in the summary)
Missed Vendors
- Acronis
- AhnLab-V3
- Antiy-AVL
- Baidu
- CAT-QuickHeal
- ClamAV
- CMC
- Cynet
- DrWeb
- Jiangmin
- MaxSecure
- SUPERAntiSpyware
- TACHYON
- tehtris
- VBA32
- VirIT
- Yandex
- Zillya
- Zoner
Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.
Behavioral Storyline — How the Malware Operates
Dominant system-level operations (38.79% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.
Behavior Categories (weighted)
Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.
| Category | Weight | Percentage |
|---|---|---|
| System | 1965 | 38.79% |
| Registry | 1918 | 37.86% |
| File System | 400 | 7.90% |
| Process | 374 | 7.38% |
| Misc | 119 | 2.35% |
| Crypto | 94 | 1.86% |
| Windows | 56 | 1.11% |
| Synchronization | 37 | 0.73% |
| Device | 37 | 0.73% |
| Network | 20 | 0.39% |
| Threading | 18 | 0.36% |
| Com | 12 | 0.24% |
| Services | 10 | 0.20% |
| Hooking | 6 | 0.12% |
MITRE ATT&CK Mapping
- T1620 – invoke .NET assembly method
- T1620 – load .NET assembly
- T1202 – Uses Windows utilities for basic functionality
- T1036 – Attempts to masquerade or mimic a legitimate process or file name
- T1055 – Creates a process in a suspended state, likely for injection
- T1112 – Installs itself for autorun at Windows startup
- T1547 – Installs itself for autorun at Windows startup
- T1547.001 – Installs itself for autorun at Windows startup
- T1082 – Checks available memory
- T1071 – Resolves a suspicious Top Level Domain (TLD)
- T1071 – Yara detections observed in process dumps, payloads or dropped files
- T1568 – Connects to a Dynamic DNS Domain
- T1106 – Guard pages use detected – possible anti-debugging.
- T1059 – Detected command line output monitoring
- T1129 – The process attempted to dynamically load a malicious function
- T1057 – The process has tried to detect the debugger probing the use of page guards.
- T1129 – The process tried to load dynamically one or more functions.
- T1057 – The process attempted to detect a running debugger using common APIs
- T1056 – The process behaves as a keylogger (keyboard capturing detected)
- T1082 – Queries for the computername
- T1060 – The process has tried to set its autorun on the system startup
- T1112 – The process has tried to set its autorun on the system startup
- T1050 – The process has tried to set its autorun on the system startup
- T1027.002 – .NET source code contains potential unpacker
- T1083 – Reads ini files
Following the Trail — Network & DNS Activity
Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.
Contacted Domains
| Domain | IP | Country | ASN/Org |
|---|---|---|---|
| www.msftncsi.com | 23.44.129.37 | United States | Akamai Technologies, Inc. |
| www.aieov.com | 13.248.169.48 | United States | Amazon Technologies Inc. |
Observed IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
DNS Queries
| Request | Type |
|---|---|
| www.msftncsi.com | A |
| 5isohu.com | A |
| hackerlove.no-ip.biz | A |
| www.aieov.com | A |
Contacted IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
Port Distribution
| Port | Count | Protocols |
|---|---|---|
| 137 | 1 | udp |
| 5355 | 5 | udp |
| 53 | 16 | udp |
| 3702 | 1 | udp |
UDP Packets
| Source IP | Dest IP | Sport | Dport | Time | Proto |
|---|---|---|---|---|---|
| 192.168.56.11 | 192.168.56.255 | 137 | 137 | 3.261934995651245 | udp |
| 192.168.56.11 | 224.0.0.252 | 49563 | 5355 | 3.1823840141296387 | udp |
| 192.168.56.11 | 224.0.0.252 | 54650 | 5355 | 3.1831681728363037 | udp |
| 192.168.56.11 | 224.0.0.252 | 55601 | 5355 | 4.37379002571106 | udp |
| 192.168.56.11 | 224.0.0.252 | 60205 | 5355 | 3.303659200668335 | udp |
| 192.168.56.11 | 224.0.0.252 | 62798 | 5355 | 5.742303133010864 | udp |
| 192.168.56.11 | 239.255.255.250 | 62184 | 3702 | 3.225107192993164 | udp |
| 192.168.56.11 | 8.8.4.4 | 51690 | 53 | 7.210094213485718 | udp |
| 192.168.56.11 | 8.8.4.4 | 51899 | 53 | 5.8691511154174805 | udp |
| 192.168.56.11 | 8.8.4.4 | 56213 | 53 | 22.70992398262024 | udp |
| 192.168.56.11 | 8.8.4.4 | 56473 | 53 | 51.928404092788696 | udp |
| 192.168.56.11 | 8.8.4.4 | 58917 | 53 | 48.64703011512756 | udp |
| 192.168.56.11 | 8.8.4.4 | 59770 | 53 | 32.91246509552002 | udp |
| 192.168.56.11 | 8.8.4.4 | 62329 | 53 | 37.1312301158905 | udp |
| 192.168.56.11 | 8.8.4.4 | 63439 | 53 | 16.320245027542114 | udp |
| 192.168.56.11 | 8.8.8.8 | 51690 | 53 | 8.20938515663147 | udp |
| 192.168.56.11 | 8.8.8.8 | 51899 | 53 | 6.865972995758057 | udp |
| 192.168.56.11 | 8.8.8.8 | 56213 | 53 | 21.71012306213379 | udp |
| 192.168.56.11 | 8.8.8.8 | 56473 | 53 | 50.92923617362976 | udp |
| 192.168.56.11 | 8.8.8.8 | 58917 | 53 | 47.647680044174194 | udp |
| 192.168.56.11 | 8.8.8.8 | 59770 | 53 | 31.912967205047607 | udp |
| 192.168.56.11 | 8.8.8.8 | 62329 | 53 | 36.13196301460266 | udp |
| 192.168.56.11 | 8.8.8.8 | 63439 | 53 | 17.3190860748291 | udp |
Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.
Persistence & Policy — Registry and Services
Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.
Registry Opened (Top 25)
| Key |
|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\DllPath |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\LevelObjects |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateOnHostFlags |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\CustomAttributes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInSharedBroker |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\Elevation |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateAsUser |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32\(Default) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStartAtJit |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivationType |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v2.0 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C53E07EC-25F3-4093-AA39-FC67EA22E99D} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v2.0.50727\Security\Policy |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\GCStressStart |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\41\ILDependencies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\98 |
| Software\Microsoft\Fusion\GACChangeNotification\Default\System.Drawing,2.0.0.0,,b03f5f7f11d50a3a,MSIL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\9a\ILDependencies |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\4f\Modules |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\9b\ConfigMask |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v2.0.50727 |
| Software\Microsoft\Fusion\GACChangeNotification\Default\System.Management,2.0.0.0,,b03f5f7f11d50a3a,MSIL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\a0\LastModTime |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\mscorwks.dll |
| Software\Microsoft\Fusion\GACChangeNotification\Default\System.Configuration,2.0.0.0,,b03f5f7f11d50a3a,MSIL |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\9b\MVID |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\99 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN |
| Software\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Remoting,2.0.0.0,,b77a5c561934e089,MSIL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\a8\Status |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\6719bf\7629dbbf |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3ced59c5\3dc46903\9e\LastModTime |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\99\SIG |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\475dce40\304b33ae\a3\DisplayName |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2dd6ac50\553abeb3\a4 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\2b1a4e4\23e7306f\4f\LastModTime |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\a7\SIG |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\a0\DisplayName |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\a6\Status |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\9a\Status |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\GCStressStart |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\GCStressStartAtJit |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\41\Status |
| Software\Microsoft\Fusion\GACChangeNotification\Default\System.Deployment,2.0.0.0,,b03f5f7f11d50a3a,MSIL |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer |
| Software\Microsoft\Fusion\GACChangeNotification\Default\System.Runtime.Serialization.Formatters.Soap,2.0.0.0,,b03f5f7f11d50a3a,MSIL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index27f\ILUsageMask |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\9b\Status |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards |
| Software\Microsoft\Fusion\GACChangeNotification\Default\mscorlib,2.0.0.0,,b77a5c561934e089,x86 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\a1\ConfigString |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index27f |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\8e\DisplayName |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\8d\SIG |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\3f50fe4f\65df5b1c\a8\SIG |
| HKEY_LOCAL_MACHINE\Software\Policies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\41\MissingDependencies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\6dc7d4c0\12d2be49\a0\Status |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\41\Modules |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\9b\MissingDependencies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\8e\Status |
| Software\Microsoft\Fusion\GACChangeNotification\Default\System.Security,2.0.0.0,,b03f5f7f11d50a3a,MSIL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\4f99a7c9\191b956f\41\LastModTime |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\9a\DisplayName |
| HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\3cca06a0\6dc7d4c0\9b\NIDependencies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\24bf93f6\6e527edf\8d |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\GACChangeNotification\Default |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\8e |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\61e7e666\c991064\9a\EvalationData |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\70bbf7c3\a1 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\a7\Modules |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\c991064\5086dba8\99\DisplayName |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\a1\EvalationData |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\98\SIG |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\index27f\NIUsageMask |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\424bd4d8\324708cb\a6\DisplayName |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\7950e2c5\70bbf7c3\a1\SIG |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0 |
| Software\Microsoft\Fusion\GACChangeNotification\Default\Microsoft.VisualBasic,8.0.0.0,,b03f5f7f11d50a3a,MSIL |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\41c04c7e\4bf62c79\98\Modules |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\30bc7c4f\3f50fe4f\a8\EvalationData |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\19ab8d57\46ad1249\a7\LastModTime |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\181938c6\7950e2c5\a1\ConfigMask |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.2.0.System.Management__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\NI\1c22df2f\4f99a7c9\41\NIDependencies |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32\IL\f6e8397\3e045c21\8e\SIG |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace |
| HKEY_CURRENT_USER_Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{752073A1-23F2-4396-85F0-8FDB879ED0ED}\TreatAs |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-100000000000}\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F42EE2D3-909F-4907-8871-4C22FC0BF756} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_CURRENT_USER_Classes\Directory\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandler |
| HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435F-B3D9-28DAA648C0F6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7d83ee9b-2244-4e70-b1f5-5393042af1e4}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\fondue.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fondue.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FonDUE.EXE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_CURRENT_USER_Classes\Directory\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A4115719-D62E-491D-AA7C-E74B8BE3B067} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PropertyBag |
| HKEY_CURRENT_USER_Classes\SystemFileAssociations\.EXE |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A52BBA46-E9E1-435f-B3D9-28DAA648C0F6}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-500600000000}\ |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE}\OverrideFileSystemProperties |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\FonDUE.EXE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{752073A1-23F2-4396-85F0-8FDB879ED0ED}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject |
| HKEY_CURRENT_USER_Classes\ExplorerCLSIDFlags\{66742402-F9B9-11D1-A202-0000F81FEDEE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\NULL |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback |
| HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PropertyBag |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-90d022000000}\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286a68-3c57-41a1-bbb1-0eae73d76c95}\PropertyBag |
| HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE |
| HKEY_CURRENT_USER_Classes\Folder |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\standards\v2.0.50727 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\FonDUE.EXE |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{7D83EE9B-2244-4E70-B1F5-5393042AF1E4} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7}\PropertyBag |
| HKEY_CURRENT_USER_Classes\Folder\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{752073A1-23F2-4396-85F0-8FDB879ED0ED}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{A0C69A99-21C8-4671-8703-7934162FCF1D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641} |
| HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock |
| HKEY_CURRENT_USER_Classes\Folder\ShellEx\IconHandler |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION |
| HKEY_CURRENT_USER_Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23} |
| HKEY_CURRENT_USER_Classes\Directory\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocHandler32 |
| HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0AC0837C-BBF8-452A-850D-79D08E667CA7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\PropertyBag |
| HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\ShellEx\IconHandler |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main |
| HKEY_CURRENT_USER_Classes\exefile\DocObject |
| HKEY_CURRENT_USER_Classes\exefile\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{752073A1-23F2-4396-85F0-8FDB879ED0ED} |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects |
| HKEY_CURRENT_USER_Classes\exefile\Application |
| HKEY_CURRENT_USER_Classes\exefile\shell\open |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NULL |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\System |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
| HKEY_CURRENT_USER_Classes\Folder\DocObject |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NULL |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\Standards\v2.0.50727 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\IdListAliasTranslations |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C53E07EC-25F3-4093-AA39-FC67EA22E99D} |
| HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{35286A68-3C57-41A1-BBB1-0EAE73D76C95} |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\ShellEx\IconHandler |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{66742402-F9B9-11D1-A202-0000F81FEDEE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173} |
| HKEY_CURRENT_USER_Classes\exefile\CurVer |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Segoe UI |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{625B53C3-AB48-4EC1-BA1F-A1EF4146FC19} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\Standards |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 |
| HKEY_CURRENT_USER_Classes\Folder\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell |
| HKEY_CURRENT_USER_Classes\exefile\shell |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Application |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs |
| HKEY_CURRENT_USER_Classes\exefile\Clsid |
| HKEY_CURRENT_USER_Classes\exefile |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\LocalServer |
| HKEY_CURRENT_USER_Classes\exefile\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT |
| HKEY_CURRENT_USER_Classes\.EXE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{752073A1-23F2-4396-85F0-8FDB879ED0ED}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89BC3F49-F8D9-5103-BA13-DE497E609167} |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE\Diagnosis |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Advertised\Policy\Standards |
| HKEY_CURRENT_USER_Classes\Directory\Clsid |
| HKEY_CURRENT_USER_Classes\Directory |
| HKEY_CURRENT_USER_Classes\.exe |
Registry Set (Top 25)
| Key | Value |
|---|---|
| HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\35d1703cd61867afaf567473dc316f87 | “%TEMP%\svhost.exe” .. |
| HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Environment\SEE_MASK_NOZONECHECKS | 1 |
| HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Run\35d1703cd61867afaf567473dc316f87 | “%TEMP%\svhost.exe” .. |
| HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS | 1 |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\35d1703cd61867afaf567473dc316f87 | “C:\Users\Bruno\AppData\Local\Temp\svhost.exe” .. |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\35d1703cd61867afaf567473dc316f87 | “C:\Users\Bruno\AppData\Local\Temp\svhost.exe” .. |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PeerDist\CacheMgr\CacheRescalingFactor | 40 |
| HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile | Binary Data |
Services Started (Top 15)
| Service |
|---|
| BITS |
| WSearch |
| HTTP |
Services Opened (Top 15)
| Service |
|---|
| policyagent |
| HTTP |
| SPPSvc |
| VaultSvc |
| clipsvc |
What To Do Now — Practical Defense Playbook
- Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
- EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
- Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
- Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
- Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.
Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
