Zero‑Dwell Threat Intelligence Report
Executive Overview — What We’re Dealing With
This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.
Extended Dwell Time Impact
For 5+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.
Comparative Context
Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.
Timeline
| Time (UTC) | Event | Elapsed |
|---|---|---|
| 2025-10-29 09:36:51 UTC | First VirusTotal submission | — |
| 2026-02-17 14:33:53 UTC | Latest analysis snapshot | 111 days, 4 hours, 57 minutes |
| 2026-02-17 15:23:47 UTC | Report generation time | 111 days, 5 hours, 46 minutes |
Why It Matters
Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.
Global Detection Posture — Who Caught It, Who Missed It
VirusTotal engines: 73. Detected as malicious: 15. Missed: 58. Coverage: 20.5%.
Detected Vendors
- Xcitium
- +14 additional vendors (names not provided)
List includes Xcitium plus an additional 14 vendors per the provided summary.
Missed Vendors
- Acronis
- AhnLab-V3
- Alibaba
- alibabacloud
- ALYac
- Antiy-AVL
- APEX
- Arcabit
- Avira
- Baidu
- BitDefender
- Bkav
- ClamAV
- CMC
- CrowdStrike
- CTX
- Cylance
- Cynet
- DrWeb
- Elastic
- Emsisoft
- F-Secure
- GData
- google_safebrowsing
- Gridinsoft
- huorong
- Jiangmin
- K7AntiVirus
- K7GW
- Kaspersky
- Kingsoft
- Lionic
- Malwarebytes
- MaxSecure
- MicroWorld-eScan
- NANO-Antivirus
- Paloalto
- Panda
- Sangfor
- SentinelOne
- Skyhigh
- SUPERAntiSpyware
- TACHYON
- tehtris
- Tencent
- Trapmine
- TrendMicro
- TrendMicro-HouseCall
- VBA32
- VIPRE
- VirIT
- ViRobot
- Webroot
- Xcitium
- Yandex
- Zillya
- ZoneAlarm
- Zoner
Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.
Behavioral Storyline — How the Malware Operates
Dominant system-level operations (36.70% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.
Behavior Categories (weighted)
Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.
| Category | Weight | Percentage |
|---|---|---|
| System | 4068 | 36.70% |
| Registry | 3173 | 28.63% |
| Misc | 1659 | 14.97% |
| File System | 1016 | 9.17% |
| Process | 368 | 3.32% |
| Device | 250 | 2.26% |
| Crypto | 192 | 1.73% |
| Threading | 176 | 1.59% |
| Services | 65 | 0.59% |
| Com | 34 | 0.31% |
| Synchronization | 29 | 0.26% |
| Network | 28 | 0.25% |
| Windows | 16 | 0.14% |
| Hooking | 10 | 0.09% |
MITRE ATT&CK Mapping
- T1140 – extract zip archive in .NET
- T1140 – decode data using Base64 in .NET
- T1083 – get common file path
- T1012 – query or enumerate registry value
- T1012 – query or enumerate registry key
- T1057 – enumerate processes
- T1518 – enumerate processes
- T1083 – check if file exists
- T1027 – reference Base64 string
- T1033 – get session user name
- T1087 – get session user name
- T1083 – check if directory exists
- T1055 – Creates a process in a suspended state, likely for injection
- T1070.006 – Binary compilation timestomping detected
- T1070 – Binary compilation timestomping detected
- T1497 – Checks for mouse movement
- T1027 – The binary likely contains encrypted or compressed data
- T1027.002 – The binary likely contains encrypted or compressed data
- T1082 – Checks available memory
- T1071 – Attempts to connect to a dead IP:Port
- T1071 – The PE file contains an overlay
- T1573 – Establishes an encrypted HTTPS connection
- T1106 – Guard pages use detected – possible anti-debugging.
- T1036 – Creates files inside the user directory
- T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
- T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
- T1497 – May sleep (evasive loops) to hinder dynamic analysis
- T1027.002 – Binary may include packed or crypted data
- T1070.006 – Binary contains a suspicious time stamp
- T1027 – .NET source code contains long base64-encoded strings
- T1027 – Binary may include packed or crypted data
- T1082 – Queries the volume information (name, serial number etc) of a device
- T1082 – Queries the cryptographic machine GUID
- T1573 – Uses HTTPS
- T1071 – Uses HTTPS
Following the Trail — Network & DNS Activity
Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.
Contacted Domains
| Domain | IP | Country | ASN/Org |
|---|---|---|---|
| www.aieov.com | 13.248.169.48 | United States | Amazon Technologies Inc. |
| www.msftncsi.com | 23.200.3.18 | United States | Akamai Technologies, Inc. |
| psotimim.com | 104.18.31.195 | United States | Cloudflare, Inc. |
Observed IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
DNS Queries
| Request | Type |
|---|---|
| www.msftncsi.com | A |
| 5isohu.com | A |
| psotimim.com | A |
| www.aieov.com | A |
Port Distribution
| Port | Count | Protocols |
|---|---|---|
| 137 | 1 | udp |
| 5355 | 6 | udp |
| 53 | 58 | udp |
| 3702 | 1 | udp |
Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.
Persistence & Policy — Registry and Services
Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.
Registry Opened (Top 25)
| Key |
|---|
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterPrimaryName |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationRefreshInterval |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration |
| HKEY_CURRENT_USER\Software\Microsoft\Avalon.Graphics |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\Global |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UseDomainNameDevolution |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\WaitForNameErrorOnAll |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryIpMatching |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheTtl |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateSecurityLevel |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenUnreachableServers |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|<USER>|Desktop|program.exe |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationTtl |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Net Framework Setup\NDP\v4\Client |
| HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterReverseLookup |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationEnabled |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DirectAccessQueryOrder |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryAdapterName |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableSmartNameResolution |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AllowUnqualifiedQuery |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationOverwrite |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ShareTcpConnections |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableParallelAandAAAA |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DynamicServerQueryOrder |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableSmartProtocolReordering |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Avalon.Graphics\ClassicETW |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterClusterIp |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PrioritizeRecordData |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableWanDynamicUpdate |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DowncaseSpnCauseApiOwnerIsTooLazy |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Client\InstallPath |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheSize |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateTopLevelDomainZones |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PreferLocalOverLowerBindingDNS |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterVPNTrigger |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinSAT\VideoMemoryBandwidth |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Video\{FFD023BC-FA32-4978-85DC-5264033CD8B5}\0000\HardwareInformation.MemorySize |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD |
| HKEY_CLASSES_ROOT\.png\Content Type |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.ReachFramework__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\Dynamic DST |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs |
| HKEY_CLASSES_ROOT\.png |
| HKEY_CURRENT_USER\Software\Microsoft\CTF |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Video\{C118199D-0A13-4C21-8ABF-076C810A61CC}\0000 |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Video\{C118199D-0A13-4C21-8ABF-076C810A61CC}\0000\InstalledDisplayDrivers |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Video\{C118199D-0A13-4C21-8ABF-076C810A61CC}\0000\HardwareInformation.MemorySize |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\08da2fefbd4708fce4b5548c044678c468af412c20066840ed816aa5b8bc6a87.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\C:|Users|azure|Downloads|08da2fefbd4708fce4b5548c044678c468af412c20066840ed816aa5b8bc6a87.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|azure|Downloads|08da2fefbd4708fce4b5548c044678c468af412c20066840ed816aa5b8bc6a87.exe |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|azure|Downloads|08da2fefbd4708fce4b5548c044678c468af412c20066840ed816aa5b8bc6a87.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|Desktop|NotAWord.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\Formats |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\APTCA |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\InProcServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Printing__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\10 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089 |
| HKEY_CURRENT_USER\Software\Microsoft\Direct3D |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81EA0A17-AA39-455B-BA20-EA79A8F98966}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance\{41945702-8302-44A6-9445-AC98E8AFA086} |
| HKEY_CURRENT_USER\Software\Microsoft\Direct3D\Drivers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationFramework__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|Desktop|NotAWord.exe |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\Patterns |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NotAWord.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\8 |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 |
| HKEY_CURRENT_USER\System\CurrentControlSet\Control\GraphicsDrivers\Scheduler |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\Formats |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\13 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationFramework__31bf3856ad364e35 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance\{41945702-8302-44A6-9445-AC98E8AFA086} |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AppContext |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationCore__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationTypes__31bf3856ad364e35 |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization__b77a5c561934e089 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\5 |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\4 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\6 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\2 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\XML |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\12 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.ReachFramework__31bf3856ad364e35 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\4 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance\{fc6ceece-aef5-4a23-96ec-5984ffb486d9} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\Patterns |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InProcServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\5 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Printing__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationProvider__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.WindowsBase__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\10 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\InProcServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Formats |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Formats |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationCore__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.UIAutomationTypes__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.ReachFramework__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\Standards |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\11 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\11 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\InProcServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.FinishProxyTunnelConnectionEarly |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\9 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Input.Manipulations__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Net.Http__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xaml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.SMDiagnostics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\CustomAttributes |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\0 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531fdebf-9b4c-4a43-a2aa-960e8fcdc732}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\standards\v4.0.30319 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InProcServer32 |
| HKEY_CURRENT_USER\Software\Microsoft\Avalon.Graphics\DISPLAY1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.WindowsBase__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\NotAWord.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a1e2b86b-924a-4d43-80f6-8a820df7190f}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationFramework.Aero2__31bf3856ad364e35 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\12 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\14 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.UIAutomationProvider__31bf3856ad364e35 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{FC6CEECE-AEF5-4A23-96EC-5984FFB486D9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\Patterns\0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81d4e9c9-1d3b-41bc-9e6c-4b40bf79e35e}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{a028ae76-01b1-46c2-99c4-acd9858ae02f}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xaml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\7 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer |
| HKEY_CURRENT_USER\Software\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance\{fc6ceece-aef5-4a23-96ec-5984ffb486d9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.PresentationUI__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{B115690A-EA02-48D5-A231-E3578D2FDF80}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\14 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C2CB2CF0-AF47-413E-9780-8BC3A3C16068}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03b5835f-f03c-411b-9ce2-aa23e1171e36}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER\Software\Microsoft\Avalon.Graphics\NULL |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\8 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\9 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\13 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Net.Http__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35 |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\InprocServer32 |
| HKEY_CURRENT_USER_Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationFramework.Aero2__31bf3856ad364e35 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\6 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1070296143-2877979003-364783958-1001\Installer\Assemblies\Global |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1070296143-2877979003-364783958-1001\Installer\Assemblies\C:|Users|user|Desktop|NotAWord.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\2 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{6a498709-e00b-4c45-a018-8f9e4081ae40}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.SMDiagnostics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.PresentationUI__31bf3856ad364e35 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\Interface\{C247F616-BBEB-406A-AED3-F75E656599AE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\System.Net.AllowFullDomainLiterals |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{fc6ceece-aef5-4a23-96ec-5984ffb486d9}\Patterns\0 |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\Patterns\1 |
| HKEY_CURRENT_USER_Classes\.png |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{7C472071-36A7-4709-88CC-859513E583A9}\Category\Category\{6302DE22-A5CF-4B02-BFE8-4D72B2BED3C6} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\program.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InprocServer32 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{2B46E70F-CDA7-473E-89F6-DC9630A2390B}\Instance |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|Desktop|program.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000160-0000-0000-C000-000000000046}\ProxyStubClsid32 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000160-0000-0000-C000-000000000046} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC} |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|Desktop|program.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InprocHandler32 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\Elevation |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\LocalServer32 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA} |
Registry Set (Top 25)
| Key | Value |
|---|---|
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32 | — |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS | — |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32\FileTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32\ConsoleTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32\MaxFileSize | 1048576 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32\FileDirectory | %windir%\tracing |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS\FileTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS\ConsoleTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS\MaxFileSize | 1048576 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS\FileDirectory | %windir%\tracing |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32\EnableFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32\EnableAutoFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASAPI32\EnableConsoleTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS\EnableFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS\EnableAutoFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NotAWord_RASMANCS\EnableConsoleTracing | 0 |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Tracing\program_RASAPI32 | — |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Tracing\program_RASMANCS | — |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASAPI32\FileTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASAPI32\ConsoleTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASAPI32\MaxFileSize | 1048576 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASAPI32\FileDirectory | %windir%\tracing |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASMANCS\FileTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASMANCS\ConsoleTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASMANCS\MaxFileSize | 1048576 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASMANCS\FileDirectory | %windir%\tracing |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASAPI32\EnableFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASAPI32\EnableAutoFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASAPI32\EnableConsoleTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASMANCS\EnableFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASMANCS\EnableAutoFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\program_RASMANCS\EnableConsoleTracing | 0 |
Services Started (Top 15)
| Service |
|---|
| BITS |
| WSearch |
Services Opened (Top 15)
| Service |
|---|
| SSTPSVC |
| VaultSvc |
| clipsvc |
What To Do Now — Practical Defense Playbook
- Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
- EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
- Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
- Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
- Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.
Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.