High-Severity Trojan.Ploutus Detection Confirms Active ATM Cash-Out Threat Activity

  • February 25, 2026

Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-02-25 17:38:15 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: sample.exe
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
SHA‑1: f8bf68cba29aca320ad0bce63b9ce8754915524c
MD5: ae3adcc482edc3e0579e152038c3844e
First Seen: 2018-01-29 16:34:03.746146
Last Analysis: 2018-01-29 16:34:03.746146
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 0+ minutes, this malware was rapidly detected — demonstrating excellent security controls that intercepted the threat during initial execution phases, severely limiting adversary capabilities.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents extremely rapid detection within minutes.

Timeline

Time (UTC) Event Elapsed
2017-01-26 02:45:55 UTC First VirusTotal submission
2026-02-11 07:11:59 UTC Latest analysis snapshot 3303 days, 4 hours, 26 minutes
2026-02-25 17:38:15 UTC Report generation time 3317 days, 14 hours, 52 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 54. Missed: 18. Coverage: 75.0%.

Detected Vendors

  • Xcitium
  • +53 additional vendors (names not provided)

List includes Xcitium plus an additional 53 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Baidu
  • Bkav
  • ClamAV
  • CMC
  • Cynet
  • google_safebrowsing
  • Gridinsoft
  • huorong
  • Jiangmin
  • MaxSecure
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • VBA32
  • Webroot
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (38.66% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 1638 38.66%
Registry 1187 28.02%
Process 486 11.47%
File System 466 11.00%
Misc 169 3.99%
Threading 147 3.47%
Device 59 1.39%
Network 55 1.30%
Synchronization 13 0.31%
Windows 12 0.28%
Crypto 4 0.09%
Hooking 1 0.02%

MITRE ATT&CK Mapping

  • T1055 – write process memory
  • T1083 – check if file exists
  • T1027 – encode data using Base64
  • T1620 – load .NET assembly
  • T1083 – check if directory exists
  • T1027 – encrypt data using AES via .NET
  • T1140 – decode data using Base64 in .NET
  • T1129 – link function at runtime on Windows
  • T1055.004 – inject other processes with apc
  • T1016 – collect network adapter information
  • T1082 – collect system hardware fingerprint info
  • T1010 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1056.001 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1082 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1083 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1012 – SetUnhandledExceptionFilter detected: superseding the top-level exception handler of each thread of a process is a common anti-debug technique.
  • T1095 – Unsuccessful connections attempts were detected (with 1 different IP:Port)
  • T1129 – The process attempted to dynamically load a malicious function
  • T1140 – Detected an attempt to pull out some data from the binary image
  • T1057 – The process has tried to detect the debugger probing the use of page guards.
  • T1129 – The process tried to load dynamically one or more functions.
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1057 – The process attempted to detect a running debugger using common APIs
  • T1010 – A process attempted to delay the analysis task by a long amount of time.
  • T1056.001 – A process attempted to delay the analysis task by a long amount of time.
  • T1082 – A process attempted to delay the analysis task by a long amount of time.
  • T1083 – A process attempted to delay the analysis task by a long amount of time.
  • T1012 – A process attempted to delay the analysis task by a long amount of time.
  • T1010 – Manalize Local SandBox Find Crypto
  • T1056.001 – Manalize Local SandBox Find Crypto
  • T1082 – Manalize Local SandBox Find Crypto
  • T1083 – Manalize Local SandBox Find Crypto
  • T1012 – Manalize Local SandBox Find Crypto
  • T1027.009 – Drops interesting files and uses them
  • T1106 – .NET source code references suspicious native API functions
  • T1574.002 – Tries to load missing DLLs
  • T1036 – Creates files inside the user directory
  • T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
  • T1497 – Contains long sleeps (>= 3 min)
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1140 – .NET source code contains calls to encryption/decryption functions
  • T1027 – Binary may include packed or crypted data
  • T1027.002 – Binary may include packed or crypted data
  • T1027.002 – PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
  • T1027.002 – .NET source code contains method to dynamically call methods (often used by packers)
  • T1027.002 – .NET source code contains potential unpacker
  • T1010 – Sample monitors Window changes (e.g. starting applications), analyze the sample with the simulation cookbook
  • T1018 – Reads the hosts file
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1082 – Queries the cryptographic machine GUID
  • T1082 – Reads software policies
  • T1560 – .NET source code contains calls to encryption/decryption functions
  • T1571 – Detected TCP or UDP traffic on non-standard ports
  • T1095 – Performs DNS lookups
  • T1071 – Uses dynamic DNS services
  • T1071 – Performs DNS lookups

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
58.158.177.102 ARTERIA Networks Corporation
Sumitomo Fudosan Shinbashi Bldg.Shinbashi,6-9-8, minato-ku, Tokyo,105-0004 Japan

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Level 3 Communications, Inc.

DNS Queries

Request Type
usbtest.ddns.net A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Level 3 Communications, Inc.

Port Distribution

Port Count Protocols
137 1 udp
138 1 udp
5355 3 udp
40020 1 tcp
53 1 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.11 192.168.56.255 137 137 3.198014974594116 udp
192.168.56.11 192.168.56.255 138 138 6.199693918228149 udp
192.168.56.11 224.0.0.252 49395 5355 3.1289360523223877 udp
192.168.56.11 224.0.0.252 60463 5355 5.84675407409668 udp
192.168.56.11 224.0.0.252 61495 5355 3.277431011199951 udp
192.168.56.11 239.255.255.250 49480 3702 3.6593360900878906 udp
192.168.56.11 8.8.4.4 56270 53 8.805136919021606 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

Registry Opened: 723
Registry Set: 15
Services Started: 0
Services Opened: 0

\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
\REGISTRY\MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32NumHandleBuckets
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32SpinCount
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\System.Core.ni.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iphlpapi.dll
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gdiplus.dll
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8C6B73CA-C00B-4864-99FA-12B90E0F122A}\DhcpServer
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{8C6B73CA-C00B-4864-99FA-12B90E0F122A}\NameServer
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsaenh.dll
\REGISTRY\MACHINE\Software\Policies\Microsoft\Cryptography
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\Ime File
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Parameters\Transports
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Winsock\HelperDllName
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adsldpc.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATL.DLL
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACTIVEDS.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtutils.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAMLIB.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll
\Registry\Machine\Software\Policies\Microsoft\System\DNSclient
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MPRAPI.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\credui.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dot3api.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCP60.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eappcfg.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\eappprxy.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OneX.DLL
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dot3dlg.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netshell.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINMM.dll
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave3
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave5
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave6
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave7
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave9
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi3
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi5
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi6
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi7
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi9
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux3
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux5
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux6
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux7
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux9
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer3
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer4
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer5
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer6
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer7
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer8
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer9
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TAPI32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RASAPI32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WININET.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WZCSAPI.DLL
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll
\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DHCPCSVC.DLL
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QUtil.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EapolQec.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ESENT.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WZCSvc.DLL
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netman.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WMI.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wlanapi.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\diasymreader.dll
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\DebugApplications
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\DebugApplications
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\PCHealth\ErrorReporting
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\ShowUI
\REGISTRY\MACHINE\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
HKLM\Software\Microsoft\.NETFramework\Policy
HKLM\Software\Microsoft\.NETFramework\Policy\v4.0
HKLM\Software\Microsoft\.NETFramework
HKLM\Software\Microsoft\.NETFramework\InstallRoot
HKLM\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKLM\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKLM\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKCU\Software\Microsoft\.NETFramework\Policy\Standards
HKLM\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKLM\SOFTWARE\Microsoft\Fusion
HKLM\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKLM\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKLM\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKLM\Software\Microsoft\.NETFramework\DisableConfigCache
HKLM\Software\Microsoft\Fusion
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685.exe
HKLM\Software\Microsoft\Fusion\CacheLocation
HKLM\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKLM\Software\Microsoft\Fusion\EnableLog
HKLM\Software\Microsoft\Fusion\LoggingLevel
HKLM\Software\Microsoft\Fusion\ForceLog
HKLM\Software\Microsoft\Fusion\LogFailures
HKLM\Software\Microsoft\Fusion\LogResourceBinds
HKLM\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKLM\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKLM\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKLM\Software\Microsoft\Fusion\DisableMSIPeek
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKLM\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKLM\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKLM\Software\Microsoft\StrongName
HKLM\Software\Microsoft\.NETFramework\FeatureSIMD
HKLM\Software\Microsoft\.NETFramework\AltJit
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\index24
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKLM\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKLM\SOFTWARE\Microsoft\.NETFramework\AppContext
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKLM\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3711686801-687107597-1149503783-1001
HKLM\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKLM\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Microsoft Sans Serif
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3711686801-687107597-1149503783-1001\Installer\Assemblies\C:|Users|admin|Downloads|d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685.exe
HKCU\Software\Microsoft\Installer\Assemblies\C:|Users|admin|Downloads|d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685.exe
HKLM\SOFTWARE\Classes\Installer\Assemblies\C:|Users|admin|Downloads|d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3711686801-687107597-1149503783-1001\Installer\Assemblies\Global
HKCU\Software\Microsoft\Installer\Assemblies\Global
HKLM\SOFTWARE\Classes\Installer\Assemblies\Global
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Display
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Std
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Dlt
HKLM\Software
HKLM\Software\TeamViewer
HKEY_CURRENT_USER\EUDC\1252
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|Desktop|executable.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\executable.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|Desktop|executable.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\Packages
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\executable.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Microsoft Sans Serif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1015118539-3749460369-599379286-1001\Installer\Assemblies\C:|Users|user|Desktop|executable.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-1015118539-3749460369-599379286-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\Compatibility\executable.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST

Registry Set (Top 25)


Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
