Xcitium Logo

Win32 Trojan Archive Masquerades as Benign German ZIP While Hunting Target Processes

  • June 8, 2026
Share with your community:

Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-06-08 08:11:10 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
Alles in dem schuppen.zip
Type
Mozilla Firefox browser extension
SHA‑1
7b2c661cfb69e9c75df90d5102647bb014c28ad5
MD5
First Seen
Last Analysis
Dwell Time
unknown

Extended Dwell Time Impact

For unknown, the dwell time for this case could not be accurately determined from available data.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. The dwell time for this case could not be accurately determined.

Timeline

Time (UTC) Event Elapsed
2026-04-16 11:48:51 UTC First VirusTotal submission
2026-06-05 05:43:20 UTC Latest analysis snapshot 49 days, 17 hours, 54 minutes
2026-06-08 08:11:10 UTC Report generation time 52 days, 20 hours, 22 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 67. Detected as malicious: 46. Missed: 21. Coverage: 68.7%.

Detected Vendors

  • Xcitium
  • +45 additional vendors (names not provided)

List includes Xcitium plus an additional 18 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Avast-Mobile
  • CMC
  • CrowdStrike
  • DeepInstinct
  • DrWeb
  • google_safebrowsing
  • Gridinsoft
  • Kingsoft
  • Microsoft
  • MicroWorld-eScan
  • NANO-Antivirus
  • Panda
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • TrendMicro-HouseCall
  • Trustlook
  • VirIT
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

MITRE ATT&CK Mapping

  • T1129 – Drops a binary and executes it
  • T1082 – Checks available memory
  • T1057 – Expresses interest in specific running processes
  • T1057 – Enumerates running processes
  • T1071 – Terminates another process
  • T1071 – A named pipe was used for inter-process communication
  • T1562 – Tries to unhook or modify Windows functions monitored by CAPE
  • T1055 – Creates a process in a suspended state, likely for injection
  • T1055 – Writes to the memory another process
  • T1070 – Deletes executed files from disk
  • T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
  • T1485 – Anomalous file deletion behavior detected (10+)
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
  • T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
  • T1082 – Queries the cryptographic machine GUID
  • T1082 – Queries the volume information (name, serial number etc) of a device

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

189

Registry Set

0

Services Started

0

Services Opened

0

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\Software\Classes\PackagedCom
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DA35375C-A06A-49AC-9136-31B6C102646B}
HKEY_USERS\S-1-5-18
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\rundll32.exe
HKEY_CURRENT_USER\Software\Classes
HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep
HKEY_USERS\.DEFAULT\Control Panel\International\NumShape
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}\AccessPermission
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{CC7899F5-56C9-44F1-9611-080BFC180FD5}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_USERS\.DEFAULT\Control Panel\International\iCountry
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit
HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_USERS\.DEFAULT\Control Panel\International\iDigits
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName
HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure
HKEY_USERS\.DEFAULT\Control Panel\International\\xed\xa0\xbc\xed\xbc\x8e\xed\xa0\xbc\xed\xbc\x8f\xed\xa0\xbc\xed\xbc\x8d
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping
HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
Show all (189 total)
Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_USERS\.DEFAULT\Control Panel\International\s2359
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\TransparentEnabled
HKEY_USERS\.DEFAULT\Control Panel\International\sThousand
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Alles in dem schuppen.exe
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex
HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits
HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat
HKEY_USERS\.DEFAULT\Control Panel\International
HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign
HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber
HKEY_USERS\.DEFAULT\Control Panel\International\iLZero
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B0957D9C-810B-4DE0-9C5E-48DB09C5B413}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{de5d803e-5d2a-4b5f-9c63-af25a465cc44}\AuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC7899F5-56C9-44F1-9611-080BFC180FD5}
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_USERS\.DEFAULT\Control Panel\International\s1159
HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime
HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr
HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{5EDBC3E0-49BB-4E0D-860F-80037D14E735}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\rundll32.exe\AppID
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek
HKEY_USERS\.DEFAULT\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Statement of account0413.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_USERS\.DEFAULT\Control Panel\International\sList
HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear
HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{DA35375C-A06A-49AC-9136-31B6C102646B}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\AuthenticodeEnabled
HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{00000323-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000323-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\MUI\Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000323-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unarchiver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Cryptography\DESHashSessionKeyBackward
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows\Display
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\unarchiver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PropertyBag
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unarchiver.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\7za.exe
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Cryptography\Offload
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{00000323-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\Control Panel\International
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\Windows NT\Rpc
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Rpc
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Rpc\Extensions

Registry Set (Top 25)

Services Started (Top 15)

Services Opened (Top 15)

Like what you see? Share with a friend.