Zero‑Dwell Threat Intelligence Report
A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-08-27 21:37:22 UTC
Executive Overview — What We’re Dealing With
This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.
File
286d31758d33ced461aad858bc2bb31851f17f7f
Type
PE32+ executable (console) x86-64, for MS Windows
SHA‑1
286d31758d33ced461aad858bc2bb31851f17f7f
MD5
9ad33fdb057d037f618c6fcf801b33c3
First Seen
2025-08-21 20:37:11
Last Analysis
2025-08-27 22:33:34
Dwell Time
6 days, 1 hours, 56 minutes
Extended Dwell Time Impact
For 5+ days, this malware remained undetected — an unusually long window that granted the adversary the ability to persist, recon, and potentially exfiltrate data with zero alerts.
Comparative Context
Industry studies report a median dwell time closer to 21–24 days. This case doubles that benchmark, highlighting a severe detection gap.
Timeline
| Time (UTC) | Event | Elapsed |
|---|---|---|
| 2025-08-21 20:37:11 UTC | First VirusTotal submission | — |
| 2025-08-27 10:12:34 UTC | Latest analysis snapshot | 5 days, 13 hours, 35 minutes |
| 2025-08-27 21:37:22 UTC | Report generation time | N/A |
Why It Matters
Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.
Global Detection Posture — Who Caught It, Who Missed It
VirusTotal engines: 77. Detected as malicious: 41. Missed: 32. Coverage: 53.2%.
Detected Vendors
- Xcitium
- +40 additional vendors (names not provided)
List includes Xcitium plus an additional 40 vendors per the provided summary.
Missed Vendors
- Acronis
- AhnLab-V3
- Alibaba
- Antiy-AVL
- Avira
- Baidu
- ClamAV
- CMC
- DrWeb
- Elastic
- Gridinsoft
- huorong
- Jiangmin
- K7AntiVirus
- K7GW
- Malwarebytes
- NANO-Antivirus
- Panda
- Rising
- Sangfor
- SUPERAntiSpyware
- TACHYON
- tehtris
- Trapmine
- VBA32
- VirIT
- ViRobot
- Webroot
- Yandex
- Zillya
- ZoneAlarm
- Zoner
Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.
Behavioral Storyline — How the Malware Operates
This threat blends evasive checks with data collection and outbound communications. Behavior tags point to sandbox detection, prolonged sleeps, registry reconnaissance, and encrypted egress — a classic quiet‑then‑talk pattern.
Behavior Categories (weighted)
- hooking: 0.00%
- threading: 0.00%
- windows: 0.00%
- misc: 0.01%
- system: 0.09%
- crypto: 99.75%
- process: 0.02%
- synchronization: 0.00%
- registry: 0.11%
- file system: 0.02%
- device: 0.00%
MITRE ATT&CK Mapping
- T1497 – Virtualization/Sandbox Evasion (checks BIOS/WMI; long sleeps)
- T1113 – Screen Capture (WinAPI)
- T1056.001 – Input Capture: Keylogging (global keyboard hook)
- T1012 – Query Registry (policy & crypto OID keys)
- T1071.001 – Web Protocols (HTTPS to external IP lookup service)
- T1105 – Ingress Tool Transfer / C2 data (socket/HTTP usage)
Following the Trail — Network & DNS Activity
Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.
Contacted Domains
| Domain | IP | Country | ASN/Org |
|---|---|---|---|
| www.aieov.com | 13.248.169.48 | United States | Amazon Technologies Inc. |
Observed IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
DNS Queries
| Request | Type |
|---|---|
| 5isohu.com | A |
| www.aieov.com | A |
Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.
Persistence & Policy — Registry and Services
Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.
Registry Opened
303
Registry Set
21
Services Started
2
Services Opened
3
Registry Opened
| Key |
|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\CustomAttributes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Threading |
| HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\powershell.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\C:|Windows|System32|WindowsPowerShell|v1.0|powershell.exe.Config |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Permissions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\FeatureBits |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivationType |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\TrustLevel |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9F3053C5-439D-4BF7-8A77-04F0450A1D9F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\DllPath |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global |
| HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\Global |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateInSharedBroker |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Server |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateInBrokerForMediumILContainer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis |
| HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseRyuJIT |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateOnHostFlags |
| HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateAsUser |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Windows|System32|WindowsPowerShell|v1.0|powershell.exe.Config |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\RemoteServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\HillClimbing_TargetSignalToNoiseRatio |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense |
| HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0 |
| HKEY_LOCAL_MACHINE\Software\Classes |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\My\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates |
| HKEY_LOCAL_MACHINE\Software\Policies |
| HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\IdentityStore\Cache\S-1-5-21-4226853953-3309226944-3078887307-1000 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{170AE69C-48AA-4CE8-8459-2B0326B81E25} |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\My |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\3e\52C64B7E |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25} |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2AA82B95-4015-4391-B755-F55EDC24BA17} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\My\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\StoreInit |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\defendnot |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\SystemMetaData |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\My\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nitro5 |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\CRLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\CRLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\CTLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display |
| HKEY_LOCAL_MACHINE\System\Setup |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration |
| HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Ole |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\2. xmpeg_lite_install.exe |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Display |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache |
| HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseRyuJIT |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7 |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Client-built.exe |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7 |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Std |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\ |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7 |
| HKEY_CURRENT_USER\Software\Microsoft\.NETFramework |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0 |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax |
| Policy\Standards |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SystemDefaultTlsVersions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Dlt |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7\Name |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7d\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallationType |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Display |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\TZI |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting |
| HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Dlt |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Std |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\Dynamic DST |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\v4.0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7AD0F0FC-7043-4A81-BBFA-9F68ADC97122} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.2.SharpDX.Direct3D11__b4dcf0f35e5521f1 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.protobuf-net__257b51d87d2e4d67 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SecurityHealthService.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_CURRENT_USER\NULL |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8956DE3F-472B-4FBC-AF5F-748F61CBC386} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\DenyList\System.Memory, Version=4.0.1.2, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D71BECE8-17B8-4636-832C-D010D4F847F7} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.2.SharpDX.Mathematics__b4dcf0f35e5521f1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5FEEED48-1AE6-4C15-9D6E-27DD3DF6CAC8} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.CompilerServices.Unsafe__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.protobuf-net__257b51d87d2e4d67 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.protobuf-net.Core__257b51d87d2e4d67 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\standards\v4.0.30319 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDD8A353-2577-40A0-BB02-22A99A86B34F} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.2.SharpDX__b4dcf0f35e5521f1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\DenyList\System.Buffers, Version=4.0.3.0, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Memory__cc7b13ffcd2ddd51 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Buffers__cc7b13ffcd2ddd51 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.2.SharpDX.Mathematics__b4dcf0f35e5521f1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.SMDiagnostics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Memory__cc7b13ffcd2ddd51 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a |
| HKEY_CURRENT_USER\Control Panel\International |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.SMDiagnostics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global |
| HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{15C23079-E719-4E7C-BD9C-F20983A9480F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.2.SharpDX.DXGI__b4dcf0f35e5521f1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|user|Desktop|Client-built.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\DenyList\System.Collections.Immutable, Version=7.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2A6D7C6-ECBD-439E-9244-9E784608439F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.7.0.System.Collections.Immutable__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3C03EBDD-BE8F-4E39-8B9C-EA0B1EA8395C} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|Desktop|Client-built.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{37529A8C-668C-4D7B-8EC0-FFB545A337FC} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A} |
| HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.CompilerServices.Unsafe__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\32\52C64B7E |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CleanPC |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.2.SharpDX.DXGI__b4dcf0f35e5521f1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.2.SharpDX.Direct3D11__b4dcf0f35e5521f1 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089 |
| HKEY_CURRENT_USER_Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler32 |
| HKEY_CURRENT_USER_Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{136FECC8-05C4-4DEA-AC27-4C0666C20320} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceModel.Internals__31bf3856ad364e35 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.AllowFullDomainLiterals |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F99A566C-42AE-4DE2-AD4D-D297A04C5433} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer32 |
| HKEY_CURRENT_USER_Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.protobuf-net.Core__257b51d87d2e4d67 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
| HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Buffers__cc7b13ffcd2ddd51 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\DenyList\System.Runtime.CompilerServices.Unsafe, Version=6.0.3.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB} |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD032184-B0DE-4962-BBAC-146621F0770E} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.FinishProxyTunnelConnectionEarly |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.6.0.System.Runtime.CompilerServices.Unsafe__b03f5f7f11d50a3a |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocHandler32 |
Registry Set
| Key | Value |
|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\C:\bnpzo\sqsa.exe | \xcf\xf1\xac\x5c\xa5\x14\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%WINDIR%\System32\cmd.exe | \x3b\xf1\x22\x59\xa5\x14\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe | \xea\x88\xca\x4c\xa5\x14\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect | 0x00000000 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTime | \x6e\x07\x76\x56\xa5\x14\xdc\x01 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\EncodedCtl | \x30\x83\x02\xe3\x8e\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x83\x02\xe3\x7e\x30\x83\x02\xe3\x79\x02\x01\x01\x31\x0f\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x30\x83\x02\xd3\xe7\x06\x09\x2b\x06\x01\x04\x01\x82\x37\x0a\x01\xa0\x83\x02\xd3\xd7\x30\x83\x02\xd3\xd2\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x0a\x03… |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTime | \x99\x73\xc5\x56\xa5\x14\xdc\x01 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\Author | https://github.com/es3n1n/defendnot |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\Triggers | \x17\x00\x00\x00\x00\x00\x00\x00\x00\xdc\xe7\x6c\x98\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xdc\xe7\x6c\x98\x00\x00\x00\xff\xff\xff\xff\xff\xff\xff\xff\x08\x21\x42\x43\x48\x48\x48\x48\x25\xb8\x9f\x8e\x48\x48\x48\x48\x0e\x00\x00\x00\x48\x48\x48\x48\x41\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x00\x00\x48\x48\x00\x00\x00\x00\x48… |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000\RefCount | \x06\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17}\Schema | 0x00010002 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17}\Actions | \x03\x00\x0c\x00\x00\x00\x41\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x66\x66\x00\x00\x00\x00\x3e\x00\x00\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x77\x00\x73\x00\x63\x00\x72\x00\x69\x00\x70\x00\x74\x00\x2e\x00\x65… |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\DynamicInfo | \x03\x00\x00\x00\x15\xb4\xdb\x56\xa5\x14\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\defendnot\Index | 0x00000001 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2aa82b95-4015-4391-b755-f55edc24ba17}\DynamicInfo | \x03\x00\x00\x00\x56\x97\xf2\x58\xa5\x14\xdc\x01\x0b\x86\x1d\x6c\xa5\x14\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\URI | \defendnot |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nitro5\SD | \x01\x00\x04\x80\x78\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x64\x00\x04\x00\x00\x00\x00\x10\x18\x00\x9f\x01\x1f\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00\x00\x10\x14\x00\x9f\x01\x1f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x10\x18\x00\xff\x01\x1f\x00\x01\x02\x00\x00\x00… |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17}\URI | \nitro5 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\Path | \defendnot |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\Actions | \x03\x00\x0c\x00\x00\x00\x41\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x66\x66\x00\x00\x00\x00\x56\x00\x00\x00\x43\x00\x3a\x00\x5c\x00\x55\x00\x73\x00\x65\x00\x72\x00\x73\x00\x5c\x00\x50\x00\x75\x00\x62\x00\x6c\x00\x69\x00\x63\x00\x5c\x00\x4d\x00\x75\x00\x73\x00\x69\x00\x63\x00\x5c\x00\x73\x00\x74\x00\x72\x00\x65\x00\x61\x00\x6d\x00\x5c… |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\defendnot\Id | {170AE69C-48AA-4CE8-8459-2B0326B81E25} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17}\Path | \nitro5 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17}\Hash | \x62\x0d\x6d\xf7\x6c\x3e\xfc\xa5\xb4\x96\x29\xff\x63\x6b\xcf\x2f\xdf\x6f\x1a\x89\x40\x7e\xad\xca\xcf\x23\xb8\xef\x0c\xb9\x9a\x1b |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17}\Triggers | \x17\x00\x00\x00\x00\x00\x00\x00\x01\x07\x01\x00\x00\x00\x01\x00\x80\x84\xda\x9f\xe8\x5b\xdb\x01\x01\x60\x40\x29\xdf\x01\x00\x00\x80\x3e\x48\xcd\x16\x26\xe8\x01\x40\xa1\x40\x02\x48\x48\x48\x48\x5a\x29\xb3\x69\x48\x48\x48\x48\x0e\x00\x00\x00\x48\x48\x48\x48\x41\x00\x75\x00\x74\x00\x68\x00\x6f\x00\x72\x00\x00\x00\x48\x48\x00\x00\x00\x00\x48… |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\defendnot\SD | \x01\x00\x04\x80\x78\x00\x00\x00\x88\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x02\x00\x64\x00\x04\x00\x00\x00\x00\x10\x18\x00\x9f\x01\x1f\x00\x01\x02\x00\x00\x00\x00\x00\x05\x20\x00\x00\x00\x20\x02\x00\x00\x00\x10\x14\x00\x9f\x01\x1f\x00\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00\x00\x10\x18\x00\xff\x01\x1f\x00\x01\x02\x00\x00\x00… |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nitro5\Id | {2AA82B95-4015-4391-B755-F55EDC24BA17} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\Hash | \xfa\xbf\x4b\xf5\xbd\x35\xaa\x81\xf1\x8a\xfd\x9d\xcd\x1f\x4a\x48\xb8\x61\x19\xd5\x1d\x2a\xc7\xcf\x84\xf5\x39\x5d\x50\x63\x87\xe2 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{170AE69C-48AA-4CE8-8459-2B0326B81E25}\Schema | 0x00010002 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\nitro5\Index | 0x00000003 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2AA82B95-4015-4391-B755-F55EDC24BA17}\DynamicInfo | \x03\x00\x00\x00\x56\x97\xf2\x58\xa5\x14\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75 | \x05\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x01\x01\x00\x59\x0f\x1c\x01\x04\x00\x83\x00\x02\x00\x07\x80\x0b\x01\x24\x00\x66\x00\x66\x00\x73\x96\x00\x00\x00\x00\x38\x01\x24\x00\x66\x00\xf9\xf9\x09\x00\x76\x00\x00\x00\x59\x00\x00\x00\x73\x68\x65\x6c\x6c\x5c\x72\x6f\x61\x6d\x69\x6e\x67\x5c\x73\x65\x74\x74\x69\x6e\x67\x73\x79\x6e\x63… |
| HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile | Binary Data |
Services Started
| Service | Display Name |
|---|---|
| BITS | — |
| WSearch | — |
Services Opened
| Service | Display Name |
|---|---|
| VaultSvc | — |
| clipsvc | — |
| wscsvc | — |
Registry Set
| Key | Value |
|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\EnableFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\EnableAutoFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\EnableConsoleTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\FileTracingMask | 18446744073709486080 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\ConsoleTracingMask | 18446744073709486080 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\MaxFileSize | 1048576 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\FileDirectory | %windir%\tracing |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\EnableFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\EnableAutoFileTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\EnableConsoleTracing | 0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\FileTracingMask | 18446744073709486080 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\ConsoleTracingMask | 18446744073709486080 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\MaxFileSize | 1048576 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\FileDirectory | %windir%\tracing |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config\LastKnownGoodTime | K\xa7\xea\x05\xda\x0c\xdc\x01 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Client-built_RASAPI32 | |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Client-built_RASMANCS | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\FileTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASAPI32\ConsoleTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\FileTracingMask | -65536 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Client-built_RASMANCS\ConsoleTracingMask | -65536 |
Transport & Telemetry — TLS, HTTP, IP, IDS
The sample leans on encrypted transport and benign‑looking hosts, but the patterns still betray it: JA3/JA4 hints, cert chains, and IDS metadata are enough to anchor hunting queries.
TLS Sessions
| Subject CN | Issuer CN | Serial | TLS | SNI | JA3 | JA4 |
|---|---|---|---|---|---|---|
| ipwho.is | GoGetSSL ECC DV CA | 68cc9ded8945f97bd499e7c58b3ca6c2 | TLS 1.2 | ipwho.is | 3b5074b1b5d032e5620f69f9f700ff0e | t12d210700_76e208dd3e22_2dae41c691ec |
| cojkor grway | cojkor grway | 00db2acbe81874557b8180eaae48b518d4b293dd95 | TLS 1.2 | c12f54a3f91dc7bafd92cb59fe009a35 | t12i210600_76e208dd3e22_2dae41c691ec | |
| cojkor grway | cojkor grway | 00db2acbe81874557b8180eaae48b518d4b293dd95 | TLS 1.2 | 43016d7f7f9336b17c884650d0d2545d | t12i180600_4b22cbed5bed_2dae41c691ec | |
| ipwho.is | GoGetSSL ECC DV CA | 68cc9ded8945f97bd499e7c58b3ca6c2 | TLS 1.2 | ipwho.is | 6a5d235ee78c6aede6a61448b4e9ff1e | t12d180700_4b22cbed5bed_2dae41c691ec |
IP Traffic
| Dest IP | Dest Port | Proto |
|---|---|---|
| 1.1.1.1 | TCP | |
| 104.18.20.213 | 443 | TCP |
| 104.18.21.213 | 443 | TCP |
| 178.33.45.159 | 80 | TCP |
| 184.27.218.92 | 80 | TCP |
| 192.168.0.45 | 443 | TCP |
| 20.69.140.28 | 443 | TCP |
| 20.99.133.109 | 443 | TCP |
| 23.195.81.59 | 443 | TCP |
| 23.195.81.72 | 443 | TCP |
IDS Alerts
| Signature | Severity | Category | Src IP | Dst IP | Src Port | Dst Port |
|---|---|---|---|---|---|---|
| 8.8.8.8 | 53 | |||||
What To Do Now — Practical Defense Playbook
- Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
- EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
- Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
- Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
- Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.
Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.