e007d40c05a5002976117c1f54683c69e638ae0a


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-11 12:34:07 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
e007d40c05a5002976117c1f54683c69e638ae0a
Type
Win32 EXE
SHA‑1
e007d40c05a5002976117c1f54683c69e638ae0a
MD5
b50edb4d4920a0d4b7ce925031e56075
First Seen
2025-09-05 07:18:21.120463
Last Analysis
2025-09-05 10:02:36.518167
Dwell Time
0 days, 2 hours, 44 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-04 00:30:51 UTC First VirusTotal submission
2025-09-09 07:41:24 UTC Latest analysis snapshot 5 days, 7 hours, 10 minutes
2025-09-11 12:34:07 UTC Report generation time 7 days, 12 hours, 3 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 54. Missed: 19. Coverage: 74.0%.

Detected Vendors

  • Xcitium
  • +53 additional vendors (names not provided)

List includes Xcitium plus an additional 53 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • ClamAV
  • CMC
  • DrWeb
  • Jiangmin
  • MaxSecure
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • TrendMicro
  • VBA32
  • VirIT
  • ViRobot
  • Webroot
  • Yandex
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (88.06% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 59 88.06%
Process 4 5.97%
File System 2 2.99%
Registry 2 2.99%

MITRE ATT&CK Mapping

  • T1027.002 – packed with UPX
  • T1027.002 – packed with generic packer
  • T1548.002 – Attempts to disable UAC
  • T1564 – Attempts to interact with an Alternate Data Stream (ADS)
  • T1562 – Tries to unhook or modify Windows functions monitored by CAPE
  • T1112 – Attempts to disable UAC
  • T1548 – Attempts to disable UAC
  • T1070 – Deletes executed files from disk
  • T1064 – A scripting utility was executed
  • T1562.001 – Tries to unhook or modify Windows functions monitored by CAPE
  • T1027 – The binary likely contains encrypted or compressed data
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary likely contains encrypted or compressed data
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1564.004 – Attempts to interact with an Alternate Data Stream (ADS)
  • T1539 – Touches a file containing cookies, possibly for information gathering
  • T1082 – Checks available memory
  • T1082 – Collects information to fingerprint the system
  • T1057 – Expresses interest in specific running processes
  • T1057 – Enumerates running processes
  • T1012 – Collects information to fingerprint the system
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – Reads data out of its own binary image
  • T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
  • T1106 – Guard pages use detected – possible anti-debugging.
  • T1059 – A scripting utility was executed
  • T1005 – Attempts to access Bitcoin/ALTCoin wallets
  • T1485 – Anomalous file deletion behavior detected (10+)
  • T1047 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • T1047 – Queries process information (via WMI, Win32_Process)
  • T1047 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  • T1543.003 – Creates or modifies windows services
  • T1547.008 – Spawns drivers
  • T1055 – May try to detect the Windows Explorer process (often used for injection)
  • T1036 – Creates files inside the user directory
  • T1036 – Creates files inside the program directory
  • T1036 – Creates a directory in C:\Program Files
  • T1562.001 – Disables UAC (registry)
  • T1497 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • T1497 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1027 – Sample is packed with UPX
  • T1027.002 – Sample is packed with UPX
  • T1003 – Tries to harvest and steal browser information (history, passwords, etc)
  • T1056 – Installs a raw input device (often for capturing keystrokes)
  • T1056 – Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook
  • T1518.001 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • T1518.001 – Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
  • T1057 – May try to detect the Windows Explorer process (often used for injection)
  • T1057 – Queries a list of all running processes
  • T1083 – Reads ini files
  • T1082 – Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
  • T1082 – Queries a list of all running drivers
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1082 – Queries process information (via WMI, Win32_Process)
  • T1082 – Queries the cryptographic machine GUID
  • T1005 – Found many strings related to Crypto-Wallets (likely being stolen)
  • T1005 – Tries to harvest and steal browser information (history, passwords, etc)
  • T1005 – Tries to steal Crypto Currency Wallets

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 4 udp
53 2 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.14 192.168.56.255 137 137 3.0794520378112793 udp
192.168.56.14 224.0.0.252 51209 5355 3.009038209915161 udp
192.168.56.14 224.0.0.252 53401 5355 4.550171136856079 udp
192.168.56.14 224.0.0.252 55094 5355 5.563530206680298 udp
192.168.56.14 224.0.0.252 55848 5355 3.009329080581665 udp
192.168.56.14 8.8.4.4 52815 53 7.406171083450317 udp
192.168.56.14 8.8.8.8 52815 53 8.406370162963867 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

540

Registry Set

117

Services Started

11

Services Opened

7

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\WBEM\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\LocalServer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\FeatureBits
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ProgIdIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
Show all (540 total)
Key
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\Software\Classes\PackagedCom
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WbemScripting.SWbemLocator
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\WBEM\Scripting\Default Impersonation Level
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\MachineGuid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\9
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TypeLibIndex
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76A64158-CB41-11D1-8B02-00600806D9B6}\InprocHandler32
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&RDCAMERA_BUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\HostActivityManager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\3000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\TS_USB_HUB_ENUMERATOR\UMB\2&30D3618&0&TS_USB_HUB\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentials
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsWhenNTLMOnly
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0050
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TERMINPUT_BUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsDomain
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TSBUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\DeviceSetup
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\StoreInit
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnly
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TERMINPUT_BUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\TS_USB_HUB_ENUMERATOR\UMB\2&30D3618&0&TS_USB_HUB\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\A\{661c9ca4-71e7-7f9f-aac6-f897d0e55af2}\LocalState
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache
HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverPackages
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\DRIVERS\DriverDatabase\DriverInfFiles
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop
\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TS_USB_HUB_ENUMERATOR\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TSBUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}
HKEY_LOCAL_MACHINE\Software\Microsoft\IdentityStore\Cache\S-1-5-21-4226853953-3309226944-3078887307-1000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SWD\PRINTENUM\PRINTQUEUES\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\3e\52C64B7E
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0008
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsWhenNTLMOnlyDomain
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TS_USB_HUB_ENUMERATOR\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0002
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SWD\PRINTENUM\PRINTQUEUES\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\Licensing Core
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentials
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&RDCAMERA_BUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Device Metadata\ActiveDownloads
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\8E0AB23F67466F9DCFBC70CDA92B2150FEA46EC3
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\SystemMetaData
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnlyDomain
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CTLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\Software\Microsoft
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CRLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs
\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\3e\52C64B7E
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\E311719FEBBDC9C22045766815DCF9CC89F33198
\REGISTRY\A\{66f02be0-2da6-f940-4b8c-c97fe3e29a11}\LocalState
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\ED0576D08205C17885676D5FF77C7476F52E69E9
\REGISTRY\A\{6351c177-344f-ed29-e079-57f11728e63b}\LocalState
\REGISTRY\A\{768c0818-5324-fdb3-43ce-1b02f8acf764}\LocalState
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\988CAF2A7F85A5112E796A74FA81C802F1D293CC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{a499fa48-7057-4ac1-9702-44c6fd924058}
HKEY_CURRENT_USER\Software\Microsoft\LanguageOverlay\UpdateFailures
\REGISTRY\A\{bff4431e-3a3d-7151-ced0-fde29bfcab4a}\LocalState
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\UpdateFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0edea23a-3dec-41c3-b03e-bc7a3356d6bc}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50dddd38-168c-486b-966f-a23226488295}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\1B253EC2D2B0E223FB16276A25ABCA527098A4E6
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{00000346-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F99A566C-42AE-4DE2-AD4D-D297A04C5433}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{00000339-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\Forward
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000344-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{0000034B-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD032184-B0DE-4962-BBAC-146621F0770E}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0000032A-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SecurityHealthService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5FEEED48-1AE6-4C15-9D6E-27DD3DF6CAC8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{00000352-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000034B-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000346-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{0000032A-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000339-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020421-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{00000352-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{00000339-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000346-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{00000346-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ProgIdIndex\WbemScripting.SWbemLocator
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000339-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000032A-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\InprocServer32
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler32
HKEY_CURRENT_USER\SOFTWARE\Valve\Steam
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{0000034B-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{0000032A-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020421-0000-0000-C000-000000000046}\Elevation
HKEY_CURRENT_USER\SOFTWARE\Classes\tg\shell\open\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000344-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0000034B-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2A6D7C6-ECBD-439E-9244-9E784608439F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020420-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000352-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{15C23079-E719-4E7C-BD9C-F20983A9480F}
HKEY_CURRENT_USER\Software\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{37529A8C-668C-4D7B-8EC0-FFB545A337FC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000352-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8956DE3F-472B-4FBC-AF5F-748F61CBC386}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\filezila32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020421-0000-0000-C000-000000000046}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{00000344-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7AD0F0FC-7043-4A81-BBFA-9F68ADC97122}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D71BECE8-17B8-4636-832C-D010D4F847F7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{136FECC8-05C4-4DEA-AC27-4C0666C20320}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3C03EBDD-BE8F-4E39-8B9C-EA0B1EA8395C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDD8A353-2577-40A0-BB02-22A99A86B34F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{00000344-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0}

Registry Set (Top 25)

Key Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000\RegFiles0000 \x00
HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000\RegFilesHash \xc3\xb9\xec\xc3\x1aK\xa7\xcexZ\xbaa\xc6\x98E\xff\x8e\x8d\x01\x82\x03}x\x835:%\xd1\xf4\x03v#
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TSBUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A 4294901767
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000\RefCount \x05\x00\x00\x00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\3000 4294901778
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate \x8e\x0a\xb2\x3f\x67\x46\x6f\x9d\xcf\xbc\x70\xcd\xa9\x2b\x21\x50\xfe\xa4\x6e\xc3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TERMINPUT_BUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A 4294901767
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&TS_USB_HUB_ENUMERATOR\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A 4294901767
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SWD\PRINTENUM\PRINTQUEUES\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A 4294901767
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\Flags 0x00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0002 4294901777
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0069 4294901767
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\8E0AB23F67466F9DCFBC70CDA92B2150FEA46EC3\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x8e\x0a\xb2\x3f\x67\x46\x6f\x9d\xcf\xbc\x70\xcd\xa9\x2b\x21\x50\xfe\xa4\x6e\xc3\x02\x00\x00\x00\x01\x00\x00\x00\x9c\x00\x00\x00\x1c\x00\x00\x00\x3c\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x54\x00\x53\x00\x53\x00\x65\x00\x63\x00\x4b\x00\x65…
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\TS_USB_HUB_ENUMERATOR\UMB\2&30D3618&0&TS_USB_HUB\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A 4294901767
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertStore Remote Desktop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\SessionNumber \x0b\x00\x00\x00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\UMB\UMB\1&841921D&0&RDCAMERA_BUS\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A 4294901767
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A 4294901778
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0008\en-US 4294901776
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings\LastLSMInstanceID 73a1a17c-9d36-4504-9e35-c19870b
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\LastActiveTime \xb1\xfe\x8d\xe9\x19\x1e\xdc\x01
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0050 4294909970
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceContainers\{00000000-0000-0000-FFFF-FFFFFFFFFFFF}\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A 4294901767
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance\LastNotificationAddedTime REG_QWORD
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 \xbc\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x02\x06\x00\x00\x00\x00\x00\x05\x00\x00\x00\x6b\x50\x7e\x00\x02\x00\x00\x00\x87\xde\x83\x00\x02\x00\x00\x00\x90\xa6\xa1\x01\x9e\x02\x00\x00\xa1\x9f\x5e\x00\x04\x00\x00\x00\xdb\xb4\xef\x00\x01\x00\x00\x00\xfe\xd3\x7a\x00\x05\x00\x01\x00\x00\x00\x08\x00\x00\x00\x18\x7d\xc7\x00\xf3\x00\x00…
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2\Epoch 0x00000009
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ITT REG_QWORD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnly\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsDomain\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\fDenyChildConnections 0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentials\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsWhenNTLMOnly\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnlyDomain\RD Child Sessions vs-debug/localhost
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\ICT REG_QWORD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsWhenNTLMOnlyDomain\RD Child Sessions vs-debug/localhost
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT REG_QWORD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentials\RD Child Sessions vs-debug/localhost
\REGISTRY\A\{661c9ca4-71e7-7f9f-aac6-f897d0e55af2}\LocalState\PeekBadges 100000012
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTime \x01\x82\xcd\xbe\x0d\x1e\xdc\x01
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\EncodedCtl \x30\x83\x02\xe4\xcf\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x83\x02\xe4\xbf\x30\x83\x02\xe4\xba\x02\x01\x01\x31\x0f\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x30\x83\x02\xd5\x28\x06\x09\x2b\x06\x01\x04\x01\x82\x37\x0a\x01\xa0\x83\x02\xd5\x18\x30\x83\x02\xd5\x13\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x0a\x03…
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\LastActiveTime \x95\x51\x28\xc5\x0d\x1e\xdc\x01
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate \x80\x82\x50\xc7\xf4\x3e\x42\x60\x90\x8b\x2d\x88\x4d\x4a\x9d\x0c\xa5\xdf\x81\xe1
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\808250C7F43E4260908B2D884D4A9D0CA5DF81E1\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x80\x82\x50\xc7\xf4\x3e\x42\x60\x90\x8b\x2d\x88\x4d\x4a\x9d\x0c\xa5\xdf\x81\xe1\x02\x00\x00\x00\x01\x00\x00\x00\x9c\x00\x00\x00\x1c\x00\x00\x00\x3c\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x54\x00\x53\x00\x53\x00\x65\x00\x63\x00\x4b\x00\x65…
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000\RefCount \x06\x00\x00\x00
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings\LastLSMInstanceID ed9d5f84-ed6d-4395-99fc-506c79c
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75 \x05\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x01\x01\x00\x59\x0f\x1c\x01\x04\x00\x83\x00\x02\x00\x07\x80\x0b\x01\x24\x00\x66\x00\x66\x00\x73\x96\x00\x00\x00\x00\x38\x01\x24\x00\x66\x00\xf9\xf9\x09\x00\x76\x00\x00\x00\x59\x00\x00\x00\x73\x68\x65\x6c\x6c\x5c\x72\x6f\x61\x6d\x69\x6e\x67\x5c\x73\x65\x74\x74\x69\x6e\x67\x73\x79\x6e\x63…
Show all (117 total)
Key Value
\REGISTRY\A\{746d7dea-b13d-715c-58b3-ffedd5b49033}\LocalState\PeekBadges 100000012
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\E311719FEBBDC9C22045766815DCF9CC89F33198\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\xe3\x11\x71\x9f\xeb\xbd\xc9\xc2\x20\x45\x76\x68\x15\xdc\xf9\xcc\x89\xf3\x31\x98\x02\x00\x00\x00\x01\x00\x00\x00\x9c\x00\x00\x00\x1c\x00\x00\x00\x3c\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x54\x00\x53\x00\x53\x00\x65\x00\x63\x00\x4b\x00\x65…
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings\LastLSMInstanceID 761ac373-634a-4630-83e6-c5704d3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\LastActiveTime \x2c\x8f\xbe\x0e\xb4\x1d\xdc\x01
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate \xe3\x11\x71\x9f\xeb\xbd\xc9\xc2\x20\x45\x76\x68\x15\xdc\xf9\xcc\x89\xf3\x31\x98
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 \xb9\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x02\x06\x00\x00\x00\x00\x00\x05\x00\x00\x00\x6b\x50\x7e\x00\x02\x00\x00\x00\x87\xde\x83\x00\x02\x00\x00\x00\x90\xa6\xa1\x01\xa0\x02\x00\x00\xa1\x9f\x5e\x00\x04\x00\x00\x00\xdb\xb4\xef\x00\x01\x00\x00\x00\xfe\xd3\x7a\x00\x05\x00\x01\x00\x00\x00\x08\x00\x00\x00\x18\x7d\xc7\x00\xee\x00\x00…
\REGISTRY\A\{66f02be0-2da6-f940-4b8c-c97fe3e29a11}\LocalState\PeekBadges 100000012
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\ED0576D08205C17885676D5FF77C7476F52E69E9\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\xed\x05\x76\xd0\x82\x05\xc1\x78\x85\x67\x6d\x5f\xf7\x7c\x74\x76\xf5\x2e\x69\xe9\x02\x00\x00\x00\x01\x00\x00\x00\x9c\x00\x00\x00\x1c\x00\x00\x00\x3c\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x54\x00\x53\x00\x53\x00\x65\x00\x63\x00\x4b\x00\x65…
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings\LastLSMInstanceID ae19dfd8-1a7d-4fc7-a819-14d1529
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate \xed\x05\x76\xd0\x82\x05\xc1\x78\x85\x67\x6d\x5f\xf7\x7c\x74\x76\xf5\x2e\x69\xe9
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\LastActiveTime \x04\xad\xa9\x62\xeb\x1e\xdc\x01
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 \xb9\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x02\x06\x00\x00\x00\x00\x00\x05\x00\x00\x00\x6b\x50\x7e\x00\x02\x00\x00\x00\x87\xde\x83\x00\x02\x00\x00\x00\x90\xa6\xa1\x01\xa1\x02\x00\x00\xa1\x9f\x5e\x00\x04\x00\x00\x00\xdb\xb4\xef\x00\x01\x00\x00\x00\xfe\xd3\x7a\x00\x05\x00\x01\x00\x00\x00\x08\x00\x00\x00\x18\x7d\xc7\x00\xf1\x00\x00…
\REGISTRY\A\{6351c177-344f-ed29-e079-57f11728e63b}\LocalState\PeekBadges 100000012
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings\LastLSMInstanceID 085a7773-b5d0-4969-9d3f-833430a
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate \x98\x8c\xaf\x2a\x7f\x85\xa5\x11\x2e\x79\x6a\x74\xfa\x81\xc8\x02\xf1\xd2\x93\xcc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\LastActiveTime \xde\xaa\xd4\x7e\xfa\x1f\xdc\x01
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\988CAF2A7F85A5112E796A74FA81C802F1D293CC\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x98\x8c\xaf\x2a\x7f\x85\xa5\x11\x2e\x79\x6a\x74\xfa\x81\xc8\x02\xf1\xd2\x93\xcc\x02\x00\x00\x00\x01\x00\x00\x00\x9c\x00\x00\x00\x1c\x00\x00\x00\x3c\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x54\x00\x53\x00\x53\x00\x65\x00\x63\x00\x4b\x00\x65…
\REGISTRY\A\{768c0818-5324-fdb3-43ce-1b02f8acf764}\LocalState\PeekBadges 100000012
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0edea23a-3dec-41c3-b03e-bc7a3356d6bc}\DynamicInfo \x03\x00\x00\x00\x47\x8a\x6c\x15\x53\xec\xda\x01\xdb\x70\x01\x16\xe3\x20\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x61\x4b\x75\x04\x95\x20\xdc\x01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{a499fa48-7057-4ac1-9702-44c6fd924058}\DynamicInfo \x03\x00\x00\x00\xfd\xb8\xb5\x15\x53\xec\xda\x01\x82\x01\x00\x16\xe3\x20\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\xc9\x90\xf8\x16\xe3\x20\xdc\x01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{50dddd38-168c-486b-966f-a23226488295}\DynamicInfo \x03\x00\x00\x00\x53\x6e\x5a\x15\x53\xec\xda\x01\x2e\x91\x2f\x16\xe3\x20\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x82\xfc\x58\x17\xe3\x20\xdc\x01
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\LastActiveTime \x03\x99\x30\x37\xe3\x20\xdc\x01
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings\LastLSMInstanceID 78b6ca36-81a5-459b-beab-8f120b6
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate \x1b\x25\x3e\xc2\xd2\xb0\xe2\x23\xfb\x16\x27\x6a\x25\xab\xca\x52\x70\x98\xa4\xe6
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\1B253EC2D2B0E223FB16276A25ABCA527098A4E6\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x1b\x25\x3e\xc2\xd2\xb0\xe2\x23\xfb\x16\x27\x6a\x25\xab\xca\x52\x70\x98\xa4\xe6\x02\x00\x00\x00\x01\x00\x00\x00\x9c\x00\x00\x00\x1c\x00\x00\x00\x3c\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x54\x00\x53\x00\x53\x00\x65\x00\x63\x00\x4b\x00\x65…
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 \xba\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x02\x06\x00\x00\x00\x00\x00\x05\x00\x00\x00\x6b\x50\x7e\x00\x02\x00\x00\x00\x87\xde\x83\x00\x02\x00\x00\x00\x90\xa6\xa1\x01\x9c\x02\x00\x00\xa1\x9f\x5e\x00\x04\x00\x00\x00\xdb\xb4\xef\x00\x01\x00\x00\x00\xfe\xd3\x7a\x00\x05\x00\x01\x00\x00\x00\x08\x00\x00\x00\x18\x7d\xc7\x00\xec\x00\x00…
\REGISTRY\A\{bff4431e-3a3d-7151-ced0-fde29bfcab4a}\LocalState\PeekBadges 100000012
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob \x0f\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x3f\x04\x11\xed\xe9\xc4\x47\x70\x57\xd5\x7e\x57\x88\x3b\x1f\x20\x5b\x20\xcd\xc0\xf3\x26\x31\x29\xb1\xee\x02\x69\xa2\x67\x8f\x63\x62\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x96\xbc\xec\x06\x26\x49\x76\xf3\x74\x60\x77\x9a\xcf\x28\xc5\xa7\xcf\xe8\xa3\xc0\xaa\xe1\x1a\x8f\xfc\xee\x05\xc0\xbd…
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTime \x4c\xea\x86\x52\xea\x20\xdc\x01
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\SelfSignedCertificate \x4a\x10\x66\x45\xbf\xc6\x64\x89\xab\x60\x3c\xcf\xbe\x2a\x1e\x66\xa1\x76\xc4\x04
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\ClusterSettings\LastLSMInstanceID a85746b8-e69b-4ae6-9a38-59b9b51
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DsmSvc\State\LastActiveTime \xab\xa6\xac\x5b\xea\x20\xdc\x01
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Remote Desktop\Certificates\4A106645BFC66489AB603CCFBE2A1E66A176C404\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x4a\x10\x66\x45\xbf\xc6\x64\x89\xab\x60\x3c\xcf\xbe\x2a\x1e\x66\xa1\x76\xc4\x04\x02\x00\x00\x00\x01\x00\x00\x00\x9c\x00\x00\x00\x1c\x00\x00\x00\x3c\x00\x00\x00\x01\x00\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x54\x00\x53\x00\x53\x00\x65\x00\x63\x00\x4b\x00\x65…
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%WINDIR%\System32\conhost.exe \x5b\xfd\x26\x3a\xea\x20\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 \xbb\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x02\x06\x00\x00\x00\x00\x00\x05\x00\x00\x00\x6b\x50\x7e\x00\x02\x00\x00\x00\x87\xde\x83\x00\x02\x00\x00\x00\x90\xa6\xa1\x01\x9b\x02\x00\x00\xa1\x9f\x5e\x00\x04\x00\x00\x00\xdb\xb4\xef\x00\x01\x00\x00\x00\xfe\xd3\x7a\x00\x05\x00\x01\x00\x00\x00\x08\x00\x00\x00\x18\x7d\xc7\x00\xed\x00\x00…
\REGISTRY\A\{32683e9e-604c-04dc-13b5-6387f0e6f5b8}\LocalState\PeekBadges 100000012
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentials\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsDomain\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnly\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowFreshCredentialsWhenNTLMOnlyDomain\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentials\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsDomain\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsWhenNTLMOnly\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Credssp\PolicyDefaults\AllowDefaultCredentialsWhenNTLMOnlyDomain\RD Child Sessions vs-debug/localhost
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DWORD (0x00000000)
HKEY_CURRENT_USER\Software\Microsoft\RestartManager
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}\Properties
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\Class RDPDR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\NoDisplayClass 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\NoUseClass 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{cc41eba2-ab57-4f4e-8c3d-1bc33b1e74e3}\Properties\Security 01 00 0C 90 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 30 00 02 00 00 00 00 00 14 00 00 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}\Class RDPDR
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}\NoDisplayClass 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}\NoUseClass 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{091bc97e-2352-4362-a539-10a6d8ff7596}\Properties\Security 01 00 0C 90 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 02 00 1C 00 01 00 00 00 00 00 14 00 00 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{191a5137-7c9d-43c0-a943-de4411f424f7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{191a5137-7c9d-43c0-a943-de4411f424f7}\##?#TS_USB_HUB_Enumerator#UMB#2&30d3618&0&TS_USB_HUB#{191a5137-7c9d-43c0-a943-de4411f424f7}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{191a5137-7c9d-43c0-a943-de4411f424f7}\##?#TS_USB_HUB_Enumerator#UMB#2&30d3618&0&TS_USB_HUB#{191a5137-7c9d-43c0-a943-de4411f424f7}\#
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf\WdfMajorVersion 1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf\WdfMinorVersion 15
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\DeviceClasses\{191a5137-7c9d-43c0-a943-de4411f424f7}\##?#TS_USB_HUB_Enumerator#UMB#2&30d3618&0&TS_USB_HUB#{191a5137-7c9d-43c0-a943-de4411f424f7}\DeviceInstance TS_USB_HUB_Enumerator\UMB\2&30d3618&0&TS_USB_HUB

Services Started (Top 15)

Service
TermService
GoogleChromeElevationService
MicrosoftEdgeElevationService
BITS
WSearch
RdpVideoMiniport
UmRdpService
CertPropSvc
SessionEnv
DsmSvc
LxpSvc

Services Opened (Top 15)

Service
RdpVideoMiniport
UmRdpService
CertPropSvc
SessionEnv
Spooler
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top