Zero‑Dwell Threat Intelligence Report
A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-09 10:26:27 UTC
Executive Overview — What We’re Dealing With
This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.
File
4th5qcxy.exe
Type
Win32 EXE
SHA‑1
edc8537613c1299f3c2c3be833d5245be6490e5f
MD5
6bf83a8e18df2d478f457f4371b7f8f5
First Seen
2025-09-05 07:15:20.878788
Last Analysis
2025-09-05 10:02:36.726120
Dwell Time
0 days, 2 hours, 47 minutes
Extended Dwell Time Impact
For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.
Comparative Context
Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.
Timeline
| Time (UTC) | Event | Elapsed |
|---|---|---|
| 2025-09-04 22:10:03 UTC | First VirusTotal submission | — |
| 2025-09-09 07:41:35 UTC | Latest analysis snapshot | 4 days, 9 hours, 31 minutes |
| 2025-09-09 10:26:27 UTC | Report generation time | 4 days, 12 hours, 16 minutes |
Why It Matters
Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.
Global Detection Posture — Who Caught It, Who Missed It
VirusTotal engines: 73. Detected as malicious: 54. Missed: 19. Coverage: 74.0%.
Detected Vendors
- Xcitium
- +53 additional vendors (names not provided)
List includes Xcitium plus an additional 53 vendors per the provided summary.
Missed Vendors
- Acronis
- Antiy-AVL
- APEX
- Baidu
- ClamAV
- CMC
- Jiangmin
- MaxSecure
- NANO-Antivirus
- SUPERAntiSpyware
- TACHYON
- tehtris
- VBA32
- ViRobot
- Webroot
- Yandex
- Zillya
- ZoneAlarm
- Zoner
Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.
Behavioral Storyline — How the Malware Operates
Intensive file system activity (49.74% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.
Behavior Categories (weighted)
Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.
| Category | Weight | Percentage |
|---|---|---|
| File System | 135211 | 49.74% |
| Synchronization | 125401 | 46.13% |
| Registry | 5874 | 2.16% |
| System | 3394 | 1.25% |
| Process | 1337 | 0.49% |
| Com | 273 | 0.10% |
| Misc | 118 | 0.04% |
| __Notification__ | 93 | 0.03% |
| Threading | 61 | 0.02% |
| Device | 56 | 0.02% |
| Windows | 16 | 0.01% |
| Hooking | 10 | 0.00% |
| Services | 4 | 0.00% |
| Network | 2 | 0.00% |
| Crypto | 1 | 0.00% |
MITRE ATT&CK Mapping
- T1056.001 – log keystrokes via polling
- T1129 – link many functions at runtime
- T1012 – query or enumerate registry key
- T1012 – query or enumerate registry value
- T1115 – open clipboard
- T1083 – get file size
- T1083 – enumerate files on Windows
- T1083 – enumerate files recursively
- T1129 – link function at runtime on Windows
- T1112 – delete registry key
- T1529 – shutdown system
- T1222 – set file attributes
- T1083 – get common file path
- T1112 – delete registry value
- T1070.004 – self delete
- T1125 – capture webcam image
- T1010 – find graphical window
- T1027 – encode data using XOR
- T1083 – check if file exists
- T1082 – get disk size
- T1083 – get file system object information
- T1082 – query environment variable
- T1083 – get file version info
- T1059 – accept command line arguments
- T1547.009 – create shortcut via IShellLink
- T1202 – Uses Windows utilities for basic functionality
- T1202 – Uses suspicious command line tools or Windows utilities
- T1112 – Installs itself for autorun at Windows startup
- T1497 – Checks for mouse movement
- T1497 – Detects the presence of Windows Defender AV emulator via files
- T1547 – Installs itself for autorun at Windows startup
- T1547.001 – Installs itself for autorun at Windows startup
- T1082 – Checks available memory
- T1083 – Detects the presence of Windows Defender AV emulator via files
- T1057 – Enumerates running processes
- T1057 – Expresses interest in specific running processes
- T1057 – Detects the presence of Windows Defender AV emulator via files
- T1057 – Uses Windows utilities to enumerate running processes
- T1518 – Detects the presence of Windows Defender AV emulator via files
- T1071 – Resolves a suspicious Top Level Domain (TLD)
- T1071 – The PE file contains an overlay
- T1071 – Yara detections observed in process dumps, payloads or dropped files
- T1573 – Establishes an encrypted HTTPS connection
- T1059 – Executed a command line with /C or /R argument to terminate command shell on completion which can be used to hide execution
- T1059 – Executed a very long command line or script command which may be indicative of chained commands or obfuscation
- T1485 – Anomalous file deletion behavior detected (10+)
- T1129 – The process attempted to dynamically load a malicious function
- T1140 – Detected an attempt to pull out some data from the binary image
- T1129 – The process tried to load dynamically one or more functions.
- T1045 – Manalize Local SandBox Packer Harvesting
- T1222 – set file attributes
- T1083 – get file system object information
- T1027 – encode data using XOR
- T1012 – query or enumerate registry key
- T1112 – delete registry key
- T1010 – find graphical window
- T1082 – query environment variable
- T1012 – query or enumerate registry value
- T1083 – enumerate files on Windows
- T1083 – get file version info
- T1547.009 – create shortcut via IShellLink
- T1112 – delete registry value
- T1083 – get file size
- T1529 – shutdown system
- T1083 – get common file path
- T1059 – accept command line arguments
- T1056.001 – log keystrokes via polling
- T1082 – get disk size
- T1125 – capture webcam image
- T1115 – open clipboard
- T1083 – check if file exists
- T1129 – link function at runtime on Windows
- T1129 – link many functions at runtime
- T1083 – enumerate files recursively
- T1082 – Queries for the computername
- T1027.009 – Drops interesting files and uses them
- T1063 – It Tries to detect injection methods
- T1047 – Queries process information (via WMI, Win32_Process)
- T1059 – Very long cmdline option found, this is very uncommon (may be encrypted or packed)
- T1547.001 – Creates a start menu entry (Start Menu\\Programs\\Startup)
- T1547.001 – Stores files to the Windows startup directory
- T1055 – May try to detect the Windows Explorer process (often used for injection)
- T1036 – Drops PE files with a suspicious file extension
- T1036 – Drops files with a non matching file extension (content does not match to file extension)
- T1036 – Creates files inside the user directory
- T1036 – Creates files inside the system directory
- T1497 – May sleep (evasive loops) to hinder dynamic analysis
- T1057 – Queries a list of all running processes
- T1057 – Uses tasklist.exe to query information about running processes
- T1057 – May try to detect the Windows Explorer process (often used for injection)
- T1083 – Reads ini files
- T1083 – Enumerates the file system
- T1082 – Queries the volume information (name, serial number etc) of a device
- T1082 – Queries process information (via WMI, Win32_Process)
Following the Trail — Network & DNS Activity
Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.
Contacted Domains
| Domain | IP | Country | ASN/Org |
|---|---|---|---|
| www.msftncsi.com | 23.200.3.18 | United States | Akamai Technologies, Inc. |
| www.aieov.com | 76.223.54.146 | United States | Amazon.com, Inc. |
Observed IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
DNS Queries
| Request | Type |
|---|---|
| 5isohu.com | A |
| www.msftncsi.com | A |
| www.aieov.com | A |
| rDJrBttWDOUKoGkMxmsEVhNU.rDJrBttWDOUKoGkMxmsEVhNU | A |
Contacted IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
Port Distribution
| Port | Count | Protocols |
|---|---|---|
| 137 | 1 | udp |
| 138 | 1 | udp |
| 5355 | 5 | udp |
| 53 | 35 | udp |
| 3702 | 1 | udp |
UDP Packets
| Source IP | Dest IP | Sport | Dport | Time | Proto |
|---|---|---|---|---|---|
| 192.168.56.13 | 192.168.56.255 | 137 | 137 | 3.2440919876098633 | udp |
| 192.168.56.13 | 192.168.56.255 | 138 | 138 | 9.244245052337646 | udp |
| 192.168.56.13 | 224.0.0.252 | 49311 | 5355 | 5.746464967727661 | udp |
| 192.168.56.13 | 224.0.0.252 | 55150 | 5355 | 3.173459053039551 | udp |
| 192.168.56.13 | 224.0.0.252 | 60010 | 5355 | 5.229328870773315 | udp |
| 192.168.56.13 | 224.0.0.252 | 62406 | 5355 | 3.178333044052124 | udp |
| 192.168.56.13 | 224.0.0.252 | 63527 | 5355 | 3.9935240745544434 | udp |
| 192.168.56.13 | 239.255.255.250 | 52252 | 3702 | 3.1821539402008057 | udp |
| 192.168.56.13 | 8.8.4.4 | 50554 | 53 | 131.1655719280243 | udp |
| 192.168.56.13 | 8.8.4.4 | 53518 | 53 | 228.4162540435791 | udp |
| 192.168.56.13 | 8.8.4.4 | 54879 | 53 | 7.791501045227051 | udp |
| 192.168.56.13 | 8.8.4.4 | 54881 | 53 | 6.555064916610718 | udp |
| 192.168.56.13 | 8.8.4.4 | 55551 | 53 | 165.0879988670349 | udp |
| 192.168.56.13 | 8.8.4.4 | 56197 | 53 | 149.97831296920776 | udp |
| 192.168.56.13 | 8.8.4.4 | 57310 | 53 | 52.196922063827515 | udp |
| 192.168.56.13 | 8.8.4.4 | 57415 | 53 | 67.71305394172668 | udp |
| 192.168.56.13 | 8.8.4.4 | 58697 | 53 | 21.978019952774048 | udp |
| 192.168.56.13 | 8.8.4.4 | 58920 | 53 | 82.36916995048523 | udp |
| 192.168.56.13 | 8.8.4.4 | 60543 | 53 | 213.99411606788635 | udp |
| 192.168.56.13 | 8.8.4.4 | 60910 | 53 | 101.86912298202515 | udp |
| 192.168.56.13 | 8.8.4.4 | 61004 | 53 | 180.38456201553345 | udp |
| 192.168.56.13 | 8.8.4.4 | 62493 | 53 | 36.618772983551025 | udp |
| 192.168.56.13 | 8.8.4.4 | 62849 | 53 | 36.38496398925781 | udp |
| 192.168.56.13 | 8.8.4.4 | 64533 | 53 | 199.1038899421692 | udp |
| 192.168.56.13 | 8.8.4.4 | 64801 | 53 | 116.63459086418152 | udp |
| 192.168.56.13 | 8.8.8.8 | 50554 | 53 | 130.16697096824646 | udp |
| 192.168.56.13 | 8.8.8.8 | 53518 | 53 | 227.4164628982544 | udp |
| 192.168.56.13 | 8.8.8.8 | 54879 | 53 | 8.79078984260559 | udp |
| 192.168.56.13 | 8.8.8.8 | 54881 | 53 | 7.540674924850464 | udp |
| 192.168.56.13 | 8.8.8.8 | 55551 | 53 | 164.08821296691895 | udp |
| 192.168.56.13 | 8.8.8.8 | 56197 | 53 | 148.98157691955566 | udp |
| 192.168.56.13 | 8.8.8.8 | 57065 | 53 | 246.08793997764587 | udp |
| 192.168.56.13 | 8.8.8.8 | 57310 | 53 | 51.20072889328003 | udp |
| 192.168.56.13 | 8.8.8.8 | 57415 | 53 | 66.7128758430481 | udp |
| 192.168.56.13 | 8.8.8.8 | 58697 | 53 | 20.9907009601593 | udp |
| 192.168.56.13 | 8.8.8.8 | 58920 | 53 | 81.3694498538971 | udp |
| 192.168.56.13 | 8.8.8.8 | 60543 | 53 | 212.99450588226318 | udp |
| 192.168.56.13 | 8.8.8.8 | 60910 | 53 | 100.88226199150085 | udp |
| 192.168.56.13 | 8.8.8.8 | 61004 | 53 | 179.3846080303192 | udp |
| 192.168.56.13 | 8.8.8.8 | 62493 | 53 | 35.63045287132263 | udp |
| 192.168.56.13 | 8.8.8.8 | 62849 | 53 | 35.38669204711914 | udp |
| 192.168.56.13 | 8.8.8.8 | 64533 | 53 | 198.10420298576355 | udp |
| 192.168.56.13 | 8.8.8.8 | 64801 | 53 | 115.63506197929382 | udp |
Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.
Persistence & Policy — Registry and Services
Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.
Registry Opened
506
Registry Set
11
Services Started
4
Services Opened
3
Registry Opened (Top 25)
| Key |
|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\TreatAs |
| HKEY_USERS\.DEFAULT\Control Panel\International\sTimeFormat |
| HKEY_USERS\.DEFAULT\Control Panel\International\iFirstDayOfWeek |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| HKEY_USERS\.DEFAULT\Control Panel\International\iCountry |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib |
| HKEY_USERS\.DEFAULT\Control Panel\International |
| HKEY_USERS\.DEFAULT\Control Panel\International\sGrouping |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\(Default) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense |
| HKEY_USERS\.DEFAULT\Control Panel\International\iCurrDigits |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat |
| HKEY_USERS\.DEFAULT\Control Panel\International\iFirstWeekOfYear |
| HKEY_USERS\.DEFAULT\Control Panel\International\LocaleName |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib\Version |
| HKEY_USERS\.DEFAULT\Control Panel\International\sList |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\UDTAlignmentPolicy |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\ActivateOnHostFlags |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\(Default) |
| HKEY_USERS\.DEFAULT\Control Panel\International\sShortTime |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}\cohort |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\InprocHandler |
| HKEY_USERS\.DEFAULT\Control Panel\International\s2359 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}\channel |
| HKEY_USERS\.DEFAULT\Control Panel\International\\xed\xa0\xbc\xed\xbc\x8e\xed\xa0\xbc\xed\xbc\x8f\xed\xa0\xbc\xed\xbc\x8d |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\AppID |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32\(Default) |
| HKEY_USERS\.DEFAULT\Control Panel\International\iNegCurr |
| HKEY_USERS\.DEFAULT\Control Panel\International\sMonThousandSep |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\ap |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx |
| HKEY_USERS\.DEFAULT\Control Panel\International\s1159 |
| HKEY_USERS\.DEFAULT\Control Panel\International\iCurrency |
| HKEY_LOCAL_MACHINE\Software\Classes |
| HKEY_USERS\.DEFAULT\Control Panel\International\sNativeDigits |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\LocalServer |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions |
| HKEY_USERS\.DEFAULT\Control Panel\International\sLongDate |
Show all (506 total)
| Key |
|---|
| HKEY_USERS\.DEFAULT\Control Panel\International\iPaperSize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\Forward |
| HKEY_USERS\.DEFAULT\Control Panel\International\sShortDate |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64\(Default) |
| HKEY_USERS\.DEFAULT\Control Panel\International\sPositiveSign |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
| HKEY_USERS\.DEFAULT\Control Panel\International\NumShape |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\TreatAs |
| HKEY_CURRENT_USER\Software\Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}\cohort\name |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8} |
| HKEY_USERS\.DEFAULT\Control Panel\International\sYearMonth |
| HKEY_USERS\.DEFAULT\Control Panel\International\sNegativeSign |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\elevation_service.exe |
| HKEY_USERS\.DEFAULT\Control Panel\International\sCurrency |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib |
| HKEY_USERS\.DEFAULT\Control Panel\International\sMonDecimalSep |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TypeLibIndex |
| HKEY_USERS\.DEFAULT\Control Panel\International\sDecimal |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\InprocHandler32 |
| HKEY_USERS\.DEFAULT\Control Panel\International\iDigits |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| HKEY_USERS\.DEFAULT\Control Panel\International\sThousand |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64 |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046} |
| HKEY_USERS\.DEFAULT\Control Panel\International\iMeasure |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\ActivateOnHostFlags |
| HKEY_USERS\.DEFAULT\Software\Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64\(Default) |
| HKEY_USERS\.DEFAULT\Control Panel\International\iLZero |
| HKEY_USERS\.DEFAULT\Control Panel\International\sMonGrouping |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B} |
| HKEY_USERS\.DEFAULT\Control Panel\International\iCalendarType |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}\(Default) |
| HKEY_USERS\.DEFAULT\Control Panel\International\iNegNumber |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{a499fa48-7057-4ac1-9702-44c6fd924058} |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates |
| \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\3e\52C64B7E |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft |
| HKEY_CURRENT_USER\Software\Microsoft\LanguageOverlay\UpdateFailures |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CTLs |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\Certificates |
| HKEY_LOCAL_MACHINE\Software |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CRLs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CTLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\WBEM\CIMOM |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CTLs |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\StoreInit |
| HKEY_LOCAL_MACHINE\Software\Policies |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\3e\52C64B7E |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BackgroundAccessApplications |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot |
| HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\Microsoft\IdentityStore\Cache\S-1-5-21-4226853953-3309226944-3078887307-1000 |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CTLs |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CRLs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\UpdateFailures |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CTLs |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\SystemMetaData |
| \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CRLs |
| HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\Certificates |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\Certificates |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000 |
| \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\Certificates |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ContextLimit |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ProcessID |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ObjectLimit |
| HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\IdentifierLimit |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32 |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\Compatibility\program.exe |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0ddd015d-b06c-45d5-8c4c-f59713854639}\PropertyBag |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32 |
| HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0DDD015D-B06C-45D5-8C4C-F59713854639} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocHandler32 |
| HKEY_CURRENT_USER_Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{18989B1D-99B5-455B-841C-AB7C74E4DDFC} |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}\PropertyBag |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-100000000000}\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\InprocServer32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{18989B1D-99B5-455B-841C-AB7C74E4DDFC}\PropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\InitPropertyBag |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocHandler |
| HKEY_CURRENT_USER_Classes\Directory |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\InitPropertyBag |
| HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell |
| HKEY_CURRENT_USER_Classes\Folder\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg |
| HKEY_CURRENT_USER_Classes\Folder\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NULL |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC} |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration |
| HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\extrac32.exe |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocServer32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\WBEM\CIMOM |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_CURRENT_USER_Classes\Folder\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\LocalServer32 |
| HKEY_CURRENT_USER_Classes\Directory\Clsid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32 |
| HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-90d022000000}\ |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-500600000000}\ |
| HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions |
| HKEY_CURRENT_USER_Classes\Folder\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 |
| HKEY_CURRENT_USER_Classes\Folder |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe |
| HKEY_CURRENT_USER_Classes\Directory\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocHandler |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\program.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wait.pif |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\NULL |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{00BCFC5A-ED94-4E48-96A1-3F6217F21990} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1070296143-2877979003-364783958-1001\fdeploy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{00021401-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{027947E1-D731-11CE-A357-000000000001} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\Compatibility\extrac32.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\tasklist.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocHandler32 |
| HKEY_CURRENT_USER\Control Panel\Mouse |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer32 |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00021401-0000-0000-C000-000000000046}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32 |
| HKEY_CURRENT_USER_Classes\Directory\ShellEx\IconHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{0F214138-B1D3-4A90-BBA9-27CBC0C5389A} |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\CTF\Compatibility\Wait.pif |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF} |
| HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\LocalServer |
| HKEY_CURRENT_USER_Classes\Directory\DocObject |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocHandler |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32 |
| HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt |
| HKEY_CURRENT_USER_Classes\AllFilesystemObjects\ShellEx\IconHandler |
Registry Set (Top 25)
| Key | Value |
|---|---|
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\InstalledWin32AppsRevision | {6EBBC831-4C3D-4B02-B8C7-8473F8CECAE2} |
| HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000060034\VirtualDesktop | \x10\x00\x00\x0000DV\xc0\x87T(\xe1\x1a\x99K\x82\x8b\x8b\x97\x1e\xc3O\x11 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%WINDIR%\SysWOW64\extrac32.exe | \xf2\x6c\x40\x48\xbd\x1d\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\EncodedCtl | \x30\x83\x02\xe4\xcf\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02\xa0\x83\x02\xe4\xbf\x30\x83\x02\xe4\xba\x02\x01\x01\x31\x0f\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x30\x83\x02\xd5\x28\x06\x09\x2b\x06\x01\x04\x01\x82\x37\x0a\x01\xa0\x83\x02\xd5\x18\x30\x83\x02\xd5\x13\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x0a\x03… |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\LastSyncTime | \x40\xfd\x94\x5f\xbd\x1d\xdc\x01 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{a499fa48-7057-4ac1-9702-44c6fd924058}\DynamicInfo | \x03\x00\x00\x00\xfd\xb8\xb5\x15\x53\xec\xda\x01\x3d\xea\xb8\xf4\xef\x1d\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x91\xb5\xec\xf4\xef\x1d\xdc\x01 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000\RefCount | \x05\x00\x00\x00 |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2\Epoch | 0x00000009 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475 | \xba\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x02\x06\x00\x00\x00\x00\x00\x05\x00\x00\x00\x6b\x50\x7e\x00\x02\x00\x00\x00\x87\xde\x83\x00\x02\x00\x00\x00\x90\xa6\xa1\x01\xa0\x02\x00\x00\xa1\x9f\x5e\x00\x04\x00\x00\x00\xdb\xb4\xef\x00\x01\x00\x00\x00\xfe\xd3\x7a\x00\x05\x00\x01\x00\x00\x00\x08\x00\x00\x00\x18\x7d\xc7\x00\xf0\x00\x00… |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75 | \x05\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x01\x01\x00\x59\x0f\x1c\x01\x04\x00\x83\x00\x02\x00\x07\x80\x0b\x01\x24\x00\x66\x00\x66\x00\x73\x96\x00\x00\x00\x00\x38\x01\x24\x00\x66\x00\xf9\xf9\x09\x00\x76\x00\x00\x00\x59\x00\x00\x00\x73\x68\x65\x6c\x6c\x5c\x72\x6f\x61\x6d\x69\x6e\x67\x5c\x73\x65\x74\x74\x69\x6e\x67\x73\x79\x6e\x63… |
| HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile | Binary Data |
Services Started (Top 15)
| Service |
|---|
| BITS |
| WSearch |
| GoogleChromeElevationService |
| LxpSvc |
Services Opened (Top 15)
| Service |
|---|
| wscsvc |
| VaultSvc |
| clipsvc |
What To Do Now — Practical Defense Playbook
- Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
- EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
- Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
- Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
- Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.
Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.