Game-Crack Installer Adds Defender Exclusions and Beacons to IP Lookup APIs

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

Nursultancrack.exe

Type

Win16 NE executable (generic)

SHA‑1

6145c73e66849b739f6b93212f63e8134ab83ee1

MD5

019e8aca48eb4874fafe441113f045e5

First Seen

2025-09-14 13:34:52.083124

Last Analysis

2025-09-15 07:15:21.484764

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2024-05-15 12:08:30 UTC	First VirusTotal submission	—
2025-09-19 06:43:34 UTC	Latest analysis snapshot	491 days, 18 hours, 35 minutes
2025-10-31 10:45:23 UTC	Report generation time	533 days, 22 hours, 36 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 55. Missed: 18. Coverage: 75.3%.

Detected Vendors

Xcitium
+54 additional vendors (names not provided)

List includes Xcitium plus an additional 54 vendors per the provided summary.

Missed Vendors

Baidu
ClamAV
CMC
google_safebrowsing
Gridinsoft
Jiangmin
Kingsoft
NANO-Antivirus
SUPERAntiSpyware
TACHYON
tehtris
TrendMicro
TrendMicro-HouseCall
ViRobot
Webroot
Yandex
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (40.26% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
System	1079	40.26%
Registry	707	26.38%
File System	248	9.25%
Process	182	6.79%
Misc	160	5.97%
Network	114	4.25%
Threading	104	3.88%
Device	61	2.28%
Com	10	0.37%
Synchronization	8	0.30%
Services	4	0.15%
Windows	2	0.07%
Hooking	1	0.04%

MITRE ATT&CK Mapping

T1497.001 – reference anti-VM strings targeting Xen
T1129 – link function at runtime on Windows
T1082 – get hostname
T1047 – Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads.
T1129 – Adversaries may execute malicious payloads via loading shared modules.
T1106 – Adversaries may interact with the native OS application programming interface (API) to execute behaviors.
T1059 – Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1064 – **This technique has been deprecated.
T1033 – Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.
T1082 – An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1012 – Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
T1003 – Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
T1555 – Adversaries may search for common password storage locations to obtain user credentials.
T1552 – Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1555.003 – Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
T1552.001 – Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1547 – Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
T1547.001 – Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.
T1071 – Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic.
T1573 – Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
T1202 – Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
T1562 – Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms.
T1112 – Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
T1070 – Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses.
T1562.001 – Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities.
T1005 – Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
T1560 – An adversary may compress and/or encrypt data that is collected prior to exfiltration.
T1485 – Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1005 – Searches for sensitive browser data
T1005 – Reads sensitive browser data
T1012 – Query OS Information
T1016 – Reads network adapter information
T1016 – Checks external IP address
T1027.002 – Creates a page with write and execute permissions
T1047 – Queries OS version via WMI
T1047 – Collects hardware properties
T1070.004 – Deletes file after execution
T1071.004 – Performs DNS request
T1082 – Query OS Information
T1082 – Queries OS version via WMI
T1082 – Collects hardware properties
T1083 – Searches for sensitive browser data
T1083 – Possibly does reconnaissance
T1083 – Reads sensitive browser data
T1095 – Connects to remote host
T1095 – Sets up server that accepts incoming connections
T1106 – Makes direct system call to possibly evade hooking based monitoring
T1113 – Takes screenshot
T1119 – Searches for sensitive browser data
T1119 – Reads sensitive browser data
T1124 – Tries to detect virtual machine
T1134 – Enables process privileges
T1497.001 – Tries to detect application sandbox
T1497.003 – Tries to detect virtual machine
T1547.001 – Installs system startup script or application
T1552.001 – Searches for sensitive browser data
T1552.001 – Reads sensitive browser data
T1562.001 – Modifies native system functions
T1562.001 – Modifies Windows Defender configuration
T1564.003 – Creates process with hidden window
T1059 – Very long cmdline option found, this is very uncommon (may be encrypted or packed)
T1059.001 – Suspicious powershell command line found
T1547.001 – Creates a start menu entry (Start Menu\\Programs\\Startup)
T1547.001 – Drops PE files to the startup folder (C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup)
T1547.001 – Stores files to the Windows startup directory
T1574.002 – Tries to load missing DLLs
T1036 – Drops PE files with a suspicious file extension
T1036 – Creates files inside the user directory
T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
T1562.001 – Adds a directory exclusion to Windows Defender
T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
T1497 – Contains long sleeps (>= 3 min)
T1497 – May sleep (evasive loops) to hinder dynamic analysis
T1497 – Query firmware table information (likely to detect VMs)
T1497 – Contains medium sleeps (>= 30s)
T1497 – Checks if the current process is being debugged
T1027 – .NET source code contains long base64-encoded strings
T1070.006 – Binary contains a suspicious time stamp
T1003 – Tries to harvest and steal browser information (history, passwords, etc)
T1056.004 – Overwrites code with unconditional jumps – possibly settings hooks in foreign process
T1056 – Creates a DirectInput object (often for capturing keystrokes)
T1518.001 – Tries to evade analysis by execution special instruction (VM detection)
T1518.001 – May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
T1518.001 – Query firmware table information (likely to detect VMs)
T1518.001 – Checks if the current process is being debugged
T1057 – Queries a list of all running processes
T1010 – Sample monitors Window changes (e.g. starting applications), analyze the sample with the simulation cookbook
T1018 – Reads the hosts file
T1016 – Checks the online ip address of the machine
T1083 – Reads ini files
T1082 – Queries the volume information (name, serial number etc) of a device
T1082 – Tries to evade analysis by execution special instruction (VM detection)
T1082 – Queries the cryptographic machine GUID
T1082 – Reads software policies
T1005 – Found many strings related to Crypto-Wallets (likely being stolen)
T1005 – Tries to harvest and steal browser information (history, passwords, etc)
T1095 – Performs DNS lookups
T1071 – Performs DNS lookups

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
gstatic.com	142.250.80.35	United States	Google LLC
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
5isohu.com	A
www.aieov.com	A
gstatic.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	5	udp
53	76	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.14	192.168.56.255	137	137	3.078223943710327	udp
192.168.56.14	224.0.0.252	51209	5355	3.0106401443481445	udp
192.168.56.14	224.0.0.252	53401	5355	5.56397008895874	udp
192.168.56.14	224.0.0.252	55094	5355	6.6512720584869385	udp
192.168.56.14	224.0.0.252	55848	5355	3.501431941986084	udp
192.168.56.14	224.0.0.252	65148	5355	20.907076120376587	udp
192.168.56.14	8.8.4.4	49916	53	60.703696966171265	udp
192.168.56.14	8.8.4.4	50180	53	85.10940313339233	udp
192.168.56.14	8.8.4.4	50582	53	363.39110493659973	udp
192.168.56.14	8.8.4.4	50710	53	39.83016896247864	udp
192.168.56.14	8.8.4.4	50870	53	196.60937404632568	udp
192.168.56.14	8.8.4.4	50914	53	149.12530493736267	udp
192.168.56.14	8.8.4.4	51262	53	182.71886610984802	udp
192.168.56.14	8.8.4.4	51614	53	243.92170214653015	udp
192.168.56.14	8.8.4.4	52116	53	320.297000169754	udp
192.168.56.14	8.8.4.4	52556	53	231.51553106307983	udp
192.168.56.14	8.8.4.4	52815	53	9.813045024871826	udp
192.168.56.14	8.8.4.4	53449	53	211.10929608345032	udp
192.168.56.14	8.8.4.4	54017	53	334.59412813186646	udp
192.168.56.14	8.8.4.4	54579	53	36.34404706954956	udp
192.168.56.14	8.8.4.4	54683	53	116.32800102233887	udp
192.168.56.14	8.8.4.4	55827	53	158.2967381477356	udp
192.168.56.14	8.8.4.4	55914	53	83.54674005508423	udp
192.168.56.14	8.8.4.4	56399	53	109.51580309867859	udp
192.168.56.14	8.8.4.4	56716	53	305.87490701675415	udp
192.168.56.14	8.8.4.4	56864	53	272.9686679840088	udp
192.168.56.14	8.8.4.4	57355	53	354.0466501712799	udp
192.168.56.14	8.8.4.4	57742	53	225.54743695259094	udp
192.168.56.14	8.8.4.4	59068	53	207.17194294929504	udp
192.168.56.14	8.8.4.4	59212	53	280.70387601852417	udp
192.168.56.14	8.8.4.4	60117	53	54.56241798400879	udp
192.168.56.14	8.8.4.4	60713	53	163.57823395729065	udp
192.168.56.14	8.8.4.4	61083	53	329.5943760871887	udp
192.168.56.14	8.8.4.4	62022	53	101.89080715179443	udp
192.168.56.14	8.8.4.4	62055	53	349.015743970871	udp
192.168.56.14	8.8.4.4	62112	53	25.37531614303589	udp
192.168.56.14	8.8.4.4	62548	53	133.9217929840088	udp
192.168.56.14	8.8.4.4	62800	53	178.14088606834412	udp
192.168.56.14	8.8.4.4	62997	53	305.20376896858215	udp
192.168.56.14	8.8.4.4	63205	53	130.797287940979	udp
192.168.56.14	8.8.4.4	64452	53	255.89078998565674	udp
192.168.56.14	8.8.4.4	64753	53	69.04682612419128	udp
192.168.56.14	8.8.4.4	65271	53	291.4380819797516	udp
192.168.56.14	8.8.4.4	65283	53	258.5313880443573	udp
192.168.56.14	8.8.8.8	49916	53	59.703258991241455	udp
192.168.56.14	8.8.8.8	50180	53	84.10954093933105	udp
192.168.56.14	8.8.8.8	50582	53	362.3911020755768	udp
192.168.56.14	8.8.8.8	50710	53	38.828654050827026	udp
192.168.56.14	8.8.8.8	50870	53	195.61012816429138	udp
192.168.56.14	8.8.8.8	50914	53	148.12641596794128	udp
192.168.56.14	8.8.8.8	51262	53	181.71929001808167	udp
192.168.56.14	8.8.8.8	51614	53	242.9225480556488	udp
192.168.56.14	8.8.8.8	52116	53	319.297523021698	udp
192.168.56.14	8.8.8.8	52556	53	230.5163869857788	udp
192.168.56.14	8.8.8.8	52815	53	10.81275200843811	udp
192.168.56.14	8.8.8.8	53449	53	210.10972094535828	udp
192.168.56.14	8.8.8.8	54017	53	333.59450507164	udp
192.168.56.14	8.8.8.8	54579	53	35.34404706954956	udp
192.168.56.14	8.8.8.8	54683	53	115.32870602607727	udp
192.168.56.14	8.8.8.8	55827	53	157.2969479560852	udp
192.168.56.14	8.8.8.8	55914	53	82.54692816734314	udp
192.168.56.14	8.8.8.8	56399	53	108.51590895652771	udp
192.168.56.14	8.8.8.8	56716	53	304.8759591579437	udp
192.168.56.14	8.8.8.8	56864	53	271.96937108039856	udp
192.168.56.14	8.8.8.8	57355	53	353.04746103286743	udp
192.168.56.14	8.8.8.8	57742	53	224.5474910736084	udp
192.168.56.14	8.8.8.8	59068	53	206.17230200767517	udp
192.168.56.14	8.8.8.8	59212	53	279.6253969669342	udp
192.168.56.14	8.8.8.8	60117	53	53.56392002105713	udp
192.168.56.14	8.8.8.8	60713	53	162.58474206924438	udp
192.168.56.14	8.8.8.8	61083	53	328.5939121246338	udp
192.168.56.14	8.8.8.8	62022	53	100.8914270401001	udp
192.168.56.14	8.8.8.8	62055	53	348.0159649848938	udp
192.168.56.14	8.8.8.8	62112	53	24.37757396697998	udp
192.168.56.14	8.8.8.8	62548	53	132.92251300811768	udp
192.168.56.14	8.8.8.8	62800	53	177.14128398895264	udp
192.168.56.14	8.8.8.8	62997	53	304.2039909362793	udp
192.168.56.14	8.8.8.8	63205	53	129.7975480556488	udp
192.168.56.14	8.8.8.8	64452	53	254.89071011543274	udp
192.168.56.14	8.8.8.8	64753	53	68.04724717140198	udp
192.168.56.14	8.8.8.8	65271	53	290.4378819465637	udp
192.168.56.14	8.8.8.8	65283	53	257.45362615585327	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

765

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExePath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ActivatableClasses
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivateInSharedBroker
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C53E07EC-25F3-4093-AA39-FC67EA22E99D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\CustomAttributes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ExplicitPsmActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivateInBrokerForMediumILContainer

Show all (765 total)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServiceName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Identity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8645456f-d9a2-4b82-afec-58f0e8df0acf}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\ServerType
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{89bc3f49-f8d9-5103-ba13-de497e609167}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8645456F-D9A2-4B82-AFEC-58F0E8DF0ACF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{89BC3F49-F8D9-5103-BA13-DE497E609167}
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\IdentityType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\Permissions
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository\CommandLine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue\Permissions
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{657A8842-0B5E-40E1-B8CB-9AAFACC33AAB}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Nursultancrack.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Storage.Streams.DataWriter
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\CTLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\Microsoft
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\3e\52C64B7E
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\CTLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging
HKEY_CURRENT_USER\SOFTWARE\Roblox\RobloxStudioBrowser
HKEY_CURRENT_USER\HKEY_CURRENT_USER\SOFTWARE\Roblox
HKEY_CURRENT_USER\SOFTWARE\Roblox
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging Directory
HKEY_LOCAL_MACHINE\System\CurrentControlSet
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\TZI
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_CURRENT_USER\HKEY_CURRENT_USER\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Log File Max Size
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PROCESSOR_IDENTIFIER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Std
HKEY_CURRENT_USER\HKEY_CURRENT_USER\SOFTWARE\Roblox\RobloxStudioBrowser
HKEY_CURRENT_USER\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Central European Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\AmsiEnable
HKEY_CURRENT_USER\SOFTWARE
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\appcompat
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_CURRENT_USER\{00020430-0000-0000-C000-000000000046}\2.0\0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.3.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.Microsoft.PowerShell.Security__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Web.Services__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Dynamic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Microsoft.CSharp__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/xml
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
HKEY_CURRENT_USER\Environment\PSMODULEPATH
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32\Class
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit\{860BB310-5D01-11D0-BD3B-00A0C911CE86}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.System.Management.Automation__31bf3856ad364e35
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.SMDiagnostics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\TZI
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKEY_CURRENT_USER\HKCU\SOFTWARE\Roblox\RobloxStudioBrowser
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH
HKEY_CURRENT_USER\HKCU\SOFTWARE\Roblox
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_CURRENT_USER\2.0\0\win64
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Environment
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.Management.Infrastructure.Native__31bf3856ad364e35
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.3.0.Microsoft.WSMan.Management__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\ConsoleHostAssemblyName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.4.0.System.Web.Services__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.3.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\file
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.Microsoft.WSMan.Management__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_CLASSES_ROOT\DirectShow\MediaObjects\Categories\860bb310-5d01-11d0-bd3b-00a0c911ce86
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.1.0.Microsoft.Management.Infrastructure__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Net.Http__b03f5f7f11d50a3a
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.3.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Nursultan.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_CURRENT_USER\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit\Version
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseRyuJIT
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\BidInterface\Loader
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.1.0.Microsoft.Management.Infrastructure.Native__31bf3856ad364e35
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
Software\Microsoft\Cryptography\policy.4.0.System.IO.Compression.FileSystem__b77a5c561934e089
HKEY_CURRENT_USER\{00020430-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.4.0.System.Web.Services__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.Microsoft.PowerShell.Security__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\C:\|Windows\|System32\|WindowsPowerShell\|v1.0\|powershell.exe
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.3.0.Microsoft.PowerShell.ConsoleHost.resources_en-US_31bf3856ad364e35
HKEY_CURRENT_USER\{00020430-0000-0000-C000-000000000046}\2.0
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\HillClimbing_TargetSignalToNoiseRatio
HKEY_CURRENT_USER\HKCU\SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Transactions__b77a5c561934e089
HKEY_CURRENT_USER\2.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32\0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Web.Services__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
Software\Microsoft\Cryptography\policy.4.0.System.Dynamic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_CLASSES_ROOT\DirectShow\MediaObjects
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN\ServiceStackVersion
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
Software\Microsoft\Cryptography\v4.0_policy.4.0.System.Dynamic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.System.Management.Automation__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures
Software\Microsoft\Cryptography\v4.0_policy.4.0.System.IO.Compression__b77a5c561934e089
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.3.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.DirectoryServices__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ConsoleSessionConfiguration
HKEY_CLASSES_ROOT\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.ServiceProcess__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\NetFrameworkV4IsInstalled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Dynamic__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.3.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.1.0.Microsoft.Management.Infrastructure__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.EnterpriseServices__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Net.Http__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Caching__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKEY_CURRENT_USER\2.0\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.SMDiagnostics__b77a5c561934e089
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Windows\|System32\|WindowsPowerShell\|v1.0\|powershell.exe
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.3.0.Microsoft.PowerShell.Security__31bf3856ad364e35
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.Microsoft.PowerShell.Commands.Management__31bf3856ad364e35
Software\Microsoft\Cryptography\v4.0_policy.4.0.System.IO.Compression.FileSystem__b77a5c561934e089
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.Microsoft.WSMan.Management__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.3.0.Microsoft.WSMan.Management__31bf3856ad364e35
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\v4.0_policy.4.0.System.Transactions__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data__b77a5c561934e089
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FILEPROTOCOL_NOFINDFIRST_KB947853
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Caching__b03f5f7f11d50a3a
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextLockCount
HKEY_CLASSES_ROOT\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_CLASSES_ROOT\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\Dynamic DST
HKEY_CURRENT_USER\S-1-5-21-4270068108-2931534202-3907561125-1001_Classes\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine\PowerShellVersion
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Namespaces
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocHandler
HKEY_CURRENT_USER_Classes\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DirectShow\MediaObjects\Categories\860bb310-5d01-11d0-bd3b-00a0c911ce86
HKEY_CURRENT_USER_Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllVerifyCertificateChainPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\LocalServer
HKEY_CURRENT_USER_Classes\Folder\BrowseInPlace
HKEY_CURRENT_USER_Classes\DirectShow\MediaObjects\Categories\860bb310-5d01-11d0-bd3b-00a0c911ce86
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER_Classes\.exe
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCertificateChainPolicy
HKEY_CURRENT_USER_Classes\exefile
HKEY_CURRENT_USER_Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\LocalServer32
HKEY_CURRENT_USER_Classes\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Clsid
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder
HKEY_CURRENT_USER_Classes\exefile\BrowseInPlace
HKEY_CURRENT_USER_Classes
HKEY_CURRENT_USER_Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\InitPropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Elevation
HKEY_CURRENT_USER_Classes\Directory\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\LocalServer
HKEY_CURRENT_USER_Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
HKEY_CURRENT_USER_Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\63\52C64B7E
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocHandler32
HKEY_CURRENT_USER_Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DocObject
HKEY_CURRENT_USER_Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\InitPropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_CURRENT_USER_Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\Nursultan.exe
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\v4.0
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_CURRENT_USER_Classes\exefile\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\BrowseInPlace
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER_Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\LocalServer32
HKEY_CURRENT_USER_Classes\Folder\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7
HKEY_CURRENT_USER_Classes\DirectShow\MediaObjects
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs
HKEY_CURRENT_USER_Classes\exefile\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllDecodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\LocalServer
HKEY_CURRENT_USER_Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.exe\Clsid
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11d0-BD3B-00A0C911CE86}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\Packages
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\LocalServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}\LocalServer32
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\DocObject
HKEY_CURRENT_USER\Software\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\BrowseInPlace
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Namespaces
HKEY_CURRENT_USER_Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{62BE5D10-60EB-11D0-BD3B-00A0C911CE86}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.1.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\ShellEx\IconHandler
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe\Clsid
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER_Classes\exefile\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.11
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32
HKEY_CURRENT_USER_Classes\Directory\Clsid
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.exe
HKEY_CURRENT_USER_Classes\AllFilesystemObjects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\Elevation
HKEY_CURRENT_USER_Classes\Folder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\LocalServer
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocHandler32
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Registry Set (Top 25)

Key	Value
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\SystemCertificates\Root\Certificates\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD\Blob	5C 00 00 00 01 00 00 00 04 00 00 00 00 10 00 00 04 00 00 00 01 00 00 00 10 00 00 00 0D BE 92 DE FF 7D 36 BB 48 C4 A6 B1 15 24 95 38 0F 00 00 00 01 00 00 00 20 00 00 00 53 FE B9 19 2E D4 80 F2 09 12 4A 2C 57 D7 E8 97 7A 2E 9F 39 46 1D BF 21 4D F1 12 CB 16 02 4F A2 14 00 00 00 01 00 00 00 14 00 00 00 78 B8 30 FD 63 AC 7B 89 4A 07 3B ED F6 8A 83 9C C3 52 02 65 19 00 00 00 01 00 00 00 10 00 00 00 B5 74 AF 30 C5 C1 BA 3A 69 A7 10 02 00 82 4D D0 03 00 00 00 01 00 00 00 14 00 00 00 01 74 E6 8C 97 DD F1 E0 EE EA 41 5E A3 36 A1 63 D2 B6 1A FD 20 00 00 00 01 00 00 00 F8 05 00 00 30 82 05 F4 30 82 03 DC A0 03 02 01 02 02 09 00 E0 EA 61 4C 28 56 32 64 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 81 8E 31 0B 30 09 06 03 55 04 06 13 02 49 4C 31 0F 30 0D 06 03 55 04 08 0C 06 43 65 6E 74 65 72 31 0C 30 0A 06 03 55 04 07 0C 03 4C 6F 64 31 10 30 0E 06 03 55 04 0A 0C 07 47 6F 50 72 6F 78 79 31 10 30 0E 06 03 55 04 0B 0C 07 47 6F 50 72 6F 78 79 31 1A 30 18 06 03 55 04 03 0C 11 67 6F 70 72 6F 78 79 2E 67 69 74 68 75 62 2E 69 6
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32\FileDirectory	%windir%\tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32\MaxFileSize	1048576
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32\ConsoleTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32\FileTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32\EnableConsoleTracing	0
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32\EnableFileTracing	0
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS\FileDirectory	%windir%\tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS\MaxFileSize	1048576
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS\ConsoleTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS\FileTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS\EnableConsoleTracing	0
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS\EnableFileTracing	0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC3475	\xba\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x02\x06\x00\x00\x00\x00\x00\x05\x00\x00\x00\x6b\x50\x7e\x00\x02\x00\x00\x00\x87\xde\x83\x00\x02\x00\x00\x00\x90\xa6\xa1\x01\x87\x02\x00\x00\xa1\x9f\x5e\x00\x04\x00\x00\x00\xdb\xb4\xef\x00\x01\x00\x00\x00\xfe\xd3\x7a\x00\x05\x00\x01\x00\x00\x00\x08\x00\x00\x00\x18\x7d\xc7\x00\xee\x00\x00…
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect	0x00000000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe	\xe9\xca\xd7\x19\x91\x20\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%WINDIR%\System32\cmd.exe	\x4c\xd9\x8a\x2c\x91\x20\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob	\x0f\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x5a\x6d\x07\xb6\x37\x1d\x96\x6a\x2f\xb6\xba\x92\x82\x8c\xe5\x51\x2a\x49\x51\x3d\x09\x00\x00\x00\x01\x00\x00\x00\x68\x00\x00\x00\x30\x66\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x01\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x02\x06\x08\x2b\x06\x01\x05\x05\x07\x03\x03\x06\x08\x2b\x06\x01\x05\x05\x07\x03…
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdaterInternalService126.0.6462.0\Start	DWORD (0x00000002)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\GoogleUpdaterInternalService126.0.6462.0\ImagePath	“C:\Program Files (x86)\Google\GoogleUpdater\126.0.6462.0\updater.exe” –system –windows-service –service=update-internal
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM	—
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile	Binary Data
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASAPI32	—
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\Nursultan_RASMANCS	—
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie	—
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit	—
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32\EnableFileTracing	0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32\EnableAutoFileTracing	0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32\EnableConsoleTracing	0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32\FileTracingMask	-65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32\ConsoleTracingMask	-65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32\MaxFileSize	1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASAPI32\FileDirectory	%windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS\EnableFileTracing	0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS\EnableAutoFileTracing	0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS\EnableConsoleTracing	0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS\FileTracingMask	-65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS\ConsoleTracingMask	-65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS\MaxFileSize	1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Nursultan_RASMANCS\FileDirectory	%windir%\tracing
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit\Version	7
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\ProgramId	0006458946b1fd1149a7daf4df5cf6aa73e500000000
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\FileId	00001a05c61fff6e484e2a0eab6560c36293d533bf29
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\LowerCaseLongPath	c:\users\user\appdata\local\temp\nursultan.exe
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\LongPathHash	nursultan.exe\|7e216526e0bd18bb
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\Name	Nursultan.exe
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\Publisher	(
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\Version	1.0.0.0
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\BinFileVersion	1.0.0.0
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\BinaryType	pe32_clr_il

Show all (60 total)

Key	Value
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\ProductName	4@@productversion
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\ProductVersion	1.0.0.0
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\LinkDate	02/19/2053 18:54:36
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\BinProductVersion	1.0.0.0
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\Size	00 A6 03 00 00 00 00 00
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\Language	0
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\IsPeFile	1
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\IsOsComponent	0
\REGISTRY\A\{42ac9401-6db6-cba1-6cf2-8205514f85eb}\Root\InventoryApplicationFile\nursultan.exe\|7e216526e0bd18bb\Usn	F8 02 6F 86 00 00 00 00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord	52 43 43 E0 01 00 00 00 00 00 00 00 00 00 00 00 88 A3 F9 5A F8 7F 00 00 05 00 00 00 00 00 00 00 00 1

Services Started (Top 15)

Service
WSearch
SecurityHealthService

Services Opened (Top 15)

Service
WinDefend
dnsCache

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report