MSIL XWorm Payload Exhibits Trojan Activity and Portmap C2 Communication


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-27 12:50:46 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
clzw4noy2.exe
Type
Generic CIL Executable (.NET, Mono, etc.)
SHA‑1
29b48448e5ce6f57eb9e1495ec66ef30c0be9059
MD5
d43e25545233c17a55f974d8bb087237
First Seen
2025-11-25 08:01:53.446040
Last Analysis
2025-11-25 09:01:54.669976
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-11-12 03:51:37 UTC First VirusTotal submission
2025-11-27 06:59:19 UTC Latest analysis snapshot 15 days, 3 hours, 7 minutes
2025-11-27 12:50:46 UTC Report generation time 15 days, 8 hours, 59 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 59. Missed: 14. Coverage: 80.8%.

Detected Vendors

  • Xcitium
  • +58 additional vendors (names not provided)

List includes Xcitium plus an additional 58 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Alibaba
  • Antiy-AVL
  • Baidu
  • CMC
  • Cynet
  • google_safebrowsing
  • Jiangmin
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Webroot
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (69.00% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 1536 69.00%
Registry 268 12.04%
File System 179 8.04%
Process 126 5.66%
Misc 59 2.65%
Crypto 19 0.85%
Threading 15 0.67%
Synchronization 10 0.45%
Network 8 0.36%
Device 4 0.18%
Hooking 1 0.04%
Windows 1 0.04%

MITRE ATT&CK Mapping

  • T1083 – get common file path
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1083 – check if file exists
  • T1560.002 – compress data using GZip in .NET
  • T1027 – encode data using Base64
  • T1033 – get session integrity level
  • T1070.004 – self delete
  • T1047 – access WMI data in .NET
  • T1113 – capture screenshot
  • T1620 – invoke .NET assembly method
  • T1082 – get hostname
  • T1213 – reference WMI statements
  • T1082 – get OS version in .NET
  • T1105 – download and write a file
  • T1082 – get disk size
  • T1620 – load .NET assembly
  • T1033 – get session user name
  • T1087 – get session user name
  • T1112 – delete registry key
  • T1082 – get number of processors
  • T1012 – query or enumerate registry value
  • T1140 – decode data using Base64 in .NET
  • T1033 – Collects and encrypts information about the computer likely to send to C2 server
  • T1082 – Checks available memory
  • T1071 – Binary file triggered YARA rule
  • T1071 – Resolves a suspicious Top Level Domain (TLD)
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
  • T1106 – Guard pages use detected – possible anti-debugging.
  • T1560 – Collects and encrypts information about the computer likely to send to C2 server
  • T1047 – Checks if Antivirus program is installed (via WMI)
  • T1047 – Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  • T1112 – Stores large binary data to the registry
  • T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
  • T1497 – Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  • T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1140 – .NET source code contains calls to encryption/decryption functions
  • T1027.002 – .NET source code contains method to dynamically call methods (often used by packers)
  • T1027.002 – .NET source code contains potential unpacker
  • T1518.001 – Checks if Antivirus program is installed (via WMI)
  • T1518.001 – Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  • T1082 – Queries the cryptographic machine GUID
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1082 – Checks the free space of harddrives
  • T1560 – .NET source code contains calls to encryption/decryption functions
  • T1571 – Detected TCP or UDP traffic on non-standard ports
  • T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.
www.msftncsi.com 23.200.3.20 United States Akamai Technologies, Inc.
twetywew83-32536.portmap.host 193.161.193.99 Russian Federation OOO GETWIFI

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
twetywew83-32536.portmap.host A
www.aieov.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 5 udp
53 52 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 8.378253936767578 udp
192.168.56.13 224.0.0.252 49311 5355 10.862565994262695 udp
192.168.56.13 224.0.0.252 55150 5355 8.308883905410767 udp
192.168.56.13 224.0.0.252 60010 5355 10.318042039871216 udp
192.168.56.13 224.0.0.252 62406 5355 8.310983896255493 udp
192.168.56.13 224.0.0.252 63527 5355 8.472657918930054 udp
192.168.56.13 239.255.255.250 52252 3702 8.320741891860962 udp
192.168.56.13 8.8.4.4 50554 53 131.04007005691528 udp
192.168.56.13 8.8.4.4 53518 53 224.98711490631104 udp
192.168.56.13 8.8.4.4 53985 53 347.53417110443115 udp
192.168.56.13 8.8.4.4 54879 53 12.878381967544556 udp
192.168.56.13 8.8.4.4 54881 53 11.061662912368774 udp
192.168.56.13 8.8.4.4 55551 53 163.65888905525208 udp
192.168.56.13 8.8.4.4 55743 53 333.174693107605 udp
192.168.56.13 8.8.4.4 56086 53 304.5655961036682 udp
192.168.56.13 8.8.4.4 56197 53 149.2844250202179 udp
192.168.56.13 8.8.4.4 56908 53 361.893522977829 udp
192.168.56.13 8.8.4.4 57065 53 243.23726201057434 udp
192.168.56.13 8.8.4.4 57310 53 55.34679889678955 udp
192.168.56.13 8.8.4.4 57415 53 69.70575499534607 udp
192.168.56.13 8.8.4.4 58697 53 20.781135082244873 udp
192.168.56.13 8.8.4.4 58920 53 84.06538105010986 udp
192.168.56.13 8.8.4.4 59610 53 271.95590901374817 udp
192.168.56.13 8.8.4.4 60543 53 210.62808990478516 udp
192.168.56.13 8.8.4.4 60780 53 290.20600295066833 udp
192.168.56.13 8.8.4.4 60910 53 102.31529092788696 udp
192.168.56.13 8.8.4.4 61004 53 178.0180149078369 udp
192.168.56.13 8.8.4.4 61800 53 318.9247040748596 udp
192.168.56.13 8.8.4.4 62493 53 40.7684440612793 udp
192.168.56.13 8.8.4.4 62849 53 26.40865397453308 udp
192.168.56.13 8.8.4.4 64533 53 196.2686529159546 udp
192.168.56.13 8.8.4.4 64801 53 116.67489790916443 udp
192.168.56.13 8.8.4.4 64886 53 257.59653997421265 udp
192.168.56.13 8.8.8.8 50554 53 130.03411197662354 udp
192.168.56.13 8.8.8.8 53518 53 223.98762893676758 udp
192.168.56.13 8.8.8.8 53985 53 346.5357201099396 udp
192.168.56.13 8.8.8.8 54879 53 13.877969026565552 udp
192.168.56.13 8.8.8.8 54881 53 12.04952597618103 udp
192.168.56.13 8.8.8.8 55551 53 162.6610460281372 udp
192.168.56.13 8.8.8.8 55743 53 332.1781210899353 udp
192.168.56.13 8.8.8.8 56086 53 303.56549406051636 udp
192.168.56.13 8.8.8.8 56197 53 148.28465294837952 udp
192.168.56.13 8.8.8.8 56908 53 360.8948290348053 udp
192.168.56.13 8.8.8.8 57065 53 242.23736596107483 udp
192.168.56.13 8.8.8.8 57310 53 54.34712505340576 udp
192.168.56.13 8.8.8.8 57415 53 68.70607995986938 udp
192.168.56.13 8.8.8.8 58697 53 21.768404006958008 udp
192.168.56.13 8.8.8.8 58920 53 83.06550598144531 udp
192.168.56.13 8.8.8.8 59610 53 270.95611691474915 udp
192.168.56.13 8.8.8.8 60543 53 209.64092588424683 udp
192.168.56.13 8.8.8.8 60780 53 289.2075979709625 udp
192.168.56.13 8.8.8.8 60910 53 101.31558609008789 udp
192.168.56.13 8.8.8.8 61004 53 177.01899409294128 udp
192.168.56.13 8.8.8.8 61800 53 317.92496609687805 udp
192.168.56.13 8.8.8.8 62493 53 39.77031207084656 udp
192.168.56.13 8.8.8.8 62849 53 25.409306049346924 udp
192.168.56.13 8.8.8.8 64533 53 195.2695291042328 udp
192.168.56.13 8.8.8.8 64801 53 115.67493104934692 udp
192.168.56.13 8.8.8.8 64886 53 256.5969309806824 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

371

Registry Set

6

Services Started

2

Services Opened

2

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\FeatureBits
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fVPN 2012.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer32
Show all (371 total)
Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\fVPN 2012.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AlwaysReadHKCRForCLSIDs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseRyuJIT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_CURRENT_USER\Software\899A34CB785F521B3558\CEA86D652A6F8A3EFB651CE6E4796B94497918B904A82E27A8F3F9842E603ECA
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Dlt
HKEY_CLASSES_ROOT\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_CURRENT_USER\Control Panel\International
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_CLASSES_ROOT\DirectShow\MediaObjects
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_CLASSES_ROOT\CLSID
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit\Version
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_CURRENT_USER\Software\899A34CB785F521B3558
Software\899A34CB785F521B3558\CEA86D652A6F8A3EFB651CE6E4796B94497918B904A82E27A8F3F9842E603ECA
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseRyuJIT
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|azure|Downloads|fVPN 2012.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit\{860BB310-5D01-11D0-BD3B-00A0C911CE86}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\VFW
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|azure|Downloads|fVPN 2012.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\HillClimbing_TargetSignalToNoiseRatio
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ProcessID
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ObjectLimit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum 64-bit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\C:|Users|azure|Downloads|fVPN 2012.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\0x0
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\0x0
HKEY_CURRENT_USER\Software\899A34CB785F521B3558\49EF4716EE261031D1C6977EFE6AFC47EBCF012BC87219A78F21786B46AA0DE2
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_CURRENT_USER_Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER_Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_CURRENT_USER_Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_CURRENT_USER_Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\v4.0
HKEY_CURRENT_USER_Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\Elevation
HKEY_CURRENT_USER_Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}
HKEY_CURRENT_USER_Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_CURRENT_USER_Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control
HKEY_CURRENT_USER_Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\TreatAs
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\SYSTEM
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_CURRENT_USER_Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocHandler
HKEY_CURRENT_USER_Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\Elevation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip6
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\Elevation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_CURRENT_USER_Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_CURRENT_USER_Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\LocalServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\LocalServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fVPN 2012.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\policy\standards\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F309AD18-D86A-11D0-A075-00C04FB68820}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}
HKEY_CURRENT_USER_Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\Elevation
HKEY_CURRENT_USER_Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_CURRENT_USER\Software\BD7381F7A484F6D5CA48
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_CURRENT_USER_Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7D35CFA-348B-485E-B524-252725D697CA}\TreatAs
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CURRENT_USER_Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_CURRENT_USER_Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_CURRENT_USER_Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\InprocServer32
HKEY_CURRENT_USER_Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_CURRENT_USER_Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EB87E1BD-3233-11D2-AEC9-00C04FB68820}\LocalServer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

Registry Set (Top 25)

Key Value
HKEY_CURRENT_USER\Software\899A34CB785F521B3558\CEA86D652A6F8A3EFB651CE6E4796B94497918B904A82E27A8F3F9842E603ECA
HKEY_CURRENT_USER\Software\899A34CB785F521B3558\49EF4716EE261031D1C6977EFE6AFC47EBCF012BC87219A78F21786B46AA0DE2 䘀謟
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
HKEY_CURRENT_USER\Software\BD7381F7A484F6D5CA48
HKEY_CURRENT_USER\Software\BD7381F7A484F6D5CA48\CEA86D652A6F8A3EFB651CE6E4796B94497918B904A82E27A8F3F9842E603ECA 00 4A 00 00 1F 8B 08 00 00 00 00 00 04 00 ED 7C 0B 78 1B D5 95 F0 99 D1 68 66 24 59 B2 25 C7 B2 92 D

Services Started (Top 15)

Service
BITS
WSearch

Services Opened (Top 15)

Service
VaultSvc
dnsCache

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top