Category FILE
Started On 2018-05-28 13:38:15.533691
Completed On 2018-05-28 13:40:14.787883
Duration 119 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2018-05-28 13:38:17
Shutdown On 2018-05-28 13:40:14

File Details

File name 3646620a2eec40fe0844948b141f5342dc34d39b.exe
File size 2026920 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 45BE333F
MD5 d9fd368fb0a9f59a99cad0f96af3d9d7
SHA1 3646620a2eec40fe0844948b141f5342dc34d39b
SHA256 f00e6283ab567b04a6fb86c2a456208a56b6574fb3d776f48038aff97e338d50
SHA512 dc27c667bdc4dc456f4abbc74afd36bd0c930ef537469efa8ea1e6943558c0b257f57e05a14d693b2afd68e6ef307369b8a790e9ad7d0f95ac68c464a75746e6
Ssdeep None
PEiD None matched
Yara
  • Str_Win32_Http_API (Match Windows Http API call)
VirusTotal Permalink
VirusTotal Scan Date: 2018-05-24 02:28:42
Detection Rate: 3/65

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1527529235]=0): Snort Events=1, AV Events=0
Total Score=75

SNORT EVENTS:
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Dropped File/Buffer Yara Signatures:
0e67fad920e38890_serval.dll: Str_Win32_Http_API

Signatures

antivm_queries_computername
has_pdb
antivm_memory_available
dumped_buffer
openprocess_nonchild
allocates_rwx
antivm_disk_size
antivm_network_adapters
network_downloader_exe
overwites_files
privilege_luid_check
dumped_buffer2
Windows_Proxy_Tinkering
nolookup_communication
modifies_certificates

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

e3b0c44298fc1c14_AIEF8CD.tmp

4150ae6b41c104f1_Cab2E0.tmp

cc36d25f632741e4_Tar2E1.tmp

5ecd3ff2fb862db2_MSIA45.tmp

9f74d3c82bd3fa7d_MSIE23.tmp

6eacd52d73298f11_aief8cd.tmp

f545ec56bc9b690a_frame_right.bmp

4f92e804a1145338_new

3e9099b5015e8f48_c86bd7751d53f10f65aaad66bbdf33c7

dba117a25f8afe1a_removico

bce5b6de3a1c7af7_checkbox

56e64eaf6349ece0_sys_min_normal.png

3a0a5b69f9da7cae_metroinstallbutton

4801d63bd9bdc627_sys_close_down.png

bbcac1632131b21d_sys_close_normal.png

e917dc7bac3607b7_checkbox_for_ctrls

c1d0663131fe901d_sys_min_down.png

0403ed31d75dcc18_frame_caption_inactive.bmp

05c27d934bdd94df_exclamic

a8856bd3783a5fc3_repair.png

cea275dbb399bb7b_waitlogoicon

eda260871bba0927_whitebackground

52b0b4466f73d18b_77ec63bda74bd0d0e0426dc8f8008506

3afa4fc86f860411_modify.png

15405855866fa2b7_sys_close_hot.png

9467b2b79bb59466_c86bd7751d53f10f65aaad66bbdf33c7

c93be5a7c979c534_frame_right_inactive.bmp

030e5bb7b7fff395_viewreadmebutton

e5f4f6b5e24d6f7e_custicon

44ba930fd1be21b1_userreglogoicon

1d59fe11b3f1951c_frame_top_mid.bmp

ef40e1664427f888_header.jpg

afef25522f3973f2_optionslogoicon

17b5cd496d98db14_frame_top_right_inactive.bmp

564097adeb962659_viewer.exe

eb276449eb326a40_installlogoicon

a3b59dbc5a39d551_sys_min_inactive.png

7f0121322785c107_cmdlinkarrow

c155d93a173e880a_info

384ebd5800becadf_frame_bottom_right.bmp

205209facdebf400_frame_bottom_mid_inactive.bmp

bcbb601daa5a1394_sys_min_hot.png

573e3260eed63604_up

d5e9f3533cb7d727_frame_bottom_left_inactive.bmp

c178ed81de4aa8b0_runapplicationbutton

65172283ee04f2fa_nextcancelbuttons

520e5248975b3b8e_completi

728c6cc4230e5e5b_progressimage.png

0ee7650c7faf9712_preparedlgprogress.gif

6e5c2e9e923569f9_printico

f044f542bc464640_background

c615374a880b3990_checkbox_for_list_ctrls

914a0241a557591d_metrorunapplicationbutton

5c7b8366596a2caa_print.png

16e6e7662f3a2040_metrobuttonimage

251099323513ea86_insticon

4a8fa6335720d3e4_repairic

71836c56ec4765d8_backbutton

0e67fad920e38890_serval.dll

3a05e6decea8e68c_remove.png

f4302ee2090bc7d7_browsebutton

83bfdb826d2d753f_applogoicon

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_down.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\PrepareDlgProgress.gif
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_normal.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_left_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_caption_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\3646620a2eec40fe0844948b141f5342dc34d39b.exe
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_hot.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\Cab2E0.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_normal.png
  • C:\Windows\SysWOW64\mscoree.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_mid_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_inactive.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_mid.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_inactive.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_hot.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_left_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_mid.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\Header.jpg
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_down.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tar2E1.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\background
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_caption.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_mid_inactive.bmp
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\repair.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\runapplicationbutton
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\Up
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C86BD7751D53F10F65AAAD66BBDF33C7
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\PrepareDlgProgress.gif
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\removico
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\checkbox
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_inactive.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_normal.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\metroinstallbutton
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_down.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\PowerShellScriptLauncher.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_normal.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\checkbox_for_ctrls
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_down.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB33.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_caption_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\exclamic
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\aicustact.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIAF3.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\repairic
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  • C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp.part
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_hot.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\viewreadmebutton
  • C:\Users\Harry Dresden\AppData\Local\Temp\Cab2E0.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\metrorunapplicationbutton
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C86BD7751D53F10F65AAAD66BBDF33C7
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\custicon
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\userreglogoicon
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSI3F90.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB13.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_mid_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\viewer.exe
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\optionslogoicon
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIE23.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_mid_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\installlogoicon
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_inactive.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\waitlogoicon
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\cmdlinkarrow
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\info
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_mid.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_hot.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_left_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_mid.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\New
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\Header.jpg
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\print.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_left_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\modify.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tar2E1.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\nextcancelbuttons
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\completi
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\ProgressImage.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\printico
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB54.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\background
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\checkbox_for_list_ctrls
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_caption.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIA45.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\metrobuttonimage
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\insticon
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\backbutton
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIAD3.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\serval.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\remove.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\browsebutton
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\applogoicon
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\whitebackground
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\Cab2E0.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB54.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB33.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB13.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIA45.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIAD3.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tar2E1.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIAF3.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIE23.tmp
File-Opened
  • C:\Windows\System32\wshqos.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_down.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_left_inactive.bmp
  • C:\Windows\AppPatch\sysmain.sdb
  • C:\
  • C:\Windows\SysWOW64\
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_normal.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left_inactive.bmp
  • C:\Windows\System32\msimsg.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_down.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIA45.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_caption_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIAF3.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\3646620a2eec40fe0844948b141f5342dc34d39b.exe
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_hot.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\Cab2E0.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\PrepareDlgProgress.gif
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_right.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_normal.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSI3F90.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB13.tmp
  • C:\Windows\SysWOW64\mscoree.dll
  • C:\Windows\System32\en-US\wshtcpip.dll.mui
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_right_inactive.bmp
  • C:\Windows\SysWOW64\en-US\sxs.DLL.mui
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIE23.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_mid_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_inactive.png
  • C:\Windows\AppPatch\msimain.sdb
  • C:\Windows\System32\en-US\wshqos.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_close_inactive.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\sys_min_hot.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_left_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_left.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_mid.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_right.bmp
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\Header.jpg
  • C:\Windows\System32\en-US\wship6.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tar2E1.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_right_inactive.bmp
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_mid.bmp
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\fusion.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB54.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_caption.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIB33.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_top_left.bmp
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\frame_bottom_mid_inactive.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272\background
  • C:\Windows\SysWOW64\sxs.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\MSIAD3.tmp
  • C:\Users\Harry Dresden\AppData\LocalLow
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp.part -> C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp
Network-Connects Host
  • mtga-client.dl.wizards.com
Directory-Created
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\History
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • C:\Users\Harry Dresden\AppData\Local\Temp\AI_EXTUI_BIN_2272
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Cookies
  • C:\Users
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden\AppData
Directory-Enumerated
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Windows\SysWOW64\*.*
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\Microsoft.NET\Framework\*
  • C:\Users\Harry Dresden\AppData\Local\Temp\AIEF8CD.tmp.part
  • C:\Windows\SysWOW64\mscoree.dll
  • C:\Windows
  • C:\Users
  • C:\Windows\SysWOW64
  • C:\Users\Harry Dresden\AppData
  • C:\Windows\SysWOW64\*
Registry Key-Opened
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll
  • HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll\{462EF42B-ABA4-4eac-9843-9EED260F54D0}
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\9A7FC00C588A6FA44BE0726C586806C3
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\F8142E4A9429952479373AA6783DAEFB
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\9A7FC00C588A6FA44BE0726C586806C3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\F8142E4A9429952479373AA6783DAEFB
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\v4.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll\{462EF42B-ABA4-4eac-9843-9EED260F54D0}\Relative Files
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\F8142E4A9429952479373AA6783DAEFB
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F8142E4A9429952479373AA6783DAEFB\InstallProperties
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\UpgradeCodes\9A7FC00C588A6FA44BE0726C586806C3
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll\{462EF42B-ABA4-4eac-9843-9EED260F54D0}\Registry Keys
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Registry Key-Read