Analysis

Category Package Started Completed Duration Options Log(s)
FILE exe 2025-06-11 10:22:10 2025-06-11 10:39:48 1058 seconds
procmemdump=1
import_reconstruction=1
unpacker=2
norefer=1
no-iat=1
2024-11-25 13:37:14,959 [root] INFO: Date set to: 20250611T07:25:50, timeout set to: 1000
2025-06-11 08:25:50,019 [root] DEBUG: Starting analyzer from: C:\tmp_gell1p8
2025-06-11 08:25:50,019 [root] DEBUG: Storing results at: C:\gHzlKZ
2025-06-11 08:25:50,019 [root] DEBUG: Pipe server name: \\.\PIPE\rHrtLqJID
2025-06-11 08:25:50,019 [root] DEBUG: Python path: C:\Users\Packager\AppData\Local\Programs\Python\Python310-32
2025-06-11 08:25:50,019 [root] INFO: analysis running as an admin
2025-06-11 08:25:50,019 [root] INFO: analysis package specified: "exe"
2025-06-11 08:25:50,019 [root] DEBUG: importing analysis package module: "modules.packages.exe"...
2025-06-11 08:25:50,988 [root] DEBUG: imported analysis package "exe"
2025-06-11 08:25:50,988 [root] DEBUG: initializing analysis package "exe"...
2025-06-11 08:25:50,988 [lib.common.common] INFO: wrapping
2025-06-11 08:25:50,988 [lib.core.compound] INFO: C:\Users\Packager\AppData\Local\Temp already exists, skipping creation
2025-06-11 08:25:50,988 [root] DEBUG: New location of moved file: C:\Users\Packager\AppData\Local\Temp\powershell.exe
2025-06-11 08:25:50,988 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL option
2025-06-11 08:25:50,988 [root] INFO: Analyzer: Package modules.packages.exe does not specify a DLL_64 option
2025-06-11 08:25:50,988 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader option
2025-06-11 08:25:50,988 [root] INFO: Analyzer: Package modules.packages.exe does not specify a loader_64 option
2025-06-11 08:25:51,316 [root] DEBUG: Imported auxiliary module "modules.auxiliary.browser"
2025-06-11 08:25:51,332 [root] DEBUG: Imported auxiliary module "modules.auxiliary.digisig"
2025-06-11 08:25:51,379 [root] DEBUG: Imported auxiliary module "modules.auxiliary.disguise"
2025-06-11 08:25:51,394 [root] DEBUG: Imported auxiliary module "modules.auxiliary.human"
2025-06-11 08:25:51,410 [lib.api.screenshot] DEBUG: Importing 'PIL.ImageChops'
2025-06-11 08:25:51,410 [lib.api.screenshot] ERROR: No module named 'PIL'
2025-06-11 08:25:51,410 [root] DEBUG: Imported auxiliary module "modules.auxiliary.screenshots"
2025-06-11 08:25:51,488 [root] DEBUG: Imported auxiliary module "modules.auxiliary.tlsdump"
2025-06-11 08:25:51,488 [root] DEBUG: Initialized auxiliary module "Browser"
2025-06-11 08:25:51,503 [root] DEBUG: attempting to configure 'Browser' from data
2025-06-11 08:25:51,503 [root] DEBUG: module Browser does not support data configuration, ignoring
2025-06-11 08:25:51,503 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.browser"...
2025-06-11 08:25:51,503 [root] DEBUG: Started auxiliary module modules.auxiliary.browser
2025-06-11 08:25:51,503 [root] DEBUG: Initialized auxiliary module "DigiSig"
2025-06-11 08:25:51,503 [root] DEBUG: attempting to configure 'DigiSig' from data
2025-06-11 08:25:51,503 [root] DEBUG: module DigiSig does not support data configuration, ignoring
2025-06-11 08:25:51,503 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.digisig"...
2025-06-11 08:25:51,503 [modules.auxiliary.digisig] DEBUG: Checking for a digital signature
2025-06-11 08:25:51,675 [modules.auxiliary.digisig] DEBUG: File is not signed
2025-06-11 08:25:51,675 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2025-06-11 08:25:51,675 [root] DEBUG: Started auxiliary module modules.auxiliary.digisig
2025-06-11 08:25:51,675 [root] DEBUG: Initialized auxiliary module "Disguise"
2025-06-11 08:25:51,675 [root] DEBUG: attempting to configure 'Disguise' from data
2025-06-11 08:25:51,675 [root] DEBUG: module Disguise does not support data configuration, ignoring
2025-06-11 08:25:51,675 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.disguise"...
2025-06-11 08:25:51,675 [modules.auxiliary.disguise] INFO: Disguising GUID to 0cc594cc-feba-4a5b-a55d-bf6cf6b2e84f
2025-06-11 08:25:51,675 [root] DEBUG: Started auxiliary module modules.auxiliary.disguise
2025-06-11 08:25:51,675 [root] DEBUG: Initialized auxiliary module "Human"
2025-06-11 08:25:51,675 [root] DEBUG: attempting to configure 'Human' from data
2025-06-11 08:25:51,675 [root] DEBUG: module Human does not support data configuration, ignoring
2025-06-11 08:25:51,675 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.human"...
2025-06-11 08:25:51,675 [root] DEBUG: Started auxiliary module modules.auxiliary.human
2025-06-11 08:25:51,675 [root] DEBUG: Initialized auxiliary module "Screenshots"
2025-06-11 08:25:51,675 [root] DEBUG: attempting to configure 'Screenshots' from data
2025-06-11 08:25:51,691 [root] DEBUG: module Screenshots does not support data configuration, ignoring
2025-06-11 08:25:51,691 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.screenshots"...
2025-06-11 08:25:51,691 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2025-06-11 08:25:51,691 [root] DEBUG: Started auxiliary module modules.auxiliary.screenshots
2025-06-11 08:25:51,691 [root] DEBUG: Initialized auxiliary module "TLSDumpMasterSecrets"
2025-06-11 08:25:51,691 [root] DEBUG: attempting to configure 'TLSDumpMasterSecrets' from data
2025-06-11 08:25:51,691 [root] DEBUG: module TLSDumpMasterSecrets does not support data configuration, ignoring
2025-06-11 08:25:51,691 [root] DEBUG: Trying to start auxiliary module "modules.auxiliary.tlsdump"...
2025-06-11 08:25:51,691 [modules.auxiliary.tlsdump] INFO: lsass.exe found, pid 696
2025-06-11 08:25:51,722 [lib.api.process] INFO: Monitor config for <Process 696 lsass.exe>: C:\tmp_gell1p8\dll\696.ini
2025-06-11 08:25:51,722 [lib.api.process] INFO: Option 'procmemdump' with value '1' sent to monitor
2025-06-11 08:25:51,722 [lib.api.process] INFO: Option 'import_reconstruction' with value '1' sent to monitor
2025-06-11 08:25:51,722 [lib.api.process] INFO: Option 'unpacker' with value '2' sent to monitor
2025-06-11 08:25:51,722 [lib.api.process] INFO: Option 'norefer' with value '1' sent to monitor
2025-06-11 08:25:51,722 [lib.api.process] INFO: Option 'no-iat' with value '1' sent to monitor
2025-06-11 08:25:51,722 [lib.api.process] INFO: Option 'tlsdump' with value '1' sent to monitor
2025-06-11 08:25:51,722 [lib.api.process] INFO: 64-bit DLL to inject is C:\tmp_gell1p8\dll\yOjggjR.dll, loader C:\tmp_gell1p8\bin\xkGaAUPF.exe
2025-06-11 08:25:51,785 [root] DEBUG: Loader: IAT patching disabled.
2025-06-11 08:25:51,785 [root] DEBUG: Loader: Injecting process 696 with C:\tmp_gell1p8\dll\yOjggjR.dll.
2025-06-11 08:25:51,832 [root] DEBUG: 696: Python path set to 'C:\Users\Packager\AppData\Local\Programs\Python\Python310-32'.
2025-06-11 08:25:51,832 [root] INFO: Disabling sleep skipping.
2025-06-11 08:25:51,832 [root] DEBUG: 696: Full process memory dumps enabled.
2025-06-11 08:25:51,832 [root] DEBUG: 696: Import reconstruction of process dumps enabled.
2025-06-11 08:25:51,832 [root] DEBUG: 696: Active unpacking of payloads enabled
2025-06-11 08:25:51,832 [root] DEBUG: 696: CAPE debug - unrecognised key norefer.
2025-06-11 08:25:51,832 [root] DEBUG: 696: TLS secret dump mode enabled.
2025-06-11 08:25:51,847 [root] DEBUG: 696: InternalYaraScan: Scanning 0x00007FF84A790000, size 0x1f4542
2025-06-11 08:25:51,847 [root] DEBUG: 696: InternalYaraScan hit: RtlInsertInvertedFunctionTable
2025-06-11 08:25:51,847 [root] DEBUG: 696: RtlInsertInvertedFunctionTable 0x00007FF84A7A090E, LdrpInvertedFunctionTableSRWLock 0x00007FF84A8FB4F0
2025-06-11 08:25:51,847 [root] DEBUG: 696: Monitor initialised: 64-bit capemon loaded in process 696 at 0x00007FF8234D0000, thread 4648, image base 0x00007FF60D500000, stack from 0x0000008EFACF4000-0x0000008EFAD00000
2025-06-11 08:25:51,847 [root] DEBUG: 696: Commandline: C:\Windows\system32\lsass.exe
2025-06-11 08:25:51,863 [root] DEBUG: 696: Hooked 5 out of 5 functions
2025-06-11 08:25:51,863 [root] DEBUG: InjectDllViaThread: Successfully injected Dll into process via RtlCreateUserThread.
2025-06-11 08:25:51,863 [root] DEBUG: Successfully injected DLL C:\tmp_gell1p8\dll\yOjggjR.dll.
2025-06-11 08:25:51,863 [lib.api.process] INFO: Injected into 64-bit <Process 696 lsass.exe>
2025-06-11 08:25:51,863 [root <truncated>

    

    

    

Machine

Name Label Manager Started On Shutdown On Route
win10-2 win10-2 KVM 2025-06-11 10:22:10 2025-06-11 10:39:28 none

File Details

File Name powershell.exe
File Type PE32 executable (console) Intel 80386, for MS Windows
File Size 431104 bytes
MD5 83767e18db29b51a804a9e312d0ed99c
SHA1 e6bcade7272afdf52d963d0626a1dd4d26b39a7e
SHA256 1ee3d7c80d075d64f97d04d036e558043f2f6bc959c87cd5b0a6d53b96b96a0f
SHA3-384 1968c652ca9d612c7db09b50dd932d854f3be25f67da06be505d55c08fa1097f628c04efd3bbb633b463ec02e28ba17e
CRC32 E23E1B09
TLSH T1DF947D836BD45291EC3BC431DC3745610622BCB9DAD09BDB99C8F67D09702D09A3EE6B
Ssdeep 6144:i0ye4FWwO9sV1yZywi/PzNKXzJ7BapCK5d3klRzULOnWyjLsPhAQzqOP:ixW2KXzJ4pdd3klnnWosPhnzqI

PE Information

Image Base Entry Point Reported Checksum Actual Checksum Minimum OS Version PDB Path Compile Time Import Hash Icon Icon Exact Hash Icon Similarity Hash Icon DHash
0x00400000 0x000099d0 0x00072304 0x00072304 10.0 powershell.pdb 2030-01-23 22:46:06 d1a922c94a1f407cb2bbcad033c8ed7a 211310fa36c43b67f4b9dd836a6d1e84 3ef19c85b9689424e7450af5fb583bf6 10acd8b2b2ece609

Version Infos

CompanyName Microsoft Corporation
FileDescription Windows PowerShell
FileVersion 10.0.17763.1 (WinBuild.160101.0800)
InternalName POWERSHELL
LegalCopyright © Microsoft Corporation. All rights reserved.
OriginalFilename PowerShell.EXE
ProductName Microsoft® Windows® Operating System
ProductVersion 10.0.17763.1
Translation 0x0409 0x04b0

Sections

Name RAW Address Virtual Address Virtual Size Size of Raw Data Characteristics Entropy
.text 0x00000400 0x00001000 0x0000ed48 0x0000ee00 IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ 5.67
.data 0x0000f200 0x00010000 0x000008f0 0x00000400 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE 4.26
.idata 0x0000f600 0x00011000 0x00000ce4 0x00000e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.28
.rsrc 0x00010400 0x00012000 0x00057d88 0x00057e00 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ 5.31
.reloc 0x00068200 0x0006a000 0x00001158 0x00001200 IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_DISCARDABLE|IMAGE_SCN_MEM_READ 6.40

Name Offset Size Language Sub-language Entropy File type
MUI 0x00069cb0 0x000000d8 LANG_ENGLISH SUBLANG_ENGLISH_US 2.65 None
RT_ICON 0x00012c48 0x00002fbe LANG_ENGLISH SUBLANG_ENGLISH_US 7.90 None
RT_ICON 0x00015c08 0x00004228 LANG_ENGLISH SUBLANG_ENGLISH_US 4.24 None
RT_ICON 0x00019e30 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.34 None
RT_ICON 0x0001c3d8 0x00001a68 LANG_ENGLISH SUBLANG_ENGLISH_US 4.17 None
RT_ICON 0x0001de40 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.58 None
RT_ICON 0x0001eee8 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 4.70 None
RT_ICON 0x0001f870 0x000006b8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.76 None
RT_ICON 0x0001ff28 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 4.91 None
RT_ICON 0x00020408 0x00000668 LANG_ENGLISH SUBLANG_ENGLISH_US 3.46 None
RT_ICON 0x00020a70 0x000002e8 LANG_ENGLISH SUBLANG_ENGLISH_US 4.03 None
RT_ICON 0x00020d58 0x000001e8 LANG_ENGLISH SUBLANG_ENGLISH_US 3.99 None
RT_ICON 0x00020f40 0x00000128 LANG_ENGLISH SUBLANG_ENGLISH_US 3.73 None
RT_ICON 0x00021068 0x00000ea8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.26 None
RT_ICON 0x00021f10 0x000008a8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.02 None
RT_ICON 0x000227b8 0x000006c8 LANG_ENGLISH SUBLANG_ENGLISH_US 6.24 None
RT_ICON 0x00022e80 0x00000568 LANG_ENGLISH SUBLANG_ENGLISH_US 4.68 None
RT_ICON 0x000233e8 0x00042028 LANG_ENGLISH SUBLANG_ENGLISH_US 5.16 None
RT_ICON 0x00065410 0x000025a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.39 None
RT_ICON 0x000679b8 0x000010a8 LANG_ENGLISH SUBLANG_ENGLISH_US 5.76 None
RT_ICON 0x00068a60 0x00000988 LANG_ENGLISH SUBLANG_ENGLISH_US 5.89 None
RT_ICON 0x000693e8 0x00000468 LANG_ENGLISH SUBLANG_ENGLISH_US 5.59 None
RT_GROUP_ICON 0x00020390 0x00000076 LANG_ENGLISH SUBLANG_ENGLISH_US 2.96 None
RT_GROUP_ICON 0x00069850 0x000000bc LANG_ENGLISH SUBLANG_ENGLISH_US 3.12 None
RT_VERSION 0x00069910 0x0000039c LANG_ENGLISH SUBLANG_ENGLISH_US 3.46 None
RT_MANIFEST 0x000125a0 0x000006a3 LANG_ENGLISH SUBLANG_ENGLISH_US 5.10 None

Imports

Name Address
?terminate@@YAXXZ 0x411144
_onexit 0x411148
__dllonexit 0x41114c
_unlock 0x411150
_lock 0x411154
??1type_info@@UAE@XZ 0x411158
_initterm 0x41115c
_controlfp 0x411160
_except_handler4_common 0x411164
_vsnwprintf 0x411168
_wcsicmp 0x41116c
_wcsnicmp 0x411170
bsearch 0x411174
memcpy 0x411178
_wfopen 0x41117c
_itow_s 0x411180
wcstoul 0x411184
??0exception@@QAE@ABQBD@Z 0x411188
wcschr 0x41118c
memmove_s 0x411190
__uncaught_exception 0x411194
__setusermatherr 0x411198
__p__fmode 0x41119c
_cexit 0x4111a0
_exit 0x4111a4
exit 0x4111a8
__set_app_type 0x4111ac
__wgetmainargs 0x4111b0
_amsg_exit 0x4111b4
__p__commode 0x4111b8
_XcptFilter 0x4111bc
_CxxThrowException 0x4111c0
_callnewh 0x4111c4
?what@exception@@UBEPBDXZ 0x4111c8
??1exception@@UAE@XZ 0x4111cc
??0exception@@QAE@ABV0@@Z 0x4111d0
??0exception@@QAE@XZ 0x4111d4
malloc 0x4111d8
wcsncmp 0x4111dc
wcsrchr 0x4111e0
free 0x4111e4
_purecall 0x4111e8
memcpy_s 0x4111ec
__CxxFrameHandler3 0x4111f0
fclose 0x4111f4
memcmp 0x4111f8
memset 0x4111fc
Name Address
Name Address
VariantClear 0x411118
SysFreeString 0x41111c
SysAllocString 0x411120
SafeArrayPutElement 0x411124
SysStringLen 0x411128
SafeArrayCreate 0x41112c
Name Address
RegOpenKeyExW 0x411000
RegCloseKey 0x411004
RegQueryValueExW 0x411008
RegGetValueW 0x41100c
RegEnumKeyExW 0x411010
Name Address
CoInitializeEx 0x4110fc
PropVariantClear 0x411100
CoInitialize 0x411104
CoTaskMemAlloc 0x411108
CoUninitialize 0x41110c
CoCreateInstance 0x411110
Name Address
LoadStringW 0x411134
Name Address
CorBindToRuntimeEx 0x41113c



Usage


Processing ( 93.63 seconds )

  • 82.03 ProcessMemory
  • 10.761 CAPE
  • 0.831 BehaviorAnalysis
  • 0.007 AnalysisInfo
  • 0.001 Debug

Signatures ( 0.17 seconds )

  • 0.031 antiav_detectreg
  • 0.013 territorial_disputes_sigs
  • 0.012 infostealer_ftp
  • 0.009 ransomware_files
  • 0.007 antianalysis_detectfile
  • 0.007 antianalysis_detectreg
  • 0.007 antiav_detectfile
  • 0.007 infostealer_im
  • 0.007 masquerade_process_name
  • 0.006 ransomware_extensions
  • 0.005 infostealer_bitcoin
  • 0.005 infostealer_mail
  • 0.003 antidebug_devices
  • 0.003 antivm_vbox_files
  • 0.003 antivm_vbox_keys
  • 0.003 poullight_files
  • 0.003 ursnif_behavior
  • 0.002 antivm_generic_diskreg
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vmware_keys
  • 0.002 ketrican_regkeys
  • 0.002 geodo_banking_trojan
  • 0.001 antivm_hyperv_keys
  • 0.001 antivm_vbox_devices
  • 0.001 antivm_vmware_files
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 browser_security
  • 0.001 bypass_firewall
  • 0.001 registry_credential_store_access
  • 0.001 darkcomet_regkeys
  • 0.001 disables_backups
  • 0.001 disables_browser_warn
  • 0.001 disables_power_options
  • 0.001 azorult_mutexes
  • 0.001 cryptbot_files
  • 0.001 echelon_files
  • 0.001 qulab_files
  • 0.001 revil_mutexes
  • 0.001 limerat_regkeys
  • 0.001 modirat_behavior
  • 0.001 rat_pcclient
  • 0.001 warzonerat_regkeys
  • 0.001 recon_fingerprint
  • 0.001 remcos_regkeys
  • 0.001 lokibot_mutexes
  • 0.001 suspicious_command_tools
  • 0.001 uses_windows_utilities

Reporting ( 0.51 seconds )

  • 0.469 CAPASummary
  • 0.037 JsonDump

Signatures

Checks available memory
Queries the keyboard layout
SetUnhandledExceptionFilter detected (possible anti-debug)
At least one process apparently crashed during execution
Possible date expiration check, exits too soon after checking local time
process: FileCoAuth.exe, PID 2224
Anomalous file deletion behavior detected (10+)
file: C:\Users\Packager\AppData\Local\Temp\__PSScriptPolicyTest_goouq1ya.wld.ps1
file: C:\Users\Packager\AppData\Local\Temp\__PSScriptPolicyTest_3khquldv.ywa.psm1
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.2133.5764.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.2125.4072.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.2052.6960.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.2028.1120.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.1913.1964.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.1854.2316.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.1845.6048.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.1816.5756.1.odl
file: C:\Users\Packager\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-25.1741.6072.1.odl
Guard pages use detected - possible anti-debugging.
At least one IP Address, Domain, or File Name was found in a crypto call
ioc: https://go.microsoft.com/fwlink/
Resumed a thread in another process
thread_resumed: Process powershell.exe with process ID 6208 resumed a thread in another process with the process ID 6208
Creates RWX memory
Checks the system manufacturer, likely for anti-virtualization
Process: FileCoAuth.exe (2224)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Process: FileCoAuth.exe (1584)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Process: FileCoAuth.exe (4864)
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
Yara detections observed in process dumps, payloads or dropped files
Hit: PID 4988 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 2260 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 6112 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 2224 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 4864 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 1584 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Hit: PID 6208 triggered the Yara rule 'shellcode_get_eip' with data '['{ E8 00 00 00 00 58 }']'
Anomalous binary characteristics
anomaly: Entrypoint of binary is located outside of any mapped sections
Binary compilation timestomping detected
anomaly: Compilation timestamp is in the future
The PE file contains a suspicious PDB path
anomaly: the pdb path contains a suspicious string
pdbpath: powershell.pdb
Enumerates physical drives
physical drive access: \??\PHYSICALDRIVE0
physical drive access: \??\PhysicalDrive0
Attempts to interact with an Alternate Data Stream (ADS)
file: C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION
file: \??\Volume{01989354-0000-0000-0000-100000000000}\$Extend\$Quota:$Q:$INDEX_ALLOCATION
file: \??\Volume{01989354-0000-0000-0000-300300000000}\$Extend\$Quota:$Q:$INDEX_ALLOCATION
file: \??\Volume{01989354-0000-0000-0000-10e03f000000}\$Extend\$Quota:$Q:$INDEX_ALLOCATION

Screenshots

No screenshots available.

Hosts

No hosts contacted.

DNS

No domains contacted.

Summary

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{AE50C081-EBD2-438A-8655-8A092E34987A}\PropertyBag
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\3\KnownFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Recent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\powershell.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_JumpListItems
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\3\ConsoleHostShortcutTarget
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\3\PowerShellEngine\PowerShellVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\3\PowerShellEngine\RuntimeVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\3\PowerShellEngine\ConsoleHostAssemblyName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\3\PowerShellEngine\NetFrameworkV4IsInstalled
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.Microsoft.PowerShell.ConsoleHost__31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsRuntime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\DllPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Threading
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\TrustLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\RemoteServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateAsUser
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateInSharedBroker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateInBrokerForMediumILContainer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\Permissions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.Diagnostics.AsyncCausalityTracer\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\CustomLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\ExtendedLocale
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.3.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.3.0.System.Management.Automation.resources_en-US_31bf3856ad364e35
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-64934406-199802361-3218922526-1001\Installer\Assemblies\C:|Users|Packager|AppData|Local|Temp|powershell.exe
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|Packager|AppData|Local|Temp|powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|Packager|AppData|Local|Temp|powershell.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-64934406-199802361-3218922526-1001\Installer\Assemblies\Global
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\WSMAN\ServiceStackVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000000-0000-0000-0000-000000000000}\InProcServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProgramData
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Public
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\Default
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\FeatureBits
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2781761E-28E0-4109-99FE-B9D127C57AFE}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Wintrust\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9F3053C5-439D-4BF7-8A77-04F0450A1D9F}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptSIPDllPutSignedDataMsg
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertSyncDeltaTime
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\ChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxVerifySignatureCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxIssuerDepth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxPathCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\CryptnetPreFetchTriggerPeriodSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableWeakSignatureFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MinRsaPubKeyBitLength
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRsaPubKeyTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\ChainCacheResyncFiletime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\EnableStrictChecksFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default\WeakMD5AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default\WeakMD5ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default\WeakMD5AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartyAfterTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default\WeakSHA1AllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default\WeakSHA1ThirdPartySha256Allow
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Config\Default\WeakSHA1AllSha256Allow
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakRSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAThirdPartyFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default\WeakECDSAAllFlags
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllOpenStoreProv
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA\PhysicalStores
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\State\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Windows PowerShell\PowerShell
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International\Calendars\TwoDigitYearMax
HKEY_CURRENT_USER\Control Panel\International
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_CURRENT_USER\Software\Policies\Microsoft\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_CURRENT_USER\Control Panel\Desktop\LanguageConfiguration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MRT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableLocalAdminMerge
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\InstallLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Features
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\MpEngine
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\MpEngine
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_CURRENT_USER\Software\Microsoft\OneDrive
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\FileCoAuthTelemetryRampStatus
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2025
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2024
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
HKEY_CURRENT_USER\Software\Classes\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\AppID\FileCoAuth.exe
HKEY_LOCAL_MACHINE\Software\Classes\AppID\FileCoAuth.exe
HKEY_CURRENT_USER\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\Software\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{389510B7-9E58-40D7-98BF-60B911CB0EA9}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\TreatAs
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocHandler
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InprocHandler
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\LocalServer32
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\LocalServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\AppID
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\LocalServer
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\LocalServer
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\Elevation
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\Elevation
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\MainAccount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\UserFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\cid
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\DisplayName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\UserEmail
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\Business
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\SharePointOnPrem
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\FirstRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\EdpManaged
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\RootAddedToFavorites
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\TenantAddedToFavorites
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\HasMadeFirstUpload
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\IsUpgradeAvailable
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\CrashDetectionKey
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\EnableADALForSilentBusinessConfig
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\LastKnownCloudFilesEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\WamWebAccountId
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal\AuthenticationURLs
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal\Tenants
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal\ScopeIdToMountPointPathCache
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\LastMigrationScanResult
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\PreSignInRampOverrides
HKEY_CURRENT_USER\Software\Microsoft\OneDrive\PreSignInSettingsOverrides
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SQMClient
HKEY_LOCAL_MACHINE\Software\Microsoft\SQMClient
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SQMClient\MSFTInternal
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SQMClient\IsTest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905E63B6-C1BF-494E-B29C-65B732D3D21A}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\InitFolderHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\PropertyBag
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\UpdateRingPostAuthConditions
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\ClickToRun\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\Applicability
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\Applicability\EnablePreviewBuilds
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\OneDrive
HKEY_CURRENT_USER\Software\Policies\Microsoft\OneDrive
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableEnterpriseUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableOrgInternalUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableTeamTier_Internal
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableFasterRingUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\MachineId
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\DisablePersonalSync
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Cimom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Nls\Sorting\Ids
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\wmiprvse.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_CLASSES_ROOT\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\InprocServer32\(Default)
HKEY_CLASSES_ROOT\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\InprocServer32\Synchronization
HKEY_CLASSES_ROOT\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertLastSyncTime
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\AutoFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableAutoFlushProcessNameList
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\AutoFlushFirstDeltaSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\AutoFlushNextDeltaSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Security\Safety Warning Level
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\__PSLockdownPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dlt
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment\PSMODULEPATH
HKEY_CURRENT_USER\Environment\PSMODULEPATH
HKEY_CURRENT_USER\Control Panel\International\sYearMonth
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
HKEY_CURRENT_USER\Control Panel\Desktop\PreferredUILanguages
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableLocalAdminMerge
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\InstallLocation
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\MpEngine_DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\AllowScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\EnableRemoteManagedDefaults
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\FileCoAuthTelemetryRampStatus
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2025
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2024
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{94269C4E-071A-4116-90E6-52E557067E4E}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{A926714B-7BFC-4D08-A035-80021395FFA8}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{71DCE5D6-4B57-496B-AC21-CD5B54EB93FD}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\Interface\{6A821279-AB49-48F8-9A27-F6C59B4FF024}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\InprocServer32
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\ThreadingModel
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\AppID
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\MainAccount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\UserFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\cid
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\DisplayName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\UserEmail
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\Business
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\SharePointOnPrem
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\FirstRun
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\EdpManaged
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\RootAddedToFavorites
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\TenantAddedToFavorites
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\HasMadeFirstUpload
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\IsUpgradeAvailable
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\CrashDetectionKey
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\EnableADALForSilentBusinessConfig
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\LastKnownCloudFilesEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\WamWebAccountId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts\Personal\LastMigrationScanResult
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SQMClient\MSFTInternal
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\SQMClient\IsTest
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Category
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Name
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\ParentFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Description
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\RelativePath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\ParsingName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\InfoTip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\LocalizedName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Icon
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\StreamResource
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\StreamResourceType
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\LocalRedirectOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Roamable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\PreCreate
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Stream
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\PublishExpandedPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\DefinitionFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\FolderTypeID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\InitFolderHandler
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\UpdateRingPostAuthConditions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\Applicability\EnablePreviewBuilds
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableEnterpriseUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableOrgInternalUpdate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableTeamTier_Internal
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\EnableFasterRingUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\MachineId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\DisablePersonalSync
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Sink Transmit Buffer Size
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\DefaultRpcStackSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\000603xx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D4781CD6-E5D3-44DF-AD94-930EFE48A887}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9F6C78EF-FCE5-42FA-ABEA-3E7DF91921DC}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{9556DC99-828C-11CF-A37E-00AA003240C7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\EnableObjectValidation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B7B31DF9-D515-11D3-A11C-00105A1F515A}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{07435309-D440-41B7-83F3-EB82DB6C622F}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{21CD80A2-B305-4F37-9D4C-4534A8D9B568}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{06413D98-405C-4A5A-8D6F-19B8B7C6ACF7}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\InprocServer32\Synchronization
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C683A5C-32B8-47cd-AC28-4B292414D032}\AppId
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{027947E1-D731-11CE-A357-000000000001}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{1C1C45EE-4395-11D2-B60B-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{423EC01E-2E35-11D2-B604-00104B703EFD}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F50A28CF-5C9C-4F7E-9D80-E25E16E18C59}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E245105B-B06E-11D0-AD61-00C04FD8FDFF}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FD450835-CF1B-4C87-9FD2-5E0D42FDE081}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{6B3FC272-BF37-4968-933A-6DF9222A2607}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{0FC8C622-1728-4149-A57F-AD19D0970710}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FEC1B0AC-5808-4033-A915-C0185934581E}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{EB658B8A-7A64-4DDC-9B8D-A92610DB0206}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7C857801-7381-11CF-884D-00AA004B2E24}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\InprocServer32\ThreadingModel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71285C44-1DC0-11D2-B5FB-00104B703EFD}\AppID
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-14
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-12
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-10
ntdll.dll.RtlWow64GetCurrentMachine
ntdll.dll.RtlWow64IsWowGuestMachineSupported
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Packager\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
C:\Windows\System32\SecurityHealthHost.exe {08728914-3F57-4D52-9E31-49DAECA5A80A} -Embedding
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
Local\SM0:6208:168:WilStaging_02
Local\SM0:2224:168:WilStaging_02
Local\SM0:1584:168:WilStaging_02
Local\SM0:4864:168:WilStaging_02
Local\SM0:1028:304:WilStaging_02
wuauserv
camsvc
smphost
No results
Sorry! No behavior.
Sorry! No strace.
Sorry! No tracee.

No hosts contacted.

No TCP connections recorded.

No UDP connections recorded.

No domains contacted.

HTTP Requests

No HTTP(s) requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No Suricata Extracted files.
Sorry! No dropped files.
Sorry! No CAPE files.
Sorry! No process dumps.