Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-10-14 10:54:05 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File:           AgentServerRuntimedhcpcommon.exe
Type:           PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
SHA-1:          e95e5e7458461df6d8da25b6ce6e6baf833107a1
MD5:            6d2e0014b5965596ddd772a533842696
First Seen:     2025-09-14 13:55:45.556227
Last Analysis:  2025-09-15 07:15:27.504701
Dwell Time:     0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)            Event                         Elapsed
2025-09-08 09:49:58   First VirusTotal submission
2025-09-19 07:07:40   Latest analysis snapshot      10 days, 21 hours, 17 minutes
2025-10-14 10:54:05   Report generation time        36 days, 1 hour, 4 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 58. Missed: 15. Coverage: 79.5%.

Detected Vendors

  • Xcitium
  • +57 additional vendors (names not provided)

List includes Xcitium plus an additional 57 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • Cynet
  • DrWeb
  • Jiangmin
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • TrendMicro
  • Yandex
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Significant process manipulation (75.18% of behavior) suggests code injection, process hollowing, or privilege escalation techniques. The malware is actively compromising running processes to hide its activities.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category          Weight   Percentage
Process           3743     75.18%
System             494      9.92%
Registry           366      7.35%
File System        272      5.46%
Misc                44      0.88%
Crypto              40      0.80%
Synchronization      9      0.18%
Threading            6      0.12%
Device               3      0.06%
Hooking              1      0.02%
Windows              1      0.02%

MITRE ATT&CK Mapping

  • T1140 – decode data using Base64 in .NET
  • T1620 – invoke .NET assembly method
  • T1129 – link function at runtime on Windows
  • T1083 – get common file path
  • T1083 – check if file exists
  • T1027 – encrypt data using AES via .NET
  • T1564 – A process created a hidden window
  • T1202 – Uses Windows utilities for basic functionality
  • T1036 – A file was accessed within the Public folder.
  • T1548 – A file was accessed within the Public folder.
  • T1027 – The binary likely contains encrypted or compressed data
  • T1564.003 – A process created a hidden window
  • T1027.002 – The binary likely contains encrypted or compressed data
  • T1082 – Checks available memory
  • T1082 – Access the NetLogon registry key, potentially used for discovery or tampering
  • T1012 – Access the NetLogon registry key, potentially used for discovery or tampering
  • T1071 – Resolves a suspicious Top Level Domain (TLD)
  • T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
  • T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • T1071 – Reads from the memory of another process
  • T1071 – Reads data out of its own binary image
  • T1071 – Binary file triggered YARA rule
  • T1071 – A process attempted to delay the analysis task for a long period of time.
  • T1106 – Guard page use detected (possible anti-debugging).
  • T1059 – Executed a command line with a /C or /R argument so the command shell terminates on completion, which can be used to hide execution
  • T1129 – The process attempted to dynamically load a malicious function
  • T1140 – Detected an attempt to extract data from the binary image
  • T1129 – The process tried to dynamically load one or more functions.
  • T1057 – The process tried to detect a debugger by probing the use of page guards.
  • T1057 – The process attempted to detect a running debugger using common APIs
  • T1071 – The process behaves as a known keylogger (iSpy)

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain             IP              Country         ASN/Org
www.msftncsi.com   23.200.3.20     United States   Akamai Technologies, Inc.
www.aieov.com      76.223.54.146   United States   Amazon.com, Inc.

Observed IPs

IP                Country         ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4           United States   Google LLC
8.8.8.8           United States   Google LLC

DNS Queries

Request            Type
5isohu.com         A
www.msftncsi.com   A
www.aieov.com      A

Port Distribution

Port   Count   Protocols
137    1       udp
5355   5       udp
53     6       udp
3702   1       udp

UDP Packets

Source IP       Dest IP           Sport   Dport   Time                  Proto
192.168.56.13   192.168.56.255    137     137     3.242061138153076     udp
192.168.56.13   224.0.0.252       49311   5355    5.740099906921387     udp
192.168.56.13   224.0.0.252       55150   5355    3.1715450286865234    udp
192.168.56.13   224.0.0.252       60010   5355    5.182020902633667     udp
192.168.56.13   224.0.0.252       62406   5355    3.1739799976348877    udp
192.168.56.13   224.0.0.252       63527   5355    4.895452976226807     udp
192.168.56.13   239.255.255.250   52252   3702    3.1812400817871094    udp
192.168.56.13   8.8.4.4           54879   53      7.742377042770386     udp
192.168.56.13   8.8.4.4           54881   53      7.460367918014526     udp
192.168.56.13   8.8.4.4           58697   53      22.882637977600098    udp
192.168.56.13   8.8.8.8           54879   53      8.741464138031006     udp
192.168.56.13   8.8.8.8           54881   53      8.460328102111816     udp
192.168.56.13   8.8.8.8           58697   53      21.88318705558777     udp

Note: every captured packet is UDP: NetBIOS name service (port 137) to the subnet broadcast address, LLMNR (5355) and WS-Discovery (3702) to their standard multicast groups, and DNS (53) to Google's public resolvers. None of these is command-and-control traffic by itself; the DNS lookups for the domains listed above are the part worth correlating with endpoint telemetry.

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; the full lists follow where available.

Registry Opened:   102
Registry Set:      35
Services Started:  2
Services Opened:   4

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\ci.dll,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0
Policy\Standards
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7\Name
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseRyuJIT
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.76.6.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7
Remaining keys (102 total):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.37!7\Name
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SpotifyStartupTask.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.92.1.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\ci.dll,-101
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.10.3.42!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Std
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.2!7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\79\52C64B7E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Volatile-KeyRoam-EXCLUSIVE

Registry Set (Top 25)

Key = Value
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASMANCS\FileDirectory = %windir%\tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASMANCS\MaxFileSize = 1048576
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASMANCS\ConsoleTracingMask = 4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASMANCS\FileTracingMask = 4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASMANCS\EnableConsoleTracing = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASMANCS\EnableFileTracing = 0
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\0c2380bdb5c9a56c31fcae11c25795660fabbe3c\de3ac2963140ced18ea2a4eb64d0579dc88bfe60 = H4sIAAAAAAAEAN2TsQ6CQBBEf4VQGwPByk4RiYpiDImFa3EsC148WHJA8PM9MbHwE26bLTZTvJnZmxsuAc4hgJJ5B7C2ZOb0Inf2g5MNqqEggFE2iitu/u4ZszL0I+X4IHySttaJTZJYGrPmSova2UpFhvAoUXPHZe+kZSnRRP/d/gLA94LAOg/QeDB0pD81FmqqsGjbQvTC/DajUAA91S3AKdpH3iG9RqssvoQ7f9Lf3ww9dngJBAAA
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASAPI32\FileDirectory = %windir%\tracing
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASAPI32\MaxFileSize = 1048576
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASAPI32\ConsoleTracingMask = 4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASAPI32\FileTracingMask = 4294901760
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASAPI32\EnableConsoleTracing = 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\winlogon_RASAPI32\EnableFileTracing = 0
HKEY_CURRENT_USER\SOFTWARE\0c2380bdb5c9a56c31fcae11c25795660fabbe3c\de3ac2963140ced18ea2a4eb64d0579dc88bfe60 = H4sIAAAAAAAEAIWOW0vDQBCF/0rok4KEXNpiffNSwYdCoGofHAnbzSRZmuwss7Mm/femgiCUIvN45vvO+Zg93gEUTA2rPno2HfroarxdXgPolqnHMnBX1ii6RS7nSZ6VaZIu80WySubTj2fvYxxxdnMuAnixgmxRovXoOmJkANOr5hQNxk4nl9jfERujmTzVArCuGtzh/t3gAHDvXGe0EkMWIM2yOImzfLmIVxlATVYq/mrJ/9W/eeSptwj7CZwE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASAPI32\EnableFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASAPI32\EnableAutoFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASAPI32\EnableConsoleTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASAPI32\FileTracingMask = 18446744073709486080
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASAPI32\ConsoleTracingMask = 18446744073709486080
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASAPI32\MaxFileSize = 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASAPI32\FileDirectory = %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASMANCS\EnableFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASMANCS\EnableAutoFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASMANCS\EnableConsoleTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASMANCS\FileTracingMask = 18446744073709486080
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASMANCS\ConsoleTracingMask = 18446744073709486080
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASMANCS\MaxFileSize = 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\SpotifyStartupTask_RASMANCS\FileDirectory = %windir%\tracing
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\2F\AAF68885\LanguageList = zh-CN
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\System32\fveui.dll,-843 = BitLocker 驱动器加密
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\System32\fveui.dll,-844 = BitLocker 数据恢复代理
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103 = 域名系统(DNS)服务器信任
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042 = 对等信任
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\system32\qagentrt.dll,-10 = 系统健康身份验证
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\LanguageList = zh-CN

Note: the Tracing and MuiCache entries are routine Windows housekeeping. The two values written under the hash-named key (HKCU\SOFTWARE\0c2380bdb5c9a56c31fcae11c25795660fabbe3c\de3ac2963140ced18ea2a4eb64d0579dc88bfe60, also listed under its HKEY_USERS SID path) both begin with H4sI, the Base64 encoding of a gzip header, so they hold compressed data stored by the sample itself and are the registry artifacts worth hunting for.

Services Started (Top 15)

Service
BITS
WSearch

Services Opened (Top 15)

Service
SSTPSVC
AudioSrv
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
