FormBook Trojan Disguised as Shipping Documents


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-10-20 13:34:20 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: Shipping documents.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
SHA-1: bde843908783ea9da392e73fa0c447ea2c250fdf
MD5: 5d86882d965a3d1e6e08cc2de6ef50d6
First Seen: 2025-09-14 13:48:20.302196
Last Analysis: 2025-09-15 07:15:25.043536
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 17+ hours, this malware remained undetected — a half-day window that permitted the adversary to complete initial execution, establish basic persistence, and perform initial system enumeration.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-12 02:32:35 UTC First VirusTotal submission —
2025-09-19 06:48:30 UTC Latest analysis snapshot 7 days, 4 hours, 15 minutes
2025-10-20 13:34:20 UTC Report generation time 38 days, 11 hours, 1 minute

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 58. Missed: 15. Coverage: 79.5%.

Detected Vendors

  • Xcitium
  • +57 additional vendors (names not provided)

List includes Xcitium plus an additional 57 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • ClamAV
  • CMC
  • Jiangmin
  • NANO-Antivirus
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Webroot
  • Yandex
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (78.90% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 778 78.90%
File System 151 15.31%
Registry 22 2.23%
Process 19 1.93%
Windows 5 0.51%
Misc 3 0.30%
Synchronization 3 0.30%
Threading 2 0.20%
Device 2 0.20%
Hooking 1 0.10%

MITRE ATT&CK Mapping

  • T1027.002 – packed with generic packer
  • T1027.002 – packed with UPX
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1027 – The binary likely contains encrypted or compressed data
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary likely contains encrypted or compressed data
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1005 – Searches for sensitive browser data
  • T1005 – Reads sensitive browser data
  • T1012 – Query OS Information
  • T1012 – Possibly does reconnaissance
  • T1027.002 – Creates a page with write and execute permissions
  • T1027.002 – Resolves API functions dynamically
  • T1055 – Writes into the memory of another process
  • T1055 – Modifies control flow of another process
  • T1057 – Enumerates running processes
  • T1071.001 – Downloads file
  • T1071.004 – Performs DNS request
  • T1082 – Enumerates running processes
  • T1082 – Query OS Information
  • T1083 – Searches for sensitive browser data
  • T1083 – Possibly does reconnaissance
  • T1095 – Connects to remote host
  • T1105 – Downloads file
  • T1106 – Tries to detect kernel debugger
  • T1106 – Makes direct system call to possibly evade hooking based monitoring
  • T1115 – Captures clipboard data
  • T1119 – Searches for sensitive browser data
  • T1119 – Reads sensitive browser data
  • T1129 – Loads a dropped DLL
  • T1497.003 – Delays execution
  • T1552.001 – Searches for sensitive browser data
  • T1555.003 – Reads sensitive browser data
  • T1564.003 – Creates process with hidden window
  • T1622 – Tries to detect debugger
  • T1622 – Tries to detect kernel debugger
  • T1129 – The process attempted to dynamically load a malicious function
  • T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
  • T1129 – The process tried to load dynamically one or more functions.
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1071 – Detected HTTP requests to some non white-listed domains
  • T1057 – The process attempted to detect a running debugger using common APIs

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.200.3.20 United States Akamai Technologies, Inc.
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
5355 5 udp
53 6 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 3.244745969772339 udp
192.168.56.13 224.0.0.252 49311 5355 5.728908061981201 udp
192.168.56.13 224.0.0.252 55150 5355 3.172900915145874 udp
192.168.56.13 224.0.0.252 60010 5355 5.283443927764893 udp
192.168.56.13 224.0.0.252 62406 5355 3.1775009632110596 udp
192.168.56.13 224.0.0.252 63527 5355 3.5457539558410645 udp
192.168.56.13 239.255.255.250 52252 3702 3.1810109615325928 udp
192.168.56.13 8.8.4.4 54879 53 7.931753873825073 udp
192.168.56.13 8.8.4.4 54881 53 6.400424003601074 udp
192.168.56.13 8.8.4.4 58697 53 21.821913957595825 udp
192.168.56.13 8.8.8.8 54879 53 8.932036876678467 udp
192.168.56.13 8.8.8.8 54881 53 7.400186061859131 udp
192.168.56.13 8.8.8.8 58697 53 20.82317590713501 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles, with the full lists following where available.

Registry Opened: 40
Registry Set: 25
Services Started: 1
Services Opened: 0

Registry Opened (Top 25)

Key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\a44d88fba08a5547a1aaad50659b22d8
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\22165c4f0be62c48b2e3e9aef6ce3db3
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ae0727370bd4364ea1d3e75390877e70
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\94ba7772fb349a48ba2cc741623a1549
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\81fb1dc666658c4bb96e792ef5ce3051
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\c1b3326b5fa84f45970fa09da288db37
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\4b31ac339b3c6047a5607d10314f5a05
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook

Registry Set (Top 25)

Key Value
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\22165c4f0be62c48b2e3e9aef6ce3db3
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\4b31ac339b3c6047a5607d10314f5a05
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\81fb1dc666658c4bb96e792ef5ce3051
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\94ba7772fb349a48ba2cc741623a1549
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\a44d88fba08a5547a1aaad50659b22d8
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ae0727370bd4364ea1d3e75390877e70
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\c1b3326b5fa84f45970fa09da288db37
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a

Services Started (Top 15)

Service
VaultSvc

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
