Spyware Drops via PowerShell Defender Exclusions and Shellcode Loader


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-10-28 09:09:35 UTC

Executive Overview — What We’re Dealing With

Human experts classified this specimen as Malware, and the sandbox telemetry agrees: a capable, evasive Trojan that tampers with Windows Defender, hides its PowerShell child process, looks for its controller through a domain generation algorithm, and hunts for browser data. It was caught within a day of first sighting, which is what kept the impact contained.

File: 6k1rv.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
SHA-1: 5e692ad5f156c44b6c1a98c412f1d5f66e34a9a7
MD5: b1df291235fdf41b2c892be0e0e011e7
First Seen: 2025-09-14 13:33:52.027022 UTC
Last Analysis: 2025-09-15 07:15:20.033525 UTC
Dwell Time: 0 days, 17 hours, 41 minutes (First Seen to Last Analysis)

Dwell Time Impact

For roughly 17 hours and 41 minutes, between first sighting and the last analysis snapshot, this malware went undetected: a window of under a day, but long enough for initial execution, a scheduled-task foothold, and system enumeration, all three of which appear in the behavioral telemetry below.

Comparative Context

Industry studies report a median dwell time of weeks rather than hours (Mandiant's M-Trends reports gave global medians of 24 and 21 days for 2020 and 2021). Against that baseline, this case is rapid detection and containment: hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-12 05:27:28 UTC First VirusTotal submission
2025-09-19 06:43:24 UTC Latest analysis snapshot 7 days, 1 hour, 15 minutes
2025-10-28 09:09:35 UTC Report generation time 46 days, 3 hours, 42 minutes

Note: this timeline is keyed to VirusTotal submission dates, which do not agree with the First Seen and Last Analysis stamps in the summary above (2025-09-14 and 2025-09-15). The two evidently come from different telemetry sources; the dwell-time figure uses the summary pair.

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 54. Missed: 18. Coverage: 75.0%.

Detected Vendors

  • Xcitium
  • 53 additional vendors (names not provided in the source summary)

Missed Vendors

  • Acronis
  • Baidu
  • ClamAV
  • CMC
  • Fortinet
  • google_safebrowsing
  • huorong
  • Jiangmin
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • ViRobot
  • Webroot
  • Yandex
  • Zillya
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Nearly three quarters of the weighted behavior (73.24%) is system-level activity. The registry telemetry below shows what most of that is: certificate-store and environment lookups made through the Windows crypto and PowerShell runtimes, plus sandbox checks and delayed execution. That is reconnaissance and evasion rather than evidence of privilege escalation; the one clearly elevated action visible in the telemetry is a value write under HKLM\Software\Classes.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 364 73.24%
Process 36 7.24%
Network 28 5.63%
File System 26 5.23%
Registry 26 5.23%
Device 8 1.61%
Threading 6 1.21%
Hooking 1 0.20%
Misc 1 0.20%
Windows 1 0.20%

MITRE ATT&CK Mapping

The mappings below are the sandbox's automatic signature-to-technique output, with technique names added and duplicates merged. Three entries were re-pointed to the technique their description actually belongs to; the ID the sandbox emitted is shown in brackets.

  • T1005 Data from Local System – Searches for sensitive browser data
  • T1012 Query Registry – Possibly does reconnaissance
  • T1027.002 Obfuscated Files or Information: Software Packing – Creates a page with write and execute permissions (an RWX allocation is also what the shellcode loader in the title needs)
  • T1027.007 Obfuscated Files or Information: Dynamic API Resolution – Resolves API functions dynamically [emitted as T1027.002]
  • T1053.005 Scheduled Task/Job: Scheduled Task – Schedules task
  • T1057 Process Discovery – Enumerates running processes [also emitted under T1082]
  • T1071.004 Application Layer Protocol: DNS – Performs DNS request
  • T1082 System Information Discovery – Query OS Information [also emitted under T1564.003]
  • T1083 File and Directory Discovery – Searches for sensitive browser data
  • T1095 Non-Application Layer Protocol – Connects to remote host
  • T1119 Automated Collection – Searches for sensitive browser data
  • T1124 System Time Discovery – Tries to detect analyzer sandbox (timing checks)
  • T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion – Delays execution; tries to detect analyzer sandbox
  • T1552.001 Unsecured Credentials: Credentials In Files – Searches for sensitive browser data
  • T1559.001 Inter-Process Communication: Component Object Model – Schedules task (the COM mapping points to the Task Scheduler interface rather than schtasks.exe)
  • T1562.001 Impair Defenses: Disable or Modify Tools – Modifies Windows Defender configuration
  • T1564.003 Hide Artifacts: Hidden Window – Creates process with hidden window

Following the Trail — Network & DNS Activity

The capture contains no TCP sessions at all: every packet is UDP, and 106 of the 114 are DNS queries to 8.8.8.8 and 8.8.4.4. Each source port appears twice, about one second apart, first to 8.8.8.8 and then to 8.8.4.4, which is the Windows stub resolver retrying its secondary server after the first query went unanswered; the 106 packets therefore represent about 53 lookups. One series of them runs on a strict 12-second timer (38.6, 50.6, 62.6 … 362.6 s) with a second, irregular series interleaved. The names queried tell the story: apart from www.msftncsi.com (the Windows network-connectivity probe, OS traffic rather than the sample's), www.aieov.com and 5isohu.com, all 29 remaining names are exactly 16 lowercase letters under .xyz, the signature of a domain generation algorithm (DGA) walking through candidate C2 names. Only two of them resolved (ukukuwgyyqyigueq.xyz and gimmgqiyciskoseu.xyz, both to 84.201.0.0/16 addresses in Germany), and no connection to either appears in the capture, so the sample never reached a live controller during the sandbox window. The remaining UDP traffic (NetBIOS on 137/138, LLMNR on 5355, WS-Discovery on 3702) is ordinary Windows background noise.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.
www.msftncsi.com 23.200.3.18 United States Akamai Technologies, Inc.
ukukuwgyyqyigueq.xyz 84.201.4.188 Germany Not known
gimmgqiyciskoseu.xyz 84.201.5.221 Germany Not known

www.msftncsi.com is the Windows Network Connectivity Status Indicator probe and is contacted by the OS, not by the sample. Of the 29 generated .xyz names queried, only the two above resolved; treat those names and 84.201.4.188 / 84.201.5.221 as the live indicators from this run.

Observed IPs

IP Country ASN/Org
224.0.0.252 (LLMNR multicast group, link-local, not routed)
239.255.255.250 (SSDP/WS-Discovery multicast group, not routed)
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A
ukukuwgyyqyigueq.xyz A
kqqauykcwyuyowms.xyz A
ukkuikuueauckcii.xyz A
gimmgqiyciskoseu.xyz A
awagyiegqqqoyosy.xyz A
eesegsmoyqyswiso.xyz A
muaousemuweagiys.xyz A
imqeyakykmqcysas.xyz A
awakcysikkugkyyy.xyz A
ukyigkkaqoiisgam.xyz A
wowqmeyquycssscy.xyz A
mucuqyksgyywseeu.xyz A
awyouqwaeqyuaweu.xyz A
ysmwwycmmgekeggc.xyz A
oykaqgoegegkckma.xyz A
kqqgeoyygciqwmio.xyz A
sgmuummcwmmacwyi.xyz A
gikwoaeauguwamis.xyz A
sgswqoyqgguiomeu.xyz A
ukoogcywiwskqase.xyz A
oyokkocwwuckiuco.xyz A
oyakaqycsseuykqk.xyz A
oygagmioescwqwie.xyz A
oysqqkwycocaymek.xyz A
caaoogyeeyoeooui.xyz A
cawykeouksacosym.xyz A
imumcwooosmewguk.xyz A
gigekiwwigyyaquo.xyz A


Port Distribution

Port Count Protocol Service
137 1 udp NetBIOS name service (subnet broadcast)
138 1 udp NetBIOS datagram service (subnet broadcast)
5355 5 udp LLMNR (multicast)
53 106 udp DNS (to 8.8.8.8 / 8.8.4.4)
3702 1 udp WS-Discovery (multicast)

UDP Packets

Source IP Dest IP Sport Dport Time (seconds from start of capture) Proto
192.168.56.13 192.168.56.255 137 137 3.244393825531006 udp
192.168.56.13 192.168.56.255 138 138 9.276124000549316 udp
192.168.56.13 224.0.0.252 49311 5355 5.76046085357666 udp
192.168.56.13 224.0.0.252 55150 5355 3.1731488704681396 udp
192.168.56.13 224.0.0.252 60010 5355 5.1837568283081055 udp
192.168.56.13 224.0.0.252 62406 5355 3.1792898178100586 udp
192.168.56.13 224.0.0.252 63527 5355 4.710832834243774 udp
192.168.56.13 239.255.255.250 52252 3702 3.1892149448394775 udp
192.168.56.13 8.8.4.4 50335 53 344.0722668170929 udp
192.168.56.13 8.8.4.4 50554 53 80.60349702835083 udp
192.168.56.13 8.8.4.4 52284 53 255.6037139892578 udp
192.168.56.13 8.8.4.4 52955 53 286.7442469596863 udp
192.168.56.13 8.8.4.4 53136 53 329.7124779224396 udp
192.168.56.13 8.8.4.4 53518 53 123.6036548614502 udp
192.168.56.13 8.8.4.4 53616 53 268.49438285827637 udp
192.168.56.13 8.8.4.4 53657 53 363.6037108898163 udp
192.168.56.13 8.8.4.4 53825 53 221.52519297599792 udp
192.168.56.13 8.8.4.4 53985 53 174.55646085739136 udp
192.168.56.13 8.8.4.4 54879 53 7.807667970657349 udp
192.168.56.13 8.8.4.4 54881 53 7.5416419506073 udp
192.168.56.13 8.8.4.4 55460 53 301.1037390232086 udp
192.168.56.13 8.8.4.4 55551 53 98.85330986976624 udp
192.168.56.13 8.8.4.4 55743 53 171.6037859916687 udp
192.168.56.13 8.8.4.4 56086 53 159.6035578250885 udp
192.168.56.13 8.8.4.4 56174 53 339.60332894325256 udp
192.168.56.13 8.8.4.4 56197 53 87.60331082344055 udp
192.168.56.13 8.8.4.4 56202 53 207.60347890853882 udp
192.168.56.13 8.8.4.4 56770 53 243.6031608581543 udp
192.168.56.13 8.8.4.4 56908 53 183.60310697555542 udp
192.168.56.13 8.8.4.4 57065 53 127.58755087852478 udp
192.168.56.13 8.8.4.4 57310 53 51.60357689857483 udp
192.168.56.13 8.8.4.4 57415 53 51.88450789451599 udp
192.168.56.13 8.8.4.4 57885 53 291.60312390327454 udp
192.168.56.13 8.8.4.4 58070 53 192.80666494369507 udp
192.168.56.13 8.8.4.4 58383 53 351.6031768321991 udp
192.168.56.13 8.8.4.4 58554 53 279.6031608581543 udp
192.168.56.13 8.8.4.4 58697 53 22.947810888290405 udp
192.168.56.13 8.8.4.4 58920 53 63.60358500480652 udp
192.168.56.13 8.8.4.4 59610 53 145.83754301071167 udp
192.168.56.13 8.8.4.4 60389 53 239.77554297447205 udp
192.168.56.13 8.8.4.4 60543 53 113.22837090492249 udp
192.168.56.13 8.8.4.4 60780 53 147.60308480262756 udp
192.168.56.13 8.8.4.4 60910 53 66.24444389343262 udp
192.168.56.13 8.8.4.4 61004 53 99.60337591171265 udp
192.168.56.13 8.8.4.4 61279 53 315.6037948131561 udp
192.168.56.13 8.8.4.4 61800 53 160.19719696044922 udp
192.168.56.13 8.8.4.4 61897 53 207.16630697250366 udp
192.168.56.13 8.8.4.4 62422 53 195.60375690460205 udp
192.168.56.13 8.8.4.4 62491 53 254.13453602790833 udp
192.168.56.13 8.8.4.4 62493 53 39.60331702232361 udp
192.168.56.13 8.8.4.4 62639 53 358.44682598114014 udp
192.168.56.13 8.8.4.4 62729 53 303.60338497161865 udp
192.168.56.13 8.8.4.4 62849 53 37.306658029556274 udp
192.168.56.13 8.8.4.4 62980 53 219.60352683067322 udp
192.168.56.13 8.8.4.4 63240 53 315.4628050327301 udp
192.168.56.13 8.8.4.4 63617 53 327.6036148071289 udp
192.168.56.13 8.8.4.4 64533 53 111.60359191894531 udp
192.168.56.13 8.8.4.4 64642 53 267.60343194007874 udp
192.168.56.13 8.8.4.4 64700 53 231.60310792922974 udp
192.168.56.13 8.8.4.4 64801 53 75.60364985466003 udp
192.168.56.13 8.8.4.4 64886 53 135.6031138896942 udp
192.168.56.13 8.8.8.8 50335 53 343.0727798938751 udp
192.168.56.13 8.8.8.8 50554 53 79.60366797447205 udp
192.168.56.13 8.8.8.8 52284 53 254.6039638519287 udp
192.168.56.13 8.8.8.8 52955 53 285.7441508769989 udp
192.168.56.13 8.8.8.8 53136 53 328.7135000228882 udp
192.168.56.13 8.8.8.8 53518 53 122.60356402397156 udp
192.168.56.13 8.8.8.8 53616 53 267.49436497688293 udp
192.168.56.13 8.8.8.8 53657 53 362.6038258075714 udp
192.168.56.13 8.8.8.8 53825 53 220.52573084831238 udp
192.168.56.13 8.8.8.8 53985 53 173.5572669506073 udp
192.168.56.13 8.8.8.8 54879 53 8.806725025177002 udp
192.168.56.13 8.8.8.8 54881 53 8.54120397567749 udp
192.168.56.13 8.8.8.8 55460 53 300.10362482070923 udp
192.168.56.13 8.8.8.8 55551 53 97.85389280319214 udp
192.168.56.13 8.8.8.8 55743 53 170.6043839454651 udp
192.168.56.13 8.8.8.8 56086 53 158.61121797561646 udp
192.168.56.13 8.8.8.8 56174 53 338.6039788722992 udp
192.168.56.13 8.8.8.8 56197 53 86.6040289402008 udp
192.168.56.13 8.8.8.8 56202 53 206.60348391532898 udp
192.168.56.13 8.8.8.8 56770 53 242.6034939289093 udp
192.168.56.13 8.8.8.8 56908 53 182.60387182235718 udp
192.168.56.13 8.8.8.8 57065 53 126.58816289901733 udp
192.168.56.13 8.8.8.8 57310 53 50.60364580154419 udp
192.168.56.13 8.8.8.8 57415 53 50.88486289978027 udp
192.168.56.13 8.8.8.8 57885 53 290.6037838459015 udp
192.168.56.13 8.8.8.8 58070 53 191.80750393867493 udp
192.168.56.13 8.8.8.8 58383 53 350.604043006897 udp
192.168.56.13 8.8.8.8 58554 53 278.6039879322052 udp
192.168.56.13 8.8.8.8 58697 53 21.947741985321045 udp
192.168.56.13 8.8.8.8 58920 53 62.60340690612793 udp
192.168.56.13 8.8.8.8 59610 53 144.83839583396912 udp
192.168.56.13 8.8.8.8 60389 53 238.7760238647461 udp
192.168.56.13 8.8.8.8 60543 53 112.24019503593445 udp
192.168.56.13 8.8.8.8 60780 53 146.60379600524902 udp
192.168.56.13 8.8.8.8 60910 53 65.24439287185669 udp
192.168.56.13 8.8.8.8 61004 53 98.60380291938782 udp
192.168.56.13 8.8.8.8 61279 53 314.60372591018677 udp
192.168.56.13 8.8.8.8 61800 53 159.19735503196716 udp
192.168.56.13 8.8.8.8 61897 53 206.16645789146423 udp
192.168.56.13 8.8.8.8 62422 53 194.6034460067749 udp
192.168.56.13 8.8.8.8 62491 53 253.13502383232117 udp
192.168.56.13 8.8.8.8 62493 53 38.6055908203125 udp
192.168.56.13 8.8.8.8 62639 53 357.45139503479004 udp
192.168.56.13 8.8.8.8 62729 53 302.6037030220032 udp
192.168.56.13 8.8.8.8 62849 53 36.30720591545105 udp
192.168.56.13 8.8.8.8 62980 53 218.60412883758545 udp
192.168.56.13 8.8.8.8 63240 53 314.46288990974426 udp
192.168.56.13 8.8.8.8 63617 53 326.60397696495056 udp
192.168.56.13 8.8.8.8 64533 53 110.60360884666443 udp
192.168.56.13 8.8.8.8 64642 53 266.60373282432556 udp
192.168.56.13 8.8.8.8 64700 53 230.6035258769989 udp
192.168.56.13 8.8.8.8 64801 53 74.60372996330261 udp
192.168.56.13 8.8.8.8 64886 53 134.60404086112976 udp

Hunting tip: alert on a single host resolving many same-length, random-looking names under one TLD within a short window, on a high NXDOMAIN ratio from one process, and on endpoints sending DNS directly to public resolvers instead of the internal resolver tier. Attribute queries to processes with Sysmon Event ID 22 (DNSEvent) or the Microsoft-Windows-DNS-Client ETW provider.
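The DGA pattern described above can be turned into a resolver-log detector. The following is an added example, not tooling from the report or the sandbox vendor; it assumes a simplified "seconds client qname" record shape and a minimal common-bigram table (both constructed here), and it generalizes beyond this sample by clustering any client's queries by label length and TLD rather than matching the .xyz names themselves.

```python
"""DGA burst detector over DNS query records.

Added example, not the report's tooling. Each registrable label is tested for two
DGA traits (long, and built almost entirely from bigrams that are rare in
natural-language names); the survivors are clustered per client by
(label length, TLD). Only a cluster of several distinct same-shaped names inside
one time window is reported, so a single odd-looking hostname does not page anyone.
"""
import math
from collections import Counter, defaultdict

# Constructed sample in a "seconds client qname" shape (not the sandbox's own
# capture format). The .xyz names are those listed in the report; the two
# 192.168.56.10 lines are invented benign traffic for contrast.
SAMPLE_LOG = """\
7.54  192.168.56.13 www.msftncsi.com
7.81  192.168.56.13 5isohu.com
22.95 192.168.56.13 www.aieov.com
36.31 192.168.56.13 ukukuwgyyqyigueq.xyz
39.60 192.168.56.13 kqqauykcwyuyowms.xyz
50.60 192.168.56.13 ukkuikuueauckcii.xyz
51.88 192.168.56.13 gimmgqiyciskoseu.xyz
62.60 192.168.56.13 awagyiegqqqoyosy.xyz
65.24 192.168.56.13 eesegsmoyqyswiso.xyz
74.60 192.168.56.13 muaousemuweagiys.xyz
75.60 192.168.56.13 imqeyakykmqcysas.xyz
86.60 192.168.56.10 www.example.com
98.60 192.168.56.10 updates.microsoft.com
"""

# Bigrams that dominate English-derived hostnames; DGA output rarely uses them.
# (A small hand-picked table; a production detector would train one from passive DNS.)
COMMON_BIGRAMS = set(
    "th he in er an re on at en nd ti es or te of ed is it al ar st to nt ng se "
    "ha as ou io le ve co me de hi ri ro ic ne ea ra ce li ch ll be ma si om ur".split()
)


def shannon_entropy(s: str) -> float:
    """Bits per character; reported for analyst context, not used as a gate."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str) -> tuple[str, str]:
    """(registrable label, TLD). Assumption: no public-suffix list, so
    'example.co.uk'-style names would be split wrongly; fine for this demo."""
    parts = qname.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def unusual_bigram_ratio(label: str) -> float:
    """Fraction of the label's bigrams that are absent from COMMON_BIGRAMS."""
    bigrams = [label[i:i + 2] for i in range(len(label) - 1)]
    if not bigrams:
        return 0.0
    return sum(b not in COMMON_BIGRAMS for b in bigrams) / len(bigrams)


def is_dga_like(label: str, min_len: int = 12, min_unusual: float = 0.75) -> bool:
    """Long label made almost entirely of rare bigrams."""
    return len(label) >= min_len and unusual_bigram_ratio(label) >= min_unusual


def parse_log(text: str):
    """Yield (seconds, client, qname) from the constructed record shape."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            t, client, qname = line.split()
            yield float(t), client, qname


def find_dga_bursts(records, min_cluster: int = 5, window: float = 300.0) -> dict:
    """Return {(client, label_len, tld): sorted names} for every client that queried
    at least min_cluster distinct DGA-like names of one shape within window seconds."""
    clusters = defaultdict(list)
    for t, client, qname in records:
        label, tld = split_name(qname)
        if is_dga_like(label):
            clusters[(client, len(label), tld)].append((t, qname))
    bursts = {}
    for key, hits in clusters.items():
        names = sorted({q for _, q in hits})
        times = [t for t, _ in hits]
        if len(names) >= min_cluster and max(times) - min(times) <= window:
            bursts[key] = names
    return bursts


if __name__ == "__main__":
    for (client, length, tld), names in find_dga_bursts(parse_log(SAMPLE_LOG)).items():
        mean_h = sum(shannon_entropy(split_name(n)[0]) for n in names) / len(names)
        print(f"{client}: {len(names)} distinct {length}-char .{tld} names, mean entropy {mean_h:.2f}")
        for n in names:
            print("   ", n)
```

The gate is deliberately the cluster, not the single name: msftncsi and aieov both look "random" in isolation, but they are short and alone, while the sample's names share one length and one TLD and arrive in a burst. Tune min_cluster and window to your resolver's query volume, and feed the detector per-client records so one chatty host cannot hide inside aggregate traffic.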

Persistence & Policy — Registry and Services

Registry and service telemetry shows environment reconnaissance and a small data stash rather than noisy persistence: 140 keys opened, 6 values set, no services started or opened. Most of the opened keys are the SystemCertificates and EnterpriseCertificates stores, which the CryptoAPI/WinTrust stack walks whenever a process verifies a signature or builds a certificate chain; they are expected, not malicious. The informative entries are the rest: the Embarcadero, Borland and CodeGear Locales keys (the Delphi runtime's resource-DLL lookup, so the dropper is Delphi-compiled), the Mozilla Firefox keys (browser-data discovery), the PowerShell engine, ScriptBlockLogging policy and __PSLockdownPolicy keys (read by powershell.exe at startup, consistent with the hidden-window PowerShell child in the ATT&CK mapping), and a 24-byte binary value written to HKLM\Software\Classes\gs1097390340r.fdh, an invented class name used as a configuration or marker stash. Writing under HKLM\Software\Classes needs administrative rights, so the sample ran elevated in the sandbox. The full lists follow.

Registry Opened

140

Registry Set

6

Services Started

0

Services Opened

0

Registry Opened (140 total)

Key
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Classes\gs1097390340r.fdh
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\CRLs
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Volatile-KeyRoam-EXCLUSIVE
HKEY_CURRENT_USER\Volatile Environment
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy
HKEY_LOCAL_MACHINE\Software\Embarcadero\Locales
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase
HKEY_CURRENT_USER\Volatile Environment\LOGONSERVER
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache\Timestamp
HKEY_CURRENT_USER\Software\Borland\Locales
HKEY_CLASSES_ROOT\gs1097390340r.fdh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_LOCAL_MACHINE\Software\CodeGear\Locales
HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML
HKEY_CURRENT_USER\Software\Embarcadero\Locales
HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
HKEY_CURRENT_USER\Software\3.6.1.9 3.6.1.9
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_CURRENT_USER\Software\CodeGear\Locales
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

Registry Set (6 total)

Key Value (blank where the telemetry recorded no value)
HKEY_LOCAL_MACHINE\Software\Classes\gs1097390340r.fdh \xe9\x7d\x78\xd8\x3f\xbd\x08\xe7\x6c\xd8\x40\x07\xb0\x0a\x1d\x10\xe5\x36\xff\xfe\xc2\x82\x60\x9d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect 0x00000000
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\3e\52C64B7E\@%WINDIR%\system32\mlang.dll,-4386 English (United States)
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Cryptography\CertificateTemplateCache
HKEY_CLASSES_ROOT\gs1097390340r.fdh

The first entry is the only write of substance: a 24-byte opaque blob under a class name that no legitimate software registers (HKEY_CLASSES_ROOT\gs1097390340r.fdh is the same key seen through the merged HKCR view). The ZoneMap and MuiCache writes are side effects of WinINet and MUI initialization.

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first-run, unsigned binaries by default with application control or EDR isolation on first sight. 18 of 72 engines still missed this sample, so prevention cannot wait for signatures.
  • EDR controls: alert on RWX memory allocation followed by execution from that page, on scheduled-task creation by a freshly written binary, on PowerShell launched with a hidden window, and on Add-MpPreference / Set-MpPreference or any write under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions (Defender records configuration changes itself as event ID 5007 in its operational log).
  • Registry watch: flag value writes under HKLM\Software\Classes from processes that are not installers, and any change under the Windows Defender Exclusions and Policies\Microsoft\Windows Defender keys.
  • Network rules: force endpoint DNS through the internal resolver tier and block direct 53/udp egress to public resolvers; apply DGA heuristics at the resolver (many same-length random names, one TLD, high NXDOMAIN ratio); sinkhole the two .xyz names that resolved.
  • Hunt broadly: sweep endpoints for the hashes, the gs1097390340r.fdh class key, the DNS names above, and scheduled tasks created in the exposure window; quarantine positives immediately.
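The Defender-tampering controls in the playbook can be checked against process-creation and Defender event logs with the following detector. It is an added example, not tooling from the report; the cmdlet parameter names are Microsoft's real Add-MpPreference/Set-MpPreference parameters, the event 5007 message layout is the one Defender's operational log normally shows, and every sample record below is constructed for the demo rather than taken from the sandbox run.

```python
"""Detection for Windows Defender tampering through PowerShell.

Added example, not the report's tooling. Two record kinds are scored:
  - process-creation command lines invoking Add-MpPreference / Set-MpPreference
    with exclusion or protection-disabling parameters, resolving PowerShell's
    parameter-prefix abbreviation the way its parser does (-ExclusionPa is
    -ExclusionPath), with a hidden window (-w hidden) noted as an aggravator;
  - Defender operational-log event 5007 (configuration changed) whose new value
    lands under one of the Exclusions subkeys.
Sample records are constructed, not taken from the sandbox run.
"""
import re

# Real Defender cmdlet parameters that matter for tampering.
EXCLUSION_PARAMS = ["ExclusionPath", "ExclusionProcess", "ExclusionExtension", "ExclusionIpAddress"]
DISABLE_PARAMS = ["DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
                  "DisableIOAVProtection", "DisableScriptScanning"]
TRUE_VALUES = {"$true", "1", "true"}

CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
# "-Name value" tokens; the lookbehind keeps the hyphen inside Add-MpPreference from matching.
TOKEN_RE = re.compile(r"(?<![\w-])-([A-Za-z]{4,})(?:\s+([^\s\"']+))?")
HIDDEN_RE = re.compile(r"-w\w*\s+hidden\b", re.I)
EVENT_5007_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(Paths|Processes|Extensions|IpAddresses)\\(.+?)\s*=\s*0x0", re.I)

# Constructed sample records: (kind, text). Event 3 restores protection and
# event 4 only reads preferences; neither should alert.
SAMPLE_EVENTS = [
    ("ProcessCreate", r'powershell.exe -w hidden -nop -c "Add-MpPreference -ExclusionPa C:\Users\Public\Libraries"'),
    ("ProcessCreate", r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("ProcessCreate", r'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $false"'),
    ("ProcessCreate", r'powershell.exe -c "Get-MpPreference | Select-Object ExclusionPath"'),
    ("Defender5007", r"Windows Defender Antivirus Configuration has changed. Old value:  "
                     r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Libraries = 0x0"),
]


def expand_prefix(token, candidates):
    """Every candidate the token abbreviates. PowerShell accepts any unambiguous
    prefix; for detection we keep all matches instead of rejecting ambiguity."""
    return [c for c in candidates if c.lower().startswith(token.lower())]


def classify_cmdline(cmdline):
    """Alert dict for a tampering command line, else None."""
    if not CMDLET_RE.search(cmdline):
        return None
    exclusions, disabled = set(), set()
    for token, value in TOKEN_RE.findall(cmdline):
        exclusions.update(expand_prefix(token, EXCLUSION_PARAMS))
        if value.lower() in TRUE_VALUES:  # -DisableX $false is a restore, not tampering
            disabled.update(expand_prefix(token, DISABLE_PARAMS))
    if not exclusions and not disabled:
        return None
    return {"source": "cmdline", "exclusions": sorted(exclusions),
            "disabled": sorted(disabled), "hidden_window": bool(HIDDEN_RE.search(cmdline))}


def classify_5007(message):
    """Alert dict when a 5007 event adds an exclusion, else None."""
    m = EVENT_5007_RE.search(message)
    if not m:
        return None
    return {"source": "event5007", "exclusion_type": m.group(1), "target": m.group(2)}


def analyze(events):
    """Run both classifiers over (kind, text) records and collect the alerts."""
    alerts = []
    for kind, text in events:
        if kind == "ProcessCreate":
            alert = classify_cmdline(text)
        elif kind == "Defender5007":
            alert = classify_5007(text)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

Command-line matching alone misses exclusions added through WMI or the Defender COM interface, which is why the 5007 event is the second leg: it fires regardless of how the change was made. On a suspect host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath lists the exclusions currently in force.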

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
