LockBit Variant Surfaces With Full Ransom Note Infrastructure and Stealthy Spread Behavior


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-20 08:29:03 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
w84cw.exe
Type
Microsoft Visual C++ compiled executable (generic)
SHA‑1
50f8757032f5a3b01a7f41c82ddba815a8333f76
MD5
82fe6b6fbb197ebc6e00893e71ca146a
First Seen
2025-11-14 19:25:10.373100
Last Analysis
2025-11-15 20:48:15.195755
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish an initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC) Event Elapsed
2025-10-26 00:11:53 UTC First VirusTotal submission
2025-11-19 12:44:21 UTC Latest analysis snapshot 24 days, 12 hours, 32 minutes
2025-11-20 08:29:03 UTC Report generation time 25 days, 8 hours, 17 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 63. Missed: 10. Coverage: 86.3%.

Detected Vendors

  • Xcitium
  • +62 additional vendors (names not provided)

List includes Xcitium plus an additional 62 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • google_safebrowsing
  • SUPERAntiSpyware
  • TACHYON
  • Webroot
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (47.84% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 154339 47.84%
Synchronization 148408 46.00%
Registry 8302 2.57%
System 8143 2.52%
Misc 1090 0.34%
Process 871 0.27%
Com 596 0.18%
Threading 407 0.13%
Device 311 0.10%
Services 80 0.02%
Crypto 16 0.00%
Windows 13 0.00%
Hooking 12 0.00%
Network 7 0.00%

MITRE ATT&CK Mapping

  • T1007 – enumerate services
  • T1134 – modify access privileges
  • T1614.001 – identify system language via API
  • T1027 – reference AES constants
  • T1129 – parse PE header
  • T1012 – query or enumerate registry value
  • T1222 – set file attributes
  • T1083 – enumerate files recursively
  • T1082 – enumerate disk volumes
  • T1083 – get common file path
  • T1135 – enumerate network shares
  • T1083 – check if file exists
  • T1083 – get file size
  • T1057 – get process heap flags
  • T1027 – encrypt data using AES
  • T1027 – encode data using XOR
  • T1129 – link function at runtime on Windows
  • T1082 – get disk information
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1057 – get process heap force flags
  • T1083 – enumerate files on Windows
  • T1059 – accept command line arguments
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1564.003 – hide graphical window
  • T1016 – get socket status
  • T1027 – encrypt data using AES via x86 extensions
  • T1082 – get disk size
  • T1129 – access PEB ldr_data
  • T1082 – get system information on Windows
  • T1129 – link many functions at runtime
  • T1033 – get token membership
  • T1016 – get local IPv4 addresses
  • T1112 – delete registry value
  • T1543.003 – stop service
  • T1489 – stop service
  • T1129 – get kernel32 base address
  • T1007 – query service status
  • T1027.005 – contain obfuscated stackstrings
  • T1543 – Attempts to stop active services
  • T1547 – Installs itself for autorun at Windows startup
  • T1543.003 – Attempts to stop active services
  • T1547.001 – Installs itself for autorun at Windows startup
  • T1539 – Touches a file containing cookies, possibly for information gathering
  • T1202 – Uses suspicious command line tools or Windows utilities
  • T1202 – Uses Windows utilities for basic functionality
  • T1562 – Attempts to stop active services
  • T1112 – Installs itself for autorun at Windows startup
  • T1070 – Clears Windows events or logs
  • T1562.001 – Attempts to stop active services
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1489 – Attempts to stop active services
  • T1486 – Appends a known LockBit ransomware file extension to files that have been encrypted
  • T1486 – Exhibits possible ransomware or wiper file modification behavior: mass_file_deletion overwrites_existing_files
  • T1486 – Creates a known LockBit ransomware decryption instruction / key file.
  • T1485 – Clears Windows events or logs
  • T1490 – Modifies boot configuration settings
  • T1082 – Checks available memory
  • T1057 – Expresses interest in specific running processes
  • T1057 – Enumerates running processes
  • T1071 – Dynamic (imported) function loading detected
  • T1071 – Attempts to connect to a dead IP:Port
  • T1071 – The PE file contains an overlay
  • T1071 – Likely virus infection of existing binary
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – Binary file triggered multiple YARA rules
  • T1059 – Modifies boot configuration settings
  • T1074 – Manipulates data from or to the Recycle Bin
  • T1091 – Checks for available system drives (often done to infect USB drives)
  • T1547.001 – Creates an autostart registry key pointing to binary in C:\Windows
  • T1547.001 – Creates an autostart registry key
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1070.004 – May delete shadow drive data (may be related to ransomware)
  • T1135 – Connects to many different private IPs via SMB (likely to spread or exploit)
  • T1057 – Queries a list of all running processes
  • T1120 – Checks for available system drives (often done to infect USB drives)
  • T1120 – Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
  • T1083 – Reads ini files
  • T1083 – Writes ini files
  • T1082 – Checks the free space of harddrives
  • T1080 – Spreads via windows shares (copies executable files to share folders)
  • T1090 – Found Tor onion address
  • T1486 – Modifies user documents (likely ransomware behavior)
  • T1486 – Writes a notice file (html or txt) to demand a ransom
  • T1490 – Uses bcdedit to modify the Windows boot settings

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
5355 4 udp
53 48 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. The counts below summarize the registry keys and service handles the sample touched.

Registry Opened

347

Registry Set

27

Services Started

5

Services Opened

46

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKEY_CURRENT_USER_Classes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\P9NP\NetworkProvider
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3AD05575-8857-4850-9277-11B85BDB8E09}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{374DE290-123F-4565-9164-39C4925E467B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InprocServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace_36354489\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-500600000000}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\control\NetworkProvider\HwOrder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-90d022000000}\
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\32\52C64B7E
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{04271989-C4D2-E17A-CDE5-083CDEAE7ADE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\ShellFolder
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{374DE290-123F-4565-9164-39C4925E467B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{89D83576-6BD1-4c86-9454-BEB04E94C819}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace_36354489\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{1CF1260C-4DD0-4EBB-811F-33C572699FDE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F8278C54-A712-415B-B593-B77A2BE0DDA9}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{59031a47-3f72-44a7-89c5-5595fe6b30ee}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{64693913-1C21-4F30-A98F-4E52906D3B56}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A0953C92-50DC-43BF-BE83-3742FED03C9C}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace_36354489\{A0953C92-50DC-43bf-BE83-3742FED03C9C}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\file.exe
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{B7534046-3ECB-4C18-BE4E-64CD4CB7D6AC}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D105A4D4-344C-48EB-9866-EE378D90658B}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\NULL
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e345f35f-9397-435c-8f95-4e922c26259e}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{EDC978D6-4D53-4b2f-A265-5805674BE568}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A00EE528-EBD9-48B8-944A-8942113D46AC}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\NULL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\NetworkProvider
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{1CF1260C-4DD0-4EBB-811F-33C572699FDE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{f8278c54-a712-415b-b593-b77a2be0dda9}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{E345F35F-9397-435C-8F95-4E922C26259E}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A0953C92-50DC-43BF-BE83-3742FED03C9C}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace\DelegateFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\vssadmin.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{04271989-C4D2-E17A-CDE5-083CDEAE7ADE}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{89D83576-6BD1-4c86-9454-BEB04E94C819}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\RDPNP\NetworkProvider
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{E345F35F-9397-435C-8F95-4E922C26259E}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{daf95313-e44d-46af-be1b-cbacea2c3065}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace_41040327\NULL
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}
HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{04271989-C4D2-E17A-CDE5-083CDEAE7ADE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace_36354489\DelegateFolders\{3936E9E4-D92C-4EEE-A85A-BC16D5EA0819}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{daf95313-e44d-46af-be1b-cbacea2c3065}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace_41040327\{e88865ea-0e1c-4e20-9aa6-edcd0212c87c}
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{3AD05575-8857-4850-9277-11B85BDB8E09}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{EDC978D6-4D53-4b2f-A265-5805674BE568}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{04271989-C4D2-E17A-CDE5-083CDEAE7ADE}\ShellFolder

Registry Set (Top 25)

Key Value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Circular Kernel Context Logger\Status 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Enter) 48 00 00 00 00 00 00 00 20 40 BA B2 0B 6D DB 01 00 00 00 00 00 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Leave) 48 00 00 00 00 00 00 00 C0 E9 CA B2 0B 6D DB 01 00 00 00 00 00 00 00 00 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Enter) 48 00 00 00 00 00 00 00 40 7A E7 B2 0B 6D DB 01 00 00 00 00 00 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Leave) 48 00 00 00 00 00 00 00 40 7A E7 B2 0B 6D DB 01 00 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\Public
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\full
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count 226
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time E9 07 01 00 03 00 16 00 14 00 1A 00 0C 00 60 03
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type 3
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 “c”
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked 1
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\16000009\Element
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\250000e0\Element
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 “C”
HKEY_CURRENT_USER\SOFTWARE\LockBit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-90d022000000}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 “C”
HKEY_CURRENT_USER\Software\LockBit\full 06 85 2A CA F3 62 82 A2 3B DB 46 6D 66 A6 55 8E 48 09 86 4B EA 54 D6 42 7A 41 33 6E 8E D2 CF 13 A5 0
HKEY_CURRENT_USER\Software\LockBit\Public E2 92 79 5E 3A 2B 26 A9 CA F8 62 3D FF AA B9 04 E0 D4 26 75 B6 63 03 D8 C4 43 2A 51 AB F0 C8 19 F8 C
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-90d022000000}\MaxCapacity 13491
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-90d022000000}\NukeOnDelete 0

Services Started (Top 15)

Service
VSS
swprv
wbengine
vds
WSearch

Services Opened (Top 15)

Service
QBFCService
QBVSS
LanmanWorkstation
wbengine
VaultSvc
wrapper
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
Sqlservr
sqlagent
sqladhlp
Culserver
RTVscan
sqlbrowser
SQLADHLP
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
