LockBit Executes Shadow-Copy Wipe, BCDEdit Tampering, and Network Enumeration


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-20 08:34:00 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
h6wi71c.exe
Type
Microsoft Visual C++ compiled executable (generic)
SHA‑1
4789f713e0651657241ba9e733d138fe7960b130
MD5
13419f9482bbb57dd0499746a2fd980a
First Seen
2025-11-14 19:58:16.944915
Last Analysis
2025-11-15 20:48:14.735343
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish an initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC) Event Elapsed
2025-10-27 21:46:40 UTC First VirusTotal submission
2025-11-19 12:44:04 UTC Latest analysis snapshot 22 days, 14 hours, 57 minutes
2025-11-20 08:34:00 UTC Report generation time 23 days, 10 hours, 47 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 71. Detected as malicious: 60. Missed: 11. Coverage: 84.5%.

Detected Vendors

  • Xcitium
  • +59 additional vendors (names not provided)

List includes Xcitium plus an additional 59 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • google_safebrowsing
  • MaxSecure
  • SUPERAntiSpyware
  • TACHYON
  • Yandex
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (47.37% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 184282 47.37%
Synchronization 171057 43.97%
System 17223 4.43%
Registry 8893 2.29%
Process 3166 0.81%
Network 2537 0.65%
Threading 701 0.18%
Com 578 0.15%
Device 327 0.08%
Misc 159 0.04%
Services 74 0.02%
Hooking 14 0.00%
Windows 10 0.00%
Crypto 4 0.00%

MITRE ATT&CK Mapping

  • T1543.003 – stop service
  • T1489 – stop service
  • T1129 – link many functions at runtime
  • T1083 – get common file path
  • T1016 – get local IPv4 addresses
  • T1007 – enumerate services
  • T1564.003 – hide graphical window
  • T1082 – get disk information
  • T1012 – query or enumerate registry value
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1112 – delete registry value
  • T1007 – query service status
  • T1082 – get system information on Windows
  • T1083 – enumerate files recursively
  • T1082 – get disk size
  • T1129 – link function at runtime on Windows
  • T1614.001 – identify system language via API
  • T1027 – encode data using XOR
  • T1083 – get file size
  • T1016 – get socket status
  • T1059 – accept command line arguments
  • T1027.005 – contain obfuscated stackstrings
  • T1033 – get token membership
  • T1135 – enumerate network shares
  • T1083 – check if file exists
  • T1134 – modify access privileges
  • T1129 – parse PE header
  • T1027 – reference AES constants
  • T1082 – enumerate disk volumes
  • T1027 – encrypt data using AES via x86 extensions
  • T1027 – encrypt data using AES
  • T1083 – enumerate files on Windows
  • T1222 – set file attributes
  • T1539 – Touches a file containing cookies, possibly for information gathering
  • T1547 – Installs itself for autorun at Windows startup
  • T1547.001 – Installs itself for autorun at Windows startup
  • T1202 – Uses suspicious command line tools or Windows utilities
  • T1202 – Uses Windows utilities for basic functionality
  • T1055 – Writes to the memory of another process
  • T1112 – Installs itself for autorun at Windows startup
  • T1070 – Clears Windows events or logs
  • T1027 – The binary likely contains encrypted or compressed data
  • T1027.002 – The binary likely contains encrypted or compressed data
  • T1082 – Checks available memory
  • T1057 – Expresses interest in specific running processes
  • T1057 – Enumerates running processes
  • T1071 – The PE file contains an overlay
  • T1071 – Dynamic (imported) function loading detected
  • T1071 – Binary file triggered multiple YARA rules
  • T1071 – Attempts to connect to a dead IP:Port
  • T1071 – Likely virus infection of existing binary
  • T1059 – Modifies boot configuration settings
  • T1074 – Manipulates data from or to the Recycle Bin
  • T1486 – Exhibits possible ransomware or wiper file modification behavior: mass_file_deletion overwrites_existing_files
  • T1486 – Appends a known LockBit ransomware file extension to files that have been encrypted
  • T1486 – Creates a known LockBit ransomware decryption instruction / key file.
  • T1485 – Clears Windows events or logs
  • T1490 – Modifies boot configuration settings
  • T1045 – Manalize Local SandBox Packer Harvesting
  • T1083 – Manalize Local SandBox Find Crypto
  • T1129 – Manalize Local SandBox Find Crypto
  • T1027 – Manalize Local SandBox Find Crypto
  • T1564.003 – Manalize Local SandBox Find Crypto
  • T1083 – Manalize Local SandBox Strings
  • T1129 – Manalize Local SandBox Strings
  • T1027 – Manalize Local SandBox Strings
  • T1564.003 – Manalize Local SandBox Strings
  • T1083 – The binary presents some anomalies in its PE header and/or PE sections.
  • T1129 – The binary presents some anomalies in its PE header and/or PE sections.
  • T1027 – The binary presents some anomalies in its PE header and/or PE sections.
  • T1564.003 – The binary presents some anomalies in its PE header and/or PE sections.
  • T1059 – Apparent Internal Usage of CMD.EXE
  • T1091 – Checks for available system drives (often done to infect USB drives)
  • T1547.001 – Creates an autostart registry key pointing to binary in C:\Windows
  • T1547.001 – Creates an autostart registry key
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1070.004 – May delete shadow drive data (may be related to ransomware)
  • T1135 – Connects to many different private IPs via SMB (likely to spread or exploit)
  • T1057 – Queries a list of all running processes
  • T1120 – Checks for available system drives (often done to infect USB drives)
  • T1120 – Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
  • T1083 – Writes ini files
  • T1083 – Enumerates the file system
  • T1083 – Reads ini files
  • T1082 – Checks the free space of harddrives
  • T1080 – Spreads via windows shares (copies executable files to share folders)
  • T1090 – Found Tor onion address
  • T1486 – Modifies user documents (likely ransomware behavior)
  • T1486 – Writes a notice file (html or txt) to demand a ransom
  • T1490 – Uses bcdedit to modify the Windows boot settings

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
101.56.168.192.in-addr.arpa PTR
12.56.168.192.in-addr.arpa PTR
11.56.168.192.in-addr.arpa PTR
7.56.168.192.in-addr.arpa PTR
www.aieov.com A
13.56.168.192.in-addr.arpa PTR

Contacted IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 2 udp
5355 22 udp
53 58 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.14 192.168.56.12 137 137 33.36192607879639 udp
192.168.56.14 192.168.56.255 137 137 3.0804290771484375 udp
192.168.56.14 224.0.0.252 50180 5355 33.14117908477783 udp
192.168.56.14 224.0.0.252 50870 5355 40.29818606376648 udp
192.168.56.14 224.0.0.252 50914 5355 37.45395302772522 udp
192.168.56.14 224.0.0.252 51209 5355 3.025973081588745 udp
192.168.56.14 224.0.0.252 51262 5355 40.203872203826904 udp
192.168.56.14 224.0.0.252 51614 5355 46.325380086898804 udp
192.168.56.14 224.0.0.252 52556 5355 43.646093130111694 udp
192.168.56.14 224.0.0.252 53401 5355 4.1479651927948 udp
192.168.56.14 224.0.0.252 53449 5355 43.59388208389282 udp
192.168.56.14 224.0.0.252 54683 5355 36.391133069992065 udp
192.168.56.14 224.0.0.252 55094 5355 5.60050106048584 udp
192.168.56.14 224.0.0.252 55827 5355 37.45405721664429 udp
192.168.56.14 224.0.0.252 55848 5355 3.0305261611938477 udp
192.168.56.14 224.0.0.252 55914 5355 33.047298192977905 udp
192.168.56.14 224.0.0.252 56399 5355 33.89125609397888 udp
192.168.56.14 224.0.0.252 57742 5355 43.64163613319397 udp
192.168.56.14 224.0.0.252 59068 5355 40.93904113769531 udp
192.168.56.14 224.0.0.252 60713 5355 37.892383098602295 udp
192.168.56.14 224.0.0.252 62022 5355 33.23507809638977 udp
192.168.56.14 224.0.0.252 62548 5355 37.36027407646179 udp
192.168.56.14 224.0.0.252 62800 5355 40.09446907043457 udp
192.168.56.14 224.0.0.252 64753 5355 32.9538140296936 udp
192.168.56.14 8.8.4.4 49916 53 32.59404921531677 udp
192.168.56.14 8.8.4.4 50582 53 251.31368708610535 udp
192.168.56.14 8.8.4.4 50710 53 22.234803199768066 udp
192.168.56.14 8.8.4.4 52116 53 165.04689121246338 udp
192.168.56.14 8.8.4.4 52815 53 7.6424171924591064 udp
192.168.56.14 8.8.4.4 53837 53 341.31329011917114 udp
192.168.56.14 8.8.4.4 54017 53 204.34410309791565 udp
192.168.56.14 8.8.4.4 54455 53 370.0626151561737 udp
192.168.56.14 8.8.4.4 54579 53 22.14066219329834 udp
192.168.56.14 8.8.4.4 56172 53 327.0626711845398 udp
192.168.56.14 8.8.4.4 56716 53 150.10994815826416 udp
192.168.56.14 8.8.4.4 56763 53 298.31298208236694 udp
192.168.56.14 8.8.4.4 56864 53 81.81323313713074 udp
192.168.56.14 8.8.4.4 57355 53 233.06245613098145 udp
192.168.56.14 8.8.4.4 59212 53 100.93822813034058 udp
192.168.56.14 8.8.4.4 60117 53 23.23498010635376 udp
192.168.56.14 8.8.4.4 61083 53 179.51625204086304 udp
192.168.56.14 8.8.4.4 61713 53 265.70396304130554 udp
192.168.56.14 8.8.4.4 62055 53 218.70380401611328 udp
192.168.56.14 8.8.4.4 62112 53 22.04752802848816 udp
192.168.56.14 8.8.4.4 62997 53 131.31272506713867 udp
192.168.56.14 8.8.4.4 63205 53 37.76568913459778 udp
192.168.56.14 8.8.4.4 63429 53 355.70338916778564 udp
192.168.56.14 8.8.4.4 63906 53 312.7031919956207 udp
192.168.56.14 8.8.4.4 64452 53 52.73654913902283 udp
192.168.56.14 8.8.4.4 64950 53 280.0627861022949 udp
192.168.56.14 8.8.4.4 65148 53 21.953327178955078 udp
192.168.56.14 8.8.4.4 65271 53 116.03169012069702 udp
192.168.56.14 8.8.4.4 65283 53 67.20322799682617 udp
192.168.56.14 8.8.8.8 49916 53 31.595380067825317 udp
192.168.56.14 8.8.8.8 50582 53 250.3132131099701 udp
192.168.56.14 8.8.8.8 50710 53 21.235122203826904 udp
192.168.56.14 8.8.8.8 52116 53 164.0473780632019 udp
192.168.56.14 8.8.8.8 52815 53 8.64126706123352 udp
192.168.56.14 8.8.8.8 53837 53 340.3141360282898 udp
192.168.56.14 8.8.8.8 54017 53 203.3085160255432 udp
192.168.56.14 8.8.8.8 54455 53 369.06347918510437 udp
192.168.56.14 8.8.8.8 54579 53 21.14110016822815 udp
192.168.56.14 8.8.8.8 56172 53 326.06340408325195 udp
192.168.56.14 8.8.8.8 56716 53 149.11816716194153 udp
192.168.56.14 8.8.8.8 56763 53 297.31354212760925 udp
192.168.56.14 8.8.8.8 56864 53 80.8136579990387 udp
192.168.56.14 8.8.8.8 57355 53 232.0633590221405 udp
192.168.56.14 8.8.8.8 59212 53 99.93813920021057 udp
192.168.56.14 8.8.8.8 60117 53 22.235313177108765 udp
192.168.56.14 8.8.8.8 61083 53 178.51675701141357 udp
192.168.56.14 8.8.8.8 61713 53 264.70362305641174 udp
192.168.56.14 8.8.8.8 62055 53 217.70433902740479 udp
192.168.56.14 8.8.8.8 62112 53 21.047039031982422 udp
192.168.56.14 8.8.8.8 62997 53 130.3132610321045 udp
192.168.56.14 8.8.8.8 63205 53 36.766993045806885 udp
192.168.56.14 8.8.8.8 63429 53 354.70355701446533 udp
192.168.56.14 8.8.8.8 63906 53 311.70417308807373 udp
192.168.56.14 8.8.8.8 64452 53 51.73473811149597 udp
192.168.56.14 8.8.8.8 64950 53 279.06331419944763 udp
192.168.56.14 8.8.8.8 65148 53 20.95340609550476 udp
192.168.56.14 8.8.8.8 65271 53 115.03578519821167 udp
192.168.56.14 8.8.8.8 65283 53 66.21349310874939 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles, followed by the fuller lists where available.

Registry Opened

330

Registry Set

27

Services Started

7

Services Opened

47

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\StorageDelegateSuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\file.exe
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_CURRENT_USER\Software\Classes\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_CURRENT_USER\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder\FolderValueFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\Attributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\Software\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\FolderValueFlags
HKEY_CURRENT_USER\Software\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{26EE0668-A00A-44D7-9371-BEB064C98683}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{208D2C60-3AEA-1069-A2D7-08002B30309D}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\StorageDelegate
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_CURRENT_USER\Software\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\Attributes
HKEY_CURRENT_USER\SOFTWARE\LockBit
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{645FF040-5081-101B-9F08-00AA002F954E}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_CURRENT_USER\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\SOFTWARE\LockBit\full
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER\SOFTWARE\LockBit\Public
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder\Attributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected – It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\FirstRunComplete
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected – It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{e345f35f-9397-435c-8f95-4e922c26259e}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{374DE290-123F-4565-9164-39C4925E467B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{59031a47-3f72-44a7-89c5-5595fe6b30ee}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{f874310e-b6b7-47dc-bc84-b9e6b38f5903}\ShellFolder
HKEY_CURRENT_USER_Classes\Directory\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\NULL
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{9343812e-1c37-4a49-a12e-4b2d810d956b}\ShellFolder
HKEY_CURRENT_USER_Classes\Folder\Clsid
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A0953C92-50DC-43bf-BE83-3742FED03C9C}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A0953C92-50DC-43BF-BE83-3742FED03C9C}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F874310E-B6B7-47DC-BC84-B9E6B38F5903}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F874310E-B6B7-47DC-BC84-B9E6B38F5903}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-90d022000000}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{89D83576-6BD1-4c86-9454-BEB04E94C819}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vssadmin.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{EDC978D6-4D53-4B2F-A265-5805674BE568}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\vssadmin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\LocalServer32
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{64693913-1c21-4f30-a98f-4e52906d3b56}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{E88865EA-0E1C-4E20-9AA6-EDCD0212C87C}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-500600000000}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{E345F35F-9397-435C-8F95-4E922C26259E}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InprocHandler32
HKEY_CURRENT_USER_Classes\Folder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A00EE528-EBD9-48B8-944A-8942113D46AC}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{3ADD1653-EB32-4cb0-BBD7-DFA0ABB5ACCA}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\TreatAs
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{BD7A2E7B-21CB-41b2-A086-B309680C6B7E}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{5B934B42-522B-4C34-BBFE-37A3EF7B9C90}\ShellFolder
HKEY_CURRENT_USER_Classes\Directory
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\LocalServer
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{4336a54d-038b-4685-ab02-99bb52d3fb8b}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder
HKEY_CURRENT_USER_Classes\Directory\BrowseInPlace
HKEY_CURRENT_USER_Classes\Directory\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\NULL
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{018D5C66-4533-4307-9B53-224DE2ED1FE6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_CURRENT_USER_Classes\Folder\BrowseInPlace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{daf95313-e44d-46af-be1b-cbacea2c3065}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{5B934B42-522B-4C34-BBFE-37A3EF7B9C90}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{1CF1260C-4DD0-4EBB-811F-33C572699FDE}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{11016101-E366-4D22-BC06-4ADA335C892B}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{9343812e-1c37-4a49-a12e-4b2d810d956b}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA9F41D4-1A5D-41D0-A614-6DFD78DF5D05}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InprocHandler
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{EDC978D6-4D53-4B2F-A265-5805674BE568}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{E88865EA-0E1C-4E20-9AA6-EDCD0212C87C}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{89D83576-6BD1-4c86-9454-BEB04E94C819}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{EDC978D6-4D53-4b2f-A265-5805674BE568}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{1CF1260C-4DD0-4EBB-811F-33C572699FDE}\ShellFolder
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{64693913-1C21-4F30-A98F-4E52906D3B56}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\LocalServer
HKEY_CURRENT_USER_Classes\Folder\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{04731B67-D933-450A-90E6-4ACD2E9408FE}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\MyComputer\RemovableDrives
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\file.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{E345F35F-9397-435C-8F95-4E922C26259E}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{9343812E-1C37-4A49-A12E-4B2D810D956B}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\Elevation
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A0953C92-50DC-43BF-BE83-3742FED03C9C}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\NULL
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\MyComputer\RemovableDrives\DelegateFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{031E4825-7B94-4dc3-B131-E946B44C8DD5}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{26EE0668-A00A-44D7-9371-BEB064C98683}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{04731B67-D933-450a-90E6-4ACD2E9408FE}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{04271989-C4D2-E17A-CDE5-083CDEAE7ADE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_CURRENT_USER_Classes\Directory\DocObject
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NULL
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{64693913-1c21-4f30-a98f-4e52906d3b56}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{a00ee528-ebd9-48b8-944a-8942113d46ac}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{04731B67-D933-450a-90E6-4ACD2E9408FE}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{DAF95313-E44D-46AF-BE1B-CBACEA2C3065}\ShellFolder
HKEY_CURRENT_USER_Classes\Folder\DocObject
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{1CF1260C-4DD0-4ebb-811F-33C572699FDE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{A8CDFF1C-4878-43BE-B5FD-F8091C1C60D0}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\Instance
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\Instance\InitPropertyBag
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44B4-BED9-DE0991FF0623}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\Instance\InitPropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DA9F41D4-1A5D-41D0-A614-6DFD78DF5D05}\ProxyStubClsid32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{A00EE528-EBD9-48B8-944A-8942113D46AC}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{4336A54D-038B-4685-AB02-99BB52D3FB8B}\ShellFolder
HKEY_CURRENT_USER_Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableDrives
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{BD7A2E7B-21CB-41B2-A086-B309680C6B7E}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{98F275B4-4FFF-11E0-89E2-7B86DFD72085}
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{e88865ea-0e1c-4e20-9aa6-edcd0212c87c}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E579AB5F-1CC4-44b4-BED9-DE0991FF0623}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{031E4825-7B94-4DC3-B131-E946B44C8DD5}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\LocalServer32
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{F8278C54-A712-415B-B593-B77A2BE0DDA9}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{04271989-C4D2-E17A-CDE5-083CDEAE7ADE}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{89D83576-6BD1-4C86-9454-BEB04E94C819}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{374DE290-123F-4565-9164-39C4925E467B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\ShellFolder
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\DocObject
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER_Classes\AllFilesystemObjects
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{04271989-C4D2-E17A-CDE5-083CDEAE7ADE}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{64693913-1C21-4F30-A98F-4E52906D3B56}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{12a011e2-0000-0000-0000-500600000000}\
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{11016101-E366-4D22-BC06-4ADA335C892B}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{F8278C54-A712-415B-B593-B77A2BE0DDA9}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InprocHandler
HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder

Registry Set (Top 25)

Key Value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Circular Kernel Context Logger\Status 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Enter) 48 00 00 00 00 00 00 00 80 D0 68 CA BA 24 DC 01 00 00 00 00 00 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Leave) 48 00 00 00 00 00 00 00 40 9E 80 CA BA 24 DC 01 00 00 00 00 00 00 00 00 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Enter) 48 00 00 00 00 00 00 00 20 9B B2 CA BA 24 DC 01 00 00 00 00 00 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Leave) 48 00 00 00 00 00 00 00 20 9B B2 CA BA 24 DC 01 00 00 00 00 00 00 00 00 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\Public
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\full
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count 226
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time E9 07 09 00 06 00 0D 00 0E 00 1E 00 1A 00 8B 03
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type 3
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 "c"
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked 1
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\16000009\Element
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\250000e0\Element
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 "C"
HKEY_CURRENT_USER\SOFTWARE\LockBit\full k\x04\xca\x90\x1b\xc9.XS\xccC\xf2\x88I\xac+d<\xcb\xd4C\xf3\xf6\xc4*\x8b\xa6e~[\x98\x96p\x97\x05V\x17q\xe2\x97\xb5\xb2i\xd0\xa6\xb2\xd4\xec\x07\x0b\x1d\xf1\x99\xd1\x0bj\xfa\x7f\xe7\x1e\x92\x11\xaa\x05k\xbe\x1eAT\xb6t\xefq\xc8\x04\x84\xe0x$\x03\xae\xdd&\xc8\xbc\x19\xcd\x16y_\xd4\x03\x02X\x07P\x9e~\xce\xf5%\xf5\xbb'\x11\x0b\x80\x86\x07\xd4\xefs4\xa8\x1f\x07vt\xedS\x8bj\xe4\xbc\xc4\xc4mP\x12\xa4\xe7\xa5c\x1b\xa8\xdd'\xeb\x9e0"r\xaf\x9e\x06VMs\xa0\x17\x8a\xe8\x08<\xd6\x9d\xee\xbd\x04\x18w\x9d\xe1\x9d\x9d\xe8\x16\x92\xa2\xbd\x9aEK\xe3\xf0%\xa1CG\x12\xd6\x18\x9aK\x18
8w&\x15\xe5!\x94\xb3\x06\xbd{\xd5\x8f\xde\x17^\x8d\xa7b\xbf\xdbV\xb4\xa2\xc0r>\xdf\xf0\xce\x87'\xc7\x9bt\xf3C\xfcQ\xa0l\xdc\x10\x82%\xd3\xed\x9a\x8fL\x1f\x8e 5-\xfc>5\x0c\x96\xac\x0e\xfce\x96\x83\x94fgw?\xcck\x91\x9b]\x80{\xf6i\xc4zY\x1c\x80\xe8.Q,\x8epfz\x9d\xe6E\xbc\x06\x89\x7f, \x9c\xf9n\xd1B\xaa\x86\xfdwC\xd8\xc14\xe2\xf8\xbb\xa6-hOw\xf5g\x85\xe9\x84p\xc6\xc4\xe4\xd4^?Q\x1c\xcb\x89>\x81\xfer2\x81\xf2\xe8\xb7\x94Z\xd4\x9f\xaaC\x951v\xe0\x99\xe68\x0c\
HKEY_CURRENT_USER\SOFTWARE\LockBit\Public \xbeT\xe5a\xb1\xba^@Is8_\xe2sv\xcf\x1b\xffn\x13u\xc3Rj\xfeuX\xa3v5\x95p$\x89\xf6\x15\xc1,\x8f\xd0d\x05\xc3\xf4l;\xf5\x07MF\xc0\xfa'X5gJ\xf7\xc6\xd1\xd4'`\x1a\xb2\x16\xe9\x15z\xc03\xea!\xf3At\x9do\x1eN<j\xe5+\x03\xdc\xb6\xf2@\xd7\x16\x84@\xf7V\x0c\x1b-\x1c\xf0\xba\xdf\xfd,'\xbc#\xa4\xdf\xad\xecg\xbb\x80$\xc2"\xdc\x1a\x1b\xf5]\x08v\xbcV\xc8\xa9\xd1\x1d/*\xa7\xe0\xaa\x80A\x16\xb1pPk\x1b\xf5M+\x10\x91\xcd\xeaW\xa6zJ\x94S\xa9\xef\xd3\xa8\xb3\x13\xb6\xf1\x18\x14!v\x8e\x08Oq\xdd\xb7?(\xda\xb0Lkp\xa7\xf3\xc2E\x92\xe6m\xa2\xac\xf5g\xe8\xae*\x11\x9f\xd8W\xfc{Ppi;\x05\xfbnzE\xb2r\x18\xfa\x97\x08]\xc8\xda\x9d\xfd\x8by\x14\xec`"Z\xa9\xe4C\xe3\xba\x14\xa2\x94ju5A\x06\x93\x15\xeb;\xddP\x10\xb7\xb1\xc5%\xcb\x8d\x85'\x01\x00\x01
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 "C"
SOFTWARE\LockBit\full
3m
SOFTWARE\LockBit\Public “óG:Ï~ôù‹]ñÊvY’¢Z­Ap¶6©K «bòÞ0-ŠeZÁDWº
HKEY_CURRENT_USER\SOFTWARE\LockBit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-90d022000000}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 "C"
HKEY_CURRENT_USER\Software\LockBit\full 47 96 E6 4C F0 2E AB 76 88 FA A2 79 08 A4 AC 7D 0C 01 7E 1A F7 B5 BE EA 48 42 06 3F CF 32 8A AC 19 8
HKEY_CURRENT_USER\Software\LockBit\Public D7 39 F9 67 61 61 D8 D6 50 D1 93 06 64 9F 9C 7B 35 E0 F0 97 F9 4D 61 E1 BA E9 5A 83 EF 8F 92 77 AC 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-90d022000000}\MaxCapacity 13491
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{12a011e2-0000-0000-0000-90d022000000}\NukeOnDelete 0

Services Started (Top 15)

Service
VSS
swprv
wbengine
vds
BITS
WSearch
PcaSvc

Services Opened (Top 15)

Service
wrapper
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
Sqlservr
sqlagent
sqladhlp
Culserver
RTVscan
sqlbrowser
SQLADHLP
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
sqlwriter
msmdsrv
tomcat6
zhudongfangyu
vmware-usbarbitator64

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.