Xcitium Logo

ree Converter Uninstall Component Loads Python Runtime Outside Standard Execution Context

  • February 17, 2026
Share with your community:


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-02-17 15:25:12 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
ueeds.exe
Type
Win64 Executable (generic)
SHA‑1
c28eee7e3c270049c8fe9c274709c59ef19d12ea
MD5
f2dfdf5be5f49d4d605386196c5c5734
First Seen
2026-02-17 08:37:06.178477
Last Analysis
2026-02-17 13:42:47.476930
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 5+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2026-01-06 07:53:26 UTC First VirusTotal submission
2026-02-17 14:34:40 UTC Latest analysis snapshot 42 days, 6 hours, 41 minutes
2026-02-17 15:25:12 UTC Report generation time 42 days, 7 hours, 31 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 70. Detected as malicious: 43. Missed: 27. Coverage: 61.4%.

Detected Vendors

  • Xcitium
  • +42 additional vendors (names not provided)

List includes Xcitium plus an additional 42 vendors per the provided summary.

Missed Vendors

  • Acronis
  • AhnLab-V3
  • Avira
  • Baidu
  • CAT-QuickHeal
  • CMC
  • DrWeb
  • F-Secure
  • Gridinsoft
  • huorong
  • Jiangmin
  • MaxSecure
  • NANO-Antivirus
  • Panda
  • Sangfor
  • SentinelOne
  • Skyhigh
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • VBA32
  • VirIT
  • Xcitium
  • Yandex
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (78.57% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 22 78.57%
Process 3 10.71%
Registry 2 7.14%
Hooking 1 3.57%

MITRE ATT&CK Mapping

  • T1082 – check OS version
  • T1027 – encode data using XOR
  • T1497.001 – reference anti-VM strings targeting Xen
  • T1083 – enumerate files recursively
  • T1083 – enumerate files on Windows
  • T1082 – get disk information
  • T1129 – link function at runtime on Windows
  • T1082 – query environment variable
  • T1083 – get common file path
  • T1059 – accept command line arguments
  • T1083 – get file size
  • T1129 – parse PE header
  • T1057 – enumerate process modules
  • T1129 – link many functions at runtime
  • T1055 – Creates a process in a suspended state, likely for injection
  • T1539 – Touches a file containing cookies, possibly for information gathering
  • T1082 – Checks available memory
  • T1071 – The PE file contains an overlay
  • T1485 – Anomalous file deletion behavior detected (10+)
  • T1070.006 – Binary contains a suspicious time stamp
  • T1082 – Queries the volume information (name, serial number etc) of a device

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.200.3.20 United States Akamai Technologies, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 5 udp
53 4 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 3.2599010467529297 udp
192.168.56.13 224.0.0.252 49311 5355 5.747454881668091 udp
192.168.56.13 224.0.0.252 55150 5355 3.1888999938964844 udp
192.168.56.13 224.0.0.252 60010 5355 5.19931697845459 udp
192.168.56.13 224.0.0.252 62406 5355 3.1913199424743652 udp
192.168.56.13 224.0.0.252 63527 5355 4.522151947021484 udp
192.168.56.13 239.255.255.250 52252 3702 3.1969950199127197 udp
192.168.56.13 8.8.4.4 54879 53 7.821805000305176 udp
192.168.56.13 8.8.4.4 54881 53 7.290783882141113 udp
192.168.56.13 8.8.8.8 54879 53 8.82168197631836 udp
192.168.56.13 8.8.8.8 54881 53 8.29070782661438 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

228

Registry Set

28

Services Started

2

Services Opened

2

Registry Opened (Top 25)

Key
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4278CCC0-8710-543A-9036-F37DA6245536}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FA7937E4-AABA-5DC9-BE17-0D54955AA9B3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\ActivateOnHostFlags
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4278CCC0-8710-543A-9036-F37DA6245536}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DelegateFolders
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Classes\https\URL Protocol
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\StorageDelegate
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\Elevation
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CLASSES_ROOT\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
Show all (228 total)
Key
HKEY_CLASSES_ROOT\https
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WindowsSystemLauncherTestHooks
HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\AppID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4C6A-9C5A-D7AA65101E90}
HKEY_CURRENT_USER\Software\RegisteredApplications
HKEY_CURRENT_USER\SOFTWARE\RegisteredApplications\AppXpkywr67r0wf5bhddtfg25nmc88t8x2q3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FA7937E4-AABA-5DC9-BE17-0D54955AA9B3}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{208D2C60-3AEA-1069-A2D7-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AF86E2E0-B12D-4c6a-9C5A-D7AA65101E90}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\StorageDelegateSuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FA7937E4-AABA-5DC9-BE17-0D54955AA9B3}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\PDFclick
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Uninstall.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4278CCC0-8710-543A-9036-F37DA6245536}\ProxyStubClsid32\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CTLs
HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CRLs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001801B2
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust
HKEY_CURRENT_USER\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EdgeUpdate
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft
HKEY_LOCAL_MACHINE\Software\Microsoft
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WindowProperties\721288
HKEY_CURRENT_USER\Software\Microsoft\Edge\Extensions
HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Edge\Extensions
HKEY_CURRENT_USER\Software\Microsoft\Edge\SmartScreenEnabled
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\My
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A01C4
HKEY_CURRENT_USER\Software\Microsoft
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Disallowed
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\Root
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0188
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CTLs
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\trust
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\CRLs
HKEY_CURRENT_USER\Software\Microsoft\Edge\SmartScreenPuaEnabled
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon\
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\CTLs
HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\Certificates
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000802AA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Edge\
HKEY_CURRENT_USER\Software\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\IEToEdge
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
HKEY_CURRENT_USER\Software\Microsoft\Windows
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\trust
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Policies\Microsoft
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\trust\CRLs
HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WindowProperties
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates
HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
HKEY_CURRENT_USER\Software\Microsoft\Edge
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Disallowed
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Edge
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
HKEY_CURRENT_USER\Software\Microsoft\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86\xtajit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Uninstall.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display

Registry Set (Top 25)

Key Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries `$\xb2!\xea:i\x10\xa2\xdc\x08\x00+00\x9du\x04\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F~\x05\x00\x00\xbd\x0e\x0cGs]XM\x9c\xed\xe9\x1e”\xe22\x82\xbd\x05\x00\x00\xfb\x9ay g\xad\xd1\x11\xab\xcd\x00\xc0O\xc3 6 \x01\x00\x00<\xa4\xe2\xff\xb9V\xf5K\x9ay\xccmB\x85`\x8a\xac\x00\x00\x00
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix Cookie:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix Visited:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC1C75 \xd7\x00\x00\x00\x00\x00\x00\x00\x04\x00\x04\x00\x01\x00\x05\x00\x01\x01\x00\x00\x02\x12\xf8\x00\x72\xed\x81\x01\xa5\xad\xcf\x00\xc7\x77\xd7\x00\xdb\xb4\xef\x00\x7e\x01\x02\x00\x00\x00\x00\x7f\x45\x01\x01\x31\x8e\x00\x01\xbf\x1e\x01\x01\xcf\x2a\x01\x02\x12\xf8\x00\x02\x19\xed\x01\x02\x1c\x41\x01\x02\xbc\x94\x01\x02\xe6\x38\x01\x04\x93\x1a…
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75 \x07\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x01\x01\x00\x59\x0f\x1c\x01\x05\x00\x83\x00\x02\x00\x07\x80\x0b\x01\x24\x00\x66\x00\x66\x00\x73\x96\x00\x00\x00\x00\x38\x01\x24\x00\x66\x00\xf9\xf9\x09\x00\x76\x00\x00\x00\x59\x00\x00\x00\x73\x68\x65\x6c\x6c\x5c\x72\x6f\x61\x6d\x69\x6e\x67\x5c\x73\x65\x74\x74\x69\x6e\x67\x73\x79\x6e\x63…
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix Cookie:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries \xfb\x9a\x79\x09\x67\xad\xd1\x11\xab\xcd\x00\xc0\x4f\xc3\x09\x36\x3d\x03\x00\x00\x4e\x3a\xaa\x90\xba\x1c\x33\x42\xb8\xbb\x53\x57\x73\xd4\x84\x49\x87\x01\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46\xa8\x0b\x00\x00\x60\x78\xa4\x09\xb0\x11\xa5\x4d\xaf\xa5\x26\xd8\x61\x98\xa7\x80\xbf\x02\x00\x00\x60\xb8\x1d\xb4\xe4…
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix Visited:
HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon\failed_count 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\dr 1
HKEY_CURRENT_USER\Software\Microsoft\Edge\ThirdParty\StatusCodes \x
HKEY_CURRENT_USER\Software\Microsoft\Edge\UsageStatsInSample 0x00000001
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault\S-1-5-21-4226853953-3309226944-3078887307-1000 REG_QWORD
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\usagestats 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Edge\StabilityMetrics\user_experience_metrics.stability.exited_cleanly 0x00000000
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\urlstats 0x00000000
HKEY_CURRENT_USER\Software\Microsoft\Edge\BLBeacon\state 0x00000002
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000001801B2\VirtualDesktop \x10\x00\x00\x00\x30\x30\x44\x56\xf5\x8e\xe5\x43\x5f\x8c\x9b\x45\xb5\x20\x89\x25\xe8\xad\x1f\xed
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A01C4\VirtualDesktop \x10\x00\x00\x00\x30\x30\x44\x56\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe \x20\xa1\xeb\xaf\x88\x7f\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000802AA\VirtualDesktop \x10\x00\x00\x00\x30\x30\x44\x56\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000B0188\VirtualDesktop \x10\x00\x00\x00\x30\x30\x44\x56\xf5\x8e\xe5\x43\x5f\x8c\x9b\x45\xb5\x20\x89\x25\xe8\xad\x1f\xed
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\JumplistData\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\WindowsPowerShell\v1.0\powershell.exe REG_QWORD
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WindowProperties\721288\WindowTabManagerFileMappingId {86CEAFED-8A5E-4002-94FF-C26AD1693FFC}
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob \x03\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x9e\x99\xa4\x8a\x99\x60\xb1\x49\x26\xbb\x7f\x3b\x02\xe2\x2d\xa2\xb0\xab\x72\x80\x14\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x9c\x5f\x00\xdf\xaa\x01\xd7\x30\x2b\x38\x88\xa2\xb8\x6d\x4a\x9c\xf2\x11\x91\x83\x04\x00\x00\x00\x01\x00\x00\x00\x10\x00\x00\x00\xc6\x15\x09\x25\xcf\xea\x59\x41\xdd…
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-4226853953-3309226944-3078887307-1000\%ProgramFiles%%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe \xf3\xef\x60\xbe\x88\x7f\xdc\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00
HKEY_CURRENT_USER\Software\Microsoft\EdgeUpdate\ClientState\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\lastrun 13412231406630589

Services Started (Top 15)

Service
WSearch
BITS

Services Opened (Top 15)

Service
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Like what you see? Share with a friend.