c89e53c95a0a6b365f123e66bb38ffa8835658ac


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-12 11:57:08 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: c89e53c95a0a6b365f123e66bb38ffa8835658ac
Type: Win32 EXE
SHA‑1: c89e53c95a0a6b365f123e66bb38ffa8835658ac
MD5: e70ecc9f6b2bdfb66d6ac8d6469549d8
First Seen: 2025-09-05 07:16:07.865962
Last Analysis: 2025-09-05 10:02:35.714813
Dwell Time: 0 days, 2 hours, 46 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)              | Event                       | Elapsed
------------------------|-----------------------------|------------------------------
2025-09-04 17:25:29 UTC | First VirusTotal submission |
2025-09-09 07:40:37 UTC | Latest analysis snapshot    | 4 days, 14 hours, 15 minutes
2025-09-12 11:57:08 UTC | Report generation time      | 7 days, 18 hours, 31 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 64. Missed: 9. Coverage: 87.7%.

Detected Vendors

  • Xcitium
  • +63 additional vendors (names not provided)

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (76.93% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category        | Weight | Percentage
----------------|--------|-----------
System          | 1647   | 76.93%
Registry        | 262    | 12.24%
File System     | 188    | 8.78%
Process         | 17     | 0.79%
Network         | 16     | 0.75%
Threading       | 6      | 0.28%
Misc            | 2      | 0.09%
Synchronization | 2      | 0.09%
Hooking         | 1      | 0.05%

MITRE ATT&CK Mapping

  • T1010 – enumerate gui resources
  • T1082 – enumerate disk volumes
  • T1027 – encrypt data using RC4 KSA
  • T1614 – get geographical location
  • T1056.001 – log keystrokes via application hook
  • T1082 – query environment variable
  • T1134 – modify access privileges
  • T1083 – enumerate files recursively
  • T1129 – parse PE header
  • T1033 – get session user name
  • T1087 – get session user name
  • T1027 – encrypt data using AES
  • T1115 – open clipboard
  • T1083 – enumerate files on Windows
  • T1614.001 – get keyboard layout
  • T1083 – check if file exists
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1082 – get system information on Windows
  • T1027 – encode data using XOR
  • T1555.003 – gather firefox profile information
  • T1543.003 – stop service
  • T1489 – stop service
  • T1027 – encrypt data using RC4 PRGA
  • T1562.001 – disable system features via registry on Windows
  • T1012 – query or enumerate registry value
  • T1082 – get disk information
  • T1115 – read clipboard data
  • T1112 – delete registry key
  • T1543.003 – pause service
  • T1007 – enumerate services
  • T1012 – query or enumerate registry key
  • T1027 – reference AES constants
  • T1055.012 – use process replacement
  • T1620 – use process replacement
  • T1112 – delete registry value
  • T1059.003 – create reverse shell
  • T1007 – query service status
  • T1543.003 – continue service
  • T1083 – get common file path
  • T1543.003 – start service
  • T1543.003 – modify service
  • T1569.002 – modify service
  • T1059.003 – execute shell command and capture output
  • T1129 – link function at runtime on Windows
  • T1529 – shutdown system
  • T1056.001 – log keystrokes
  • T1113 – capture screenshot
  • T1070.004 – self delete
  • T1056.001 – log keystrokes via polling
  • T1082 – check OS version
  • T1129 – link many functions at runtime
  • T1222 – set file attributes
  • T1083 – get file size
  • T1564.003 – hide graphical window
  • T1123 – capture microphone audio
  • T1548.002 – bypass UAC via ICMLuaUtil
  • T1547.001 – persist via Run registry key
  • T1518 – get installed programs
  • T1539 – Touches a file containing cookies, possibly for information gathering
  • T1082 – Checks available memory
  • T1071 – Performs HTTP requests potentially not found in PCAP
  • T1071 – HTTP traffic contains suspicious features which may be indicative of malware related traffic
  • T1071 – Looks up the external IP address
  • T1071 – A process attempted to delay the analysis task
  • T1071 – Attempts to connect to a dead IP:Port
  • T1071 – Binary file triggered YARA rule
  • T1010 – Monitors user input
  • T1012 – Query OS Information
  • T1027.002 – Resolves API functions dynamically
  • T1055 – Injects a file into another process
  • T1056 – Combination of other detections shows multiple input capture behaviors
  • T1056.001 – Monitors keyboard input
  • T1056.004 – Monitors keyboard input
  • T1071.004 – Performs DNS request
  • T1082 – Query OS Information
  • T1095 – Connects to remote host
  • T1115 – Captures clipboard data
  • T1119 – Combination of other detections shows multiple input capture behaviors
  • T1497.003 – Delays execution
  • T1571 – Tries to connect using an uncommon port
  • T1095 – Unsuccessful connections attempts were detected (with 1 different IP:Port)
  • T1129 – The process tried to load dynamically one or more functions
  • T1179 – The process behaves as a keylogger (keyboard capturing detected)
  • T1056 – The process behaves as a keylogger (keyboard capturing detected)
  • T1059 – Apparent Internal Usage of CMD.EXE
  • T1202 – Apparent Internal Usage of CMD.EXE
  • T1063 – It Tries to detect injection methods
  • T1055 – May try to detect the Windows Explorer process (often used for injection)
  • T1497 – May sleep (evasive loops) to hinder dynamic analysis
  • T1056 – Sample has functionality to log and monitor keystrokes, analyze it with the keystroke simulation cookbook
  • T1056 – Installs a global keyboard hook
  • T1057 – May try to detect the Windows Explorer process (often used for injection)
  • T1560 – Public key (encryption) found
  • T1571 – Detected TCP or UDP traffic on non-standard ports
  • T1219 – Detected Remcos RAT
  • T1105 – Downloads files from webservers via HTTP
  • T1105 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • T1105 – Some HTTP requests failed (404); it is likely that the sample will exhibit less behavior
  • T1095 – Downloads files from webservers via HTTP
  • T1095 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • T1071 – Downloads files from webservers via HTTP
  • T1071 – Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • T1071 – C2 URLs / IPs found in malware configuration

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain           | IP            | Country       | ASN/Org
-----------------|---------------|---------------|---------------------------
45.88.186.160    |               | Not known     |
www.aieov.com    | 76.223.54.146 | United States | Amazon.com, Inc.
www.msftncsi.com | 23.200.3.20   | United States | Akamai Technologies, Inc.

Observed IPs

IP              | Country       | ASN/Org
----------------|---------------|-----------
224.0.0.252     |               |
239.255.255.250 |               |
8.8.4.4         | United States | Google LLC
8.8.8.8         | United States | Google LLC

DNS Queries

Request             | Type
--------------------|-----
TESORO.dynuddns.com | A
5isohu.com          | A
www.msftncsi.com    | A
www.aieov.com       | A

Port Distribution

Port | Count | Protocols
-----|-------|----------
137  | 1     | udp
5355 | 5     | udp
53   | 62    | udp
3702 | 1     | udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 3.2508599758148193 udp
192.168.56.13 224.0.0.252 54881 5355 5.7321789264678955 udp
192.168.56.13 224.0.0.252 55150 5355 3.1746809482574463 udp
192.168.56.13 224.0.0.252 60010 5355 5.183929920196533 udp
192.168.56.13 224.0.0.252 62406 5355 3.17932391166687 udp
192.168.56.13 224.0.0.252 63527 5355 4.530497074127197 udp
192.168.56.13 239.255.255.250 52252 3702 3.212960958480835 udp
192.168.56.13 8.8.4.4 49311 53 5.242098093032837 udp
192.168.56.13 8.8.4.4 50554 53 65.74373412132263 udp
192.168.56.13 8.8.4.4 53518 53 110.22844409942627 udp
192.168.56.13 8.8.4.4 53985 53 162.25917506217957 udp
192.168.56.13 8.8.4.4 54879 53 7.102986097335815 udp
192.168.56.13 8.8.4.4 55551 53 80.10339593887329 udp
192.168.56.13 8.8.4.4 55743 53 159.6816918849945 udp
192.168.56.13 8.8.4.4 56086 53 145.32593703269958 udp
192.168.56.13 8.8.4.4 56197 53 71.22817802429199 udp
192.168.56.13 8.8.4.4 56202 53 201.25937509536743 udp
192.168.56.13 8.8.4.4 56908 53 174.04049396514893 udp
192.168.56.13 8.8.4.4 57065 53 112.71224093437195 udp
192.168.56.13 8.8.4.4 57310 53 32.2280650138855 udp
192.168.56.13 8.8.4.4 57415 53 36.8064489364624 udp
192.168.56.13 8.8.4.4 58070 53 175.25923490524292 udp
192.168.56.13 8.8.4.4 58697 53 7.7446300983428955 udp
192.168.56.13 8.8.4.4 58920 53 45.22806406021118 udp
192.168.56.13 8.8.4.4 59610 53 127.07204794883728 udp
192.168.56.13 8.8.4.4 60543 53 98.35331106185913 udp
192.168.56.13 8.8.4.4 60780 53 136.22867107391357 udp
192.168.56.13 8.8.4.4 60910 53 51.384767055511475 udp
192.168.56.13 8.8.4.4 61004 53 84.22827100753784 udp
192.168.56.13 8.8.4.4 61800 53 149.22852993011475 udp
192.168.56.13 8.8.4.4 61897 53 192.29061198234558 udp
192.168.56.13 8.8.4.4 62422 53 188.25974988937378 udp
192.168.56.13 8.8.4.4 62493 53 22.44741702079773 udp
192.168.56.13 8.8.4.4 62849 53 18.22872805595398 udp
192.168.56.13 8.8.4.4 62980 53 206.6534390449524 udp
192.168.56.13 8.8.4.4 64533 53 97.22856092453003 udp
192.168.56.13 8.8.4.4 64801 53 58.22848701477051 udp
192.168.56.13 8.8.4.4 64886 53 123.22800993919373 udp
192.168.56.13 8.8.8.8 49311 53 6.228327989578247 udp
192.168.56.13 8.8.8.8 50554 53 64.7441918849945 udp
192.168.56.13 8.8.8.8 53518 53 109.22847390174866 udp
192.168.56.13 8.8.8.8 53985 53 161.26756501197815 udp
192.168.56.13 8.8.8.8 54879 53 8.087526082992554 udp
192.168.56.13 8.8.8.8 55551 53 79.10345792770386 udp
192.168.56.13 8.8.8.8 55743 53 158.68171501159668 udp
192.168.56.13 8.8.8.8 56086 53 144.32251501083374 udp
192.168.56.13 8.8.8.8 56197 53 70.22868990898132 udp
192.168.56.13 8.8.8.8 56202 53 200.2596559524536 udp
192.168.56.13 8.8.8.8 56908 53 173.04141902923584 udp
192.168.56.13 8.8.8.8 57065 53 111.71287107467651 udp
192.168.56.13 8.8.8.8 57310 53 31.22919797897339 udp
192.168.56.13 8.8.8.8 57415 53 35.807106018066406 udp
192.168.56.13 8.8.8.8 58070 53 174.26007103919983 udp
192.168.56.13 8.8.8.8 58697 53 8.743988990783691 udp
192.168.56.13 8.8.8.8 58920 53 44.22900700569153 udp
192.168.56.13 8.8.8.8 59610 53 126.07266592979431 udp
192.168.56.13 8.8.8.8 60543 53 97.35348510742188 udp
192.168.56.13 8.8.8.8 60780 53 135.2288749217987 udp
192.168.56.13 8.8.8.8 60910 53 50.38501000404358 udp
192.168.56.13 8.8.8.8 61004 53 83.22874093055725 udp
192.168.56.13 8.8.8.8 61800 53 148.22833395004272 udp
192.168.56.13 8.8.8.8 61897 53 191.29231095314026 udp
192.168.56.13 8.8.8.8 62422 53 187.25958800315857 udp
192.168.56.13 8.8.8.8 62493 53 21.447491884231567 udp
192.168.56.13 8.8.8.8 62849 53 19.22809100151062 udp
192.168.56.13 8.8.8.8 62980 53 205.6507740020752 udp
192.168.56.13 8.8.8.8 64533 53 96.22895407676697 udp
192.168.56.13 8.8.8.8 64801 53 57.22850203514099 udp
192.168.56.13 8.8.8.8 64886 53 122.22842192649841 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles, followed by the keys observed in the sandbox run.

Registry Opened: 341
Registry Set: 35
Services Started: 0
Services Opened: 0

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\ZoneMap\Ranges\
HKEY_USERS\S-1-5-20\Software
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_USERS\S-1-5-19\SOFTWARE\Rmc-HHCQ04
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\okmode
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Rmc-HHCQ04
HKEY_USERS\S-1-5-19\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_USERS\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\override
HKEY_USERS\.DEFAULT\Software\Rmc-HHCQ04
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\hlight
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_USERS\S-1-5-20\SOFTWARE\Rmc-HHCQ04
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\del
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_USERS\S-1-5-21-4005801669-2598574594-602355426-1001\Software
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\exepath
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\group
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\name
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_USERS\S-1-5-21-4005801669-2598574594-602355426-1001\Software\Rmc-HHCQ04\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\licence
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_USERS\.DEFAULT\Software
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\time
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\CooLib
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\elev
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\UID
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
HKEY_CURRENT_USER\ZoneMap\Ranges\
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\elev
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\del
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\time
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\UID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\okmode
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\group
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\licence
HKEY_USERS\S-1-5-19\Software\Rmc-HHCQ04
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\hlight
HKEY_USERS\S-1-5-20\Software\Rmc-HHCQ04
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\exepath
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\override
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\CooLib
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\CurrentBuildNumber
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Rmc-HHCQ04
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-4c-57-b3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist\Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F0D39F9C-D829-42B5-B5C7-A3D502281D3E}\52-54-00-4c-57-b3
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F0D39F9C-D829-42B5-B5C7-A3D502281D3E}
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A168AADC-1674-49DA-AD4F-4F27DF8760D0}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1070296143-2877979003-364783958-1001
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\SdbUpdates\ManifestedMergeStubSdbs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000323-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\Software\Policies
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\LocalServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\software.exe
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{a168aadc-1674-49da-ad4f-4f27df8760d0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_TOKEN_BINDING
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Disable8And16BitMitigation
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions\TenantRestrictionsPlugin.dll
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\OLE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_TOKEN_BINDING
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex\{00000323-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{2B0F765D-C0E9-4171-908E-08A611B84FF6}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\OLE\Tracing
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\dnscache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex\{00000323-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000323-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_LOCAL_MACHINE\Software\Classes\PackagedCom
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TreatAsClassIndex
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Containers
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_LOCAL_MACHINE\Software\WOW6432Node
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows\TenantRestrictions\Payload
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ClassIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip6
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

Registry Set (Top 25)

Key Value
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Rmc-HHCQ04\exepath 6A B6 B0 13 DC 20 0C 06 27 B2 A2 BF E6 DE 77 BA EA 3A F8 C5 E2 92 16 D4 C1 36 6C E8 FC 31 12 BE DA 01 F2 00 C9 67 01 01 AA 93 35 D5 72 07 C5 BE 42 76 A8 66 6F F9 9F 5A 0C A0 A1 ED 49 5B 53 94 85 4A 1A 33 07 92 AE 48 64 02 97 E8 C1 10 9C 6A 2D C8 5D 64 55 CC EA F6 08 63 ED 6B 29 D1 2A 36 E0 87 28 5F 59 F4 01 B8 4C 98 82 EA 87 54 BD 00
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Rmc-HHCQ04\UID 721057513
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Rmc-HHCQ04\licence E880687B3DA7CF71C0153C8A4014A440
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Rmc-HHCQ04\time 1696410702
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\exepath 4A B6 B0 13 DC 20 2C 06 27 B2 A2 BF E6 DE 77 BA EA 3A CD C5 F1 92 0F D4 C4 36 66 E8 D2 31 0A BE DE 01 F1 00 D2 67 11 01 A4 93 31 D5 4F 07 E9 BE 0B A8 66 6B F9 8C 5A 01 A0 90 ED 13 5B 53 94 90 4A 0F 33 5B 92
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\licence E880687B3DA7CF71C0153C8A4014A440
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\time 1757031973
HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\UID 18446744071718394750
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\UID 1924864361
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\exepath
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\licence E880687B3DA7CF71C0153C8A4014A440
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\time 1755736655
HKEY_CURRENT_USER\Software\Rmc-HHCQ04
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\licence
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\time
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\UID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04
HKEY_USERS\S-1-5-21-1560258661-3990802383-1811730007-1000\Software\Rmc-HHCQ04\exepath
S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Rmc-HHCQ04\exepath (REG_BINARY; the extraction rendered the bytes as Latin-1 text, dropped the control bytes and truncated the value, so it is not recoverable here)
S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Rmc-HHCQ04\licence E880687B3DA7CF71C0153C8A4014A440
S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Rmc-HHCQ04\time 1756682969
S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Rmc-HHCQ04\UID 3244947159
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings F
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix Cookie:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix Visited:
{F0D39F9C-D829-42B5-B5C7-A3D502281D3E}\WpadDecisionReason 1
{F0D39F9C-D829-42B5-B5C7-A3D502281D3E}\WpadDecisionTime 02 0D E1 1A CF 1A DC 01 (REG_BINARY FILETIME, decoded from the UTF-16 text the extraction printed; equals 2025-08-31 23:29:32 UTC, three seconds after the Rmc-HHCQ04\time value 1756682969 written in the same run)
{F0D39F9C-D829-42B5-B5C7-A3D502281D3E}\WpadDecision 0
{F0D39F9C-D829-42B5-B5C7-A3D502281D3E}\WpadNetworkName Network 2
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\exepath 4A B6 B0 13 DC 20 2C 06 27 B2 A2 BF E6 DE 77 BA EA 3A CD C5 F1 92 0F D4 C4 36 66 E8 D2 31 0A BE DE 0
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\time 1757012115
HKEY_CURRENT_USER\Software\Rmc-HHCQ04\UID -1900836604
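The table above prints the same four values in several shapes across runs: exepath as a hex dump in one row and as Python-style \x escapes in another, UID as a signed, unsigned or 64-bit integer, time as Unix epoch seconds, and WpadDecisionTime as a FILETIME mis-rendered as UTF-16 text. The script below is an added example, not part of the sandbox report, that folds each rendering onto one comparable form so the rows can be used as indicators. The sample rows are copied from the table; the only assumption is that the typographic quote inside the escaped exepath dump stands for a plain ASCII apostrophe (0x27) that the report renderer prettified, which the hex row for the same value confirms.

```python
"""Normalise the Registry Set rows from this report into comparable IoC fields.

Added example (not the sandbox's own code). Renderings handled:
  exepath           REG_BINARY printed as \\x escapes   -> upper-case hex
  UID               DWORD printed signed/unsigned/64-bit -> unsigned 32-bit
  time              Unix epoch seconds                   -> ISO-8601 UTC
  WpadDecisionTime  8-byte FILETIME printed as UTF-16    -> ISO-8601 UTC
"""
import re
from datetime import datetime, timedelta, timezone

# Value names present in the report's table. The parser keys on them because
# both key paths ("Internet Settings") and binary dumps contain spaces.
_ROW = re.compile(
    r"^(?P<key>.+?)\\(?P<name>exepath|licence|time|UID|WpadDecisionTime"
    r"|WpadDecisionReason|WpadDecision|WpadNetworkName|ProxyEnable)"
    r"(?: (?P<value>.*))?$"
)

# Constructed sample: rows copied from the report's Registry Set table.
SAMPLE_ROWS = [
    r"HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\exepath J\xb6\xb0\x13\xdc ,\x06’\xb2\xa2\xbf\xe6\xdew\xba\xea:\xcd\xc5\xf1\x92\x0f\xd4\xc46f\xe8\xd21\n\xbe\xde\x01\xf1\x00\xd2g\x11\x01\xa4\x931\xd5O\x07\xe9\xbe\v\xa8fk\xf9\x8cZ\x01\xa0\x90\xed\x13[S\x94\x90J\x0f3[\x92",
    r"HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\licence E880687B3DA7CF71C0153C8A4014A440",
    r"HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\time 1757031973",
    r"HKEY_CURRENT_USER\SOFTWARE\Rmc-HHCQ04\UID 18446744071718394750",
    r"HKEY_CURRENT_USER\Software\Rmc-HHCQ04\UID -1900836604",
    r"{F0D39F9C-D829-42B5-B5C7-A3D502281D3E}\WpadDecisionTime ം᫡᫏ǜD",
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable 0",
]


def decode_escaped(text):
    """Turn the report's \\x-escaped dump of a REG_BINARY value back into bytes."""
    cleaned = text.replace("\u2019", "'")  # assumption: prettified apostrophe -> 0x27
    return cleaned.encode("latin-1").decode("unicode_escape").encode("latin-1")


def utf16_misrender_to_bytes(text, length=8):
    """Recover raw bytes the report printed as UTF-16LE text; a FILETIME is 8 bytes."""
    return text.encode("utf-16-le")[:length]


def to_uint32(value):
    """Fold signed, unsigned and 64-bit renderings of a DWORD onto one unsigned value."""
    return int(value) & 0xFFFFFFFF


def epoch_to_iso(seconds):
    """Unix epoch seconds -> ISO-8601 UTC string."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def filetime_to_iso(raw):
    """Little-endian FILETIME (100 ns ticks since 1601-01-01) -> ISO-8601 UTC string."""
    ticks = int.from_bytes(raw, "little")
    dt = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalise_row(row):
    """Parse one 'Key Value' row and attach a normalised form of its value."""
    m = _ROW.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    key, name, raw = m.group("key"), m.group("name"), m.group("value")
    rec = {"key": key, "name": name, "raw": raw}
    if raw is None:  # rows that list a value name without data
        return rec
    if name == "exepath":
        rec["hex"] = decode_escaped(raw).hex(" ").upper()
    elif name == "UID":
        rec["uid"] = to_uint32(raw)
    elif name == "time":
        rec["utc"] = epoch_to_iso(raw)
    elif name == "WpadDecisionTime":
        rec["utc"] = filetime_to_iso(utf16_misrender_to_bytes(raw))
    return rec


def normalise_rows(rows=SAMPLE_ROWS):
    return [normalise_row(r) for r in rows]


if __name__ == "__main__":
    for rec in normalise_rows():
        print(rec)
```

Running it shows that the escaped exepath row is byte-for-byte the value the later hex row truncates, that the two UID renderings are ordinary 32-bit values (2303810430 and 2394130692), and that the WPAD FILETIME lands three seconds after the Rmc-HHCQ04\time epoch from the same run, which is the cross-check to apply before trusting any decoded timestamp from a sandbox dump.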

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default. Signatures catch up later; containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: alert on creation of HKCU\Software\Rmc-* keys carrying the exepath, licence, time and UID values recorded above, and on queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*). The Wpad*, ProxyEnable and CachePrefix entries are written by WinHTTP/WinINet initialisation and are not worth alerting on by themselves.
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above (the Rmc-* value set and the licence value E880687B3DA7CF71C0153C8A4014A440 recur across every run) and quarantine positives immediately.

Dwell time is attacker opportunity. Restricting execution privileges and outbound egress shrinks that window regardless of whether every vendor's engine has a signature yet.
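One way to run the "hunt broadly" step against the registry footprint this report records, as an added example that is not part of the report or of any vendor tooling: the script walks every loaded user hive under HKEY_USERS, reads each Software\<subkey>, and scores it on the three things the table shows, an Rmc-* key name, the exepath/licence/time/UID value set, and the fixed licence value. The scoring thresholds are my own heuristic, not something the report states. The live walk uses the standard-library winreg module and therefore only runs on Windows (reading other users' hives needs an elevated prompt); the classify() function is pure and is what the offline test exercises.

```python
"""Hunt loaded user hives for the Rmc-* configuration footprint in this report.

Added example, not the sandbox's or any vendor's code. classify() is portable;
scan_user_hives() needs Windows (stdlib winreg) and elevation for other users' hives.
"""
import sys

# Value names the sample writes under <hive>\Software\Rmc-HHCQ04 (from the report).
MARKER_VALUES = frozenset({"exepath", "licence", "time", "UID"})
# The licence value is identical in every run recorded in the report.
KNOWN_LICENCE = "E880687B3DA7CF71C0153C8A4014A440"


def _as_text(data):
    """Render registry data uniformly: REG_BINARY as upper-case hex, anything else as str."""
    if isinstance(data, (bytes, bytearray)):
        return bytes(data).hex().upper()
    return str(data)


def classify(subkey, values):
    """Score one <hive>\\Software\\<subkey> key.

    `values` maps value name -> data as read from the key. Returns (verdict, reasons)
    with verdict 'match', 'suspect' or 'clean'. Value names are compared
    case-insensitively because the report shows them in mixed case.
    Thresholds (assumption, my heuristic): known licence -> match; Rmc-* name with
    three or more markers -> match; all four markers under another name, or an
    Rmc-* name with any marker -> suspect.
    """
    names = {n.lower(): d for n, d in values.items()}
    present = sorted(m for m in MARKER_VALUES if m.lower() in names)
    rmc_named = subkey.lower().startswith("rmc-")
    reasons = []
    if rmc_named:
        reasons.append(f"key name {subkey!r} matches Rmc-*")
    if present:
        reasons.append("marker values present: " + ", ".join(present))
    licence = names.get("licence")
    if licence is not None and _as_text(licence).upper() == KNOWN_LICENCE:
        reasons.append("licence equals the value recorded in this report")
        return "match", reasons
    if rmc_named and len(present) >= 3:
        return "match", reasons
    if len(present) == len(MARKER_VALUES) or (rmc_named and present):
        return "suspect", reasons
    return "clean", reasons


def _read_values(key):
    """Return {value name: data} for an open registry key."""
    import winreg

    values = {}
    for i in range(winreg.QueryInfoKey(key)[1]):
        name, data, _type = winreg.EnumValue(key, i)
        values[name] = data
    return values


def scan_user_hives():
    """Walk HKEY_USERS\\<SID>\\Software\\* and return [(sid, subkey, verdict, reasons)] for hits."""
    import winreg  # Windows only; imported here so the module still loads elsewhere.

    hits = []
    for i in range(winreg.QueryInfoKey(winreg.HKEY_USERS)[0]):
        sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        try:
            software = winreg.OpenKey(winreg.HKEY_USERS, sid + r"\Software")
        except OSError:
            continue  # *_Classes hives and unloaded profiles have no Software key
        with software:
            for j in range(winreg.QueryInfoKey(software)[0]):
                subkey = winreg.EnumKey(software, j)
                try:
                    with winreg.OpenKey(software, subkey) as k:
                        values = _read_values(k)
                except OSError:
                    continue  # access denied or key removed mid-walk
                verdict, reasons = classify(subkey, values)
                if verdict != "clean":
                    hits.append((sid, subkey, verdict, reasons))
    return hits


if __name__ == "__main__":
    if not sys.platform.startswith("win"):
        sys.exit("live scan needs Windows; classify() can be exercised anywhere")
    for sid, subkey, verdict, reasons in scan_user_hives():
        print(f"[{verdict}] HKU\\{sid}\\Software\\{subkey}: " + "; ".join(reasons))
```

The licence check is the strongest signal because it is a fixed value, while the key name is the weakest: the report itself shows only one name (Rmc-HHCQ04), so a renamed key with the same four values is reported as suspect rather than ignored. Run it from an elevated prompt on each host in scope and feed any match straight into quarantine.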
