Zero‑Dwell Threat Intelligence Report
A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-18 06:48:01 UTC
Executive Overview — What We’re Dealing With
This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.
File
6ue1f3s.exe
Type
PE32 executable (GUI) Intel 80386, for MS Windows
SHA‑1
5b380b69aef6e8ab192050cdfa86dc0b422f3026
MD5
16da77e352389663ef0f9e1d391a3f5b
First Seen
2025-09-05 07:11:43.521671
Last Analysis
2025-09-05 10:02:32.133681
Dwell Time
0 days, 7 hours, 33 minutes
Extended Dwell Time Impact
For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.
Comparative Context
Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.
Timeline
| Time (UTC) | Event | Elapsed |
|---|---|---|
| 2025-09-01 02:31:19 UTC | First VirusTotal submission | — |
| 2025-09-09 07:09:21 UTC | Latest analysis snapshot | 8 days, 4 hours, 38 minutes |
| 2025-09-18 06:48:01 UTC | Report generation time | 17 days, 4 hours, 16 minutes |
Why It Matters
Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.
Global Detection Posture — Who Caught It, Who Missed It
VirusTotal engines: 73. Detected as malicious: 69. Missed: 4. Coverage: 94.5%.
Detected Vendors
- Xcitium
- +68 additional vendors (names not provided)
List includes Xcitium plus an additional 68 vendors per the provided summary.
Missed Vendors
- Acronis
- Baidu
- CMC
- SUPERAntiSpyware
Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.
Behavioral Storyline — How the Malware Operates
Intensive file system activity (51.20% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.
Behavior Categories (weighted)
Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.
| Category | Weight | Percentage |
|---|---|---|
| File System | 222917 | 51.20% |
| Synchronization | 112473 | 25.83% |
| System | 92909 | 21.34% |
| Registry | 5442 | 1.25% |
| Misc | 507 | 0.12% |
| Process | 379 | 0.09% |
| Com | 302 | 0.07% |
| Threading | 173 | 0.04% |
| Device | 150 | 0.03% |
| Services | 58 | 0.01% |
| Crypto | 55 | 0.01% |
| Network | 17 | 0.00% |
| Hooking | 6 | 0.00% |
| Windows | 3 | 0.00% |
MITRE ATT&CK Mapping
- T1134 – acquire debug privileges
- T1129 – parse PE header
- T1027 – encrypt data using RC4 PRGA
- T1555 – gather classicftp information
- T1555.003 – gather firefox profile information
- T1555 – gather cyberduck information
- T1555 – gather total-commander information
- T1555 – gather ultrafxp information
- T1555 – gather bitkinex information
- T1027 – encode data using XOR
- T1027.005 – contain obfuscated stackstrings
- T1555 – gather filezilla information
- T1129 – access PEB ldr_data
- T1003 – Steals private information from local Internet browsers
- T1555 – Steals private information from local Internet browsers
- T1552 – Steals private information from local Internet browsers
- T1555.003 – Steals private information from local Internet browsers
- T1552.001 – Steals private information from local Internet browsers
- T1082 – Checks available memory
- T1082 – Collects information to fingerprint the system
- T1012 – Collects information to fingerprint the system
- T1071 – Binary file triggered YARA rule
- T1071 – Yara detections observed in process dumps, payloads or dropped files
- T1005 – Steals private information from local Internet browsers
- T1005 – Searches for sensitive browser data
- T1005 – Reads sensitive browser data
- T1005 – Searches for sensitive application data
- T1005 – Searches for sensitive FTP data
- T1005 – Reads sensitive FTP data
- T1005 – Reads sensitive application data
- T1005 – Searches for sensitive mail data
- T1005 – Reads sensitive mail data
- T1005 – Tries to read cached credentials of various applications
- T1012 – Reads system data
- T1012 – Possibly does reconnaissance
- T1012 – Searches for sensitive browser data
- T1012 – Searches for sensitive FTP data
- T1012 – Reads sensitive FTP data
- T1012 – Reads sensitive application data
- T1012 – Searches for sensitive application data
- T1012 – Searches for sensitive mail data
- T1012 – Reads sensitive mail data
- T1071.004 – Performs DNS request
- T1082 – Reads system data
- T1083 – Searches for sensitive browser data
- T1083 – Searches for sensitive application data
- T1083 – Searches for sensitive FTP data
- T1083 – Searches for sensitive mail data
- T1083 – Reads sensitive browser data
- T1095 – Connects to remote host
- T1119 – Searches for sensitive browser data
- T1119 – Reads sensitive browser data
- T1119 – Searches for sensitive application data
- T1119 – Searches for sensitive FTP data
- T1119 – Reads sensitive FTP data
- T1119 – Reads sensitive application data
- T1119 – Searches for sensitive mail data
- T1119 – Reads sensitive mail data
- T1119 – Tries to read cached credentials of various applications
- T1134 – Enables process privileges
- T1217 – Searches for sensitive browser data
- T1497.003 – Delays execution
- T1552.001 – Searches for sensitive browser data
- T1552.001 – Searches for sensitive application data
- T1552.001 – Searches for sensitive FTP data
- T1552.001 – Searches for sensitive mail data
- T1552.001 – Reads sensitive browser data
- T1552.002 – Searches for sensitive browser data
- T1552.002 – Searches for sensitive FTP data
- T1552.002 – Reads sensitive FTP data
- T1552.002 – Reads sensitive application data
- T1552.002 – Searches for sensitive application data
- T1552.002 – Searches for sensitive mail data
- T1552.002 – Reads sensitive mail data
- T1555.003 – Reads sensitive browser data
- T1129 – The process tried to load dynamically one or more functions.
- T1045 – Manalize Local SandBox Packer Harvesting
- T1027 – encode data using XOR
- T1129 – access PEB ldr_data
- T1134 – acquire debug privileges
- T1129 – parse PE header
- T1555.003 – gather firefox profile information
- T1555 – gather bitkinex information
- T1555 – gather classicftp information
- T1555 – gather cyberduck information
- T1555 – gather filezilla information
- T1555 – gather total-commander information
- T1555 – gather ultrafxp information
- T1027 – encrypt data using RC4 PRGA
- T1071 – Detected one or more anomalous HTTP requests
- T1071 – Detected HTTP requests to some non white-listed domains
- T1107 – The process attempted to delete its original binary
- T1070 – The process attempted to delete its original binary
- T1081 – Detected an attempt to access Browser data that may contain sensible informations (e.g. user credentials)
- T1119 – Detected an attempt to access Browser data that may contain sensible informations (e.g. user credentials)
- T1082 – Queries for the computername
- T1082 – The process tried to collect informations about the system reading some known registry keys
- T1012 – The process tried to collect informations about the system reading some known registry keys
- T1081 – The process attempted to collect credentials from installed FTP clients
- T1119 – The process attempted to collect credentials from installed FTP clients
- T1081 – The process attempted to collect informations related to installed instant messaging clients
- T1119 – The process attempted to collect informations related to installed instant messaging clients
- T1027.005 – contain obfuscated stackstrings
- T1134 – Created network traffic indicative of malicious activity
- T1129 – Created network traffic indicative of malicious activity
- T1027 – Created network traffic indicative of malicious activity
- T1555.003 – Created network traffic indicative of malicious activity
- T1555 – Created network traffic indicative of malicious activity
- T1027.005 – Created network traffic indicative of malicious activity
- T1036 – Creates files inside the user directory
- T1497 – Checks if the current process is being debugged
- T1497 – May sleep (evasive loops) to hinder dynamic analysis
- T1003 – Tries to harvest and steal browser information (history, passwords, etc)
- T1003 – Tries to harvest and steal ftp login credentials
- T1552.002 – Tries to harvest and steal Putty information (sessions, passwords, etc)
- T1518.001 – Checks if the current process is being debugged
- T1082 – Queries the cryptographic machine GUID
- T1082 – Checks if Microsoft Office is installed
- T1114 – Tries to search for mail accounts
- T1005 – Tries to harvest and steal browser information (history, passwords, etc)
- T1005 – Tries to harvest and steal ftp login credentials
- T1095 – Posts data to webserver
- T1071 – Posts data to webserver
- T1071 – C2 URLs / IPs found in malware configuration
- T1071 – Uses a known web browser user agent for HTTP communication
Following the Trail — Network & DNS Activity
Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.
Contacted Domains
| Domain | IP | Country | ASN/Org |
|---|---|---|---|
| www.aieov.com | 76.223.54.146 | United States | Amazon.com, Inc. |
| gamesarena.gdn | 52.16.171.153 | Ireland | Amazon Technologies Inc. |
Observed IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
DNS Queries
| Request | Type |
|---|---|
| 5isohu.com | A |
| www.aieov.com | A |
| gamesarena.gdn | A |
Contacted IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
Port Distribution
| Port | Count | Protocols |
|---|---|---|
| 137 | 1 | udp |
| 138 | 1 | udp |
| 5355 | 4 | udp |
| 53 | 86 | udp |
UDP Packets
| Source IP | Dest IP | Sport | Dport | Time | Proto |
|---|---|---|---|---|---|
| 192.168.56.14 | 192.168.56.255 | 137 | 137 | 7.027415037155151 | udp |
| 192.168.56.14 | 192.168.56.255 | 138 | 138 | 13.027359962463379 | udp |
| 192.168.56.14 | 224.0.0.252 | 51209 | 5355 | 6.9562249183654785 | udp |
| 192.168.56.14 | 224.0.0.252 | 53401 | 5355 | 8.244554996490479 | udp |
| 192.168.56.14 | 224.0.0.252 | 55094 | 5355 | 9.512349843978882 | udp |
| 192.168.56.14 | 224.0.0.252 | 55848 | 5355 | 6.957237958908081 | udp |
| 192.168.56.14 | 8.8.4.4 | 49916 | 53 | 69.52677488327026 | udp |
| 192.168.56.14 | 8.8.4.4 | 50180 | 53 | 88.60469603538513 | udp |
| 192.168.56.14 | 8.8.4.4 | 50582 | 53 | 348.1988878250122 | udp |
| 192.168.56.14 | 8.8.4.4 | 50710 | 53 | 55.15224099159241 | udp |
| 192.168.56.14 | 8.8.4.4 | 50870 | 53 | 180.02641105651855 | udp |
| 192.168.56.14 | 8.8.4.4 | 50914 | 53 | 141.4017460346222 | udp |
| 192.168.56.14 | 8.8.4.4 | 51262 | 53 | 178.54235291481018 | udp |
| 192.168.56.14 | 8.8.4.4 | 51614 | 53 | 239.7923698425293 | udp |
| 192.168.56.14 | 8.8.4.4 | 52116 | 53 | 305.2299950122833 | udp |
| 192.168.56.14 | 8.8.4.4 | 52556 | 53 | 225.6526439189911 | udp |
| 192.168.56.14 | 8.8.4.4 | 52815 | 53 | 10.830042839050293 | udp |
| 192.168.56.14 | 8.8.4.4 | 53449 | 53 | 211.24731993675232 | udp |
| 192.168.56.14 | 8.8.4.4 | 54017 | 53 | 319.589234828949 | udp |
| 192.168.56.14 | 8.8.4.4 | 54579 | 53 | 45.58904695510864 | udp |
| 192.168.56.14 | 8.8.4.4 | 54683 | 53 | 117.01146483421326 | udp |
| 192.168.56.14 | 8.8.4.4 | 55827 | 53 | 149.63700103759766 | udp |
| 192.168.56.14 | 8.8.4.4 | 55914 | 53 | 83.90237593650818 | udp |
| 192.168.56.14 | 8.8.4.4 | 56399 | 53 | 102.90209484100342 | udp |
| 192.168.56.14 | 8.8.4.4 | 56716 | 53 | 302.55820298194885 | udp |
| 192.168.56.14 | 8.8.4.4 | 56763 | 53 | 376.91790199279785 | udp |
| 192.168.56.14 | 8.8.4.4 | 56864 | 53 | 264.04233503341675 | udp |
| 192.168.56.14 | 8.8.4.4 | 57355 | 53 | 341.0579319000244 | udp |
| 192.168.56.14 | 8.8.4.4 | 57742 | 53 | 225.54230189323425 | udp |
| 192.168.56.14 | 8.8.4.4 | 59068 | 53 | 201.25569200515747 | udp |
| 192.168.56.14 | 8.8.4.4 | 59212 | 53 | 272.6208829879761 | udp |
| 192.168.56.14 | 8.8.4.4 | 60117 | 53 | 59.90208101272583 | udp |
| 192.168.56.14 | 8.8.4.4 | 60713 | 53 | 155.69874691963196 | udp |
| 192.168.56.14 | 8.8.4.4 | 61083 | 53 | 316.80794501304626 | udp |
| 192.168.56.14 | 8.8.4.4 | 61713 | 53 | 355.3082709312439 | udp |
| 192.168.56.14 | 8.8.4.4 | 62022 | 53 | 102.65224289894104 | udp |
| 192.168.56.14 | 8.8.4.4 | 62055 | 53 | 333.94846296310425 | udp |
| 192.168.56.14 | 8.8.4.4 | 62112 | 53 | 40.54211497306824 | udp |
| 192.168.56.14 | 8.8.4.4 | 62548 | 53 | 131.38637685775757 | udp |
| 192.168.56.14 | 8.8.4.4 | 62800 | 53 | 164.01092505455017 | udp |
| 192.168.56.14 | 8.8.4.4 | 62997 | 53 | 286.97990703582764 | udp |
| 192.168.56.14 | 8.8.4.4 | 63205 | 53 | 117.15162205696106 | udp |
| 192.168.56.14 | 8.8.4.4 | 63906 | 53 | 379.5581479072571 | udp |
| 192.168.56.14 | 8.8.4.4 | 64452 | 53 | 240.01121592521667 | udp |
| 192.168.56.14 | 8.8.4.4 | 64753 | 53 | 74.33942985534668 | udp |
| 192.168.56.14 | 8.8.4.4 | 64950 | 53 | 362.55790185928345 | udp |
| 192.168.56.14 | 8.8.4.4 | 65148 | 53 | 26.183387994766235 | udp |
| 192.168.56.14 | 8.8.4.4 | 65271 | 53 | 278.30844497680664 | udp |
| 192.168.56.14 | 8.8.4.4 | 65283 | 53 | 258.26161003112793 | udp |
| 192.168.56.14 | 8.8.8.8 | 49916 | 53 | 68.53389692306519 | udp |
| 192.168.56.14 | 8.8.8.8 | 50180 | 53 | 87.61574292182922 | udp |
| 192.168.56.14 | 8.8.8.8 | 50582 | 53 | 347.2000799179077 | udp |
| 192.168.56.14 | 8.8.8.8 | 50710 | 53 | 54.15848684310913 | udp |
| 192.168.56.14 | 8.8.8.8 | 50870 | 53 | 179.03231000900269 | udp |
| 192.168.56.14 | 8.8.8.8 | 50914 | 53 | 140.41366505622864 | udp |
| 192.168.56.14 | 8.8.8.8 | 51262 | 53 | 177.55398082733154 | udp |
| 192.168.56.14 | 8.8.8.8 | 51614 | 53 | 238.80391597747803 | udp |
| 192.168.56.14 | 8.8.8.8 | 52116 | 53 | 304.2304048538208 | udp |
| 192.168.56.14 | 8.8.8.8 | 52556 | 53 | 224.65236902236938 | udp |
| 192.168.56.14 | 8.8.8.8 | 52815 | 53 | 11.823844909667969 | udp |
| 192.168.56.14 | 8.8.8.8 | 53449 | 53 | 210.2478768825531 | udp |
| 192.168.56.14 | 8.8.8.8 | 54017 | 53 | 318.58932399749756 | udp |
| 192.168.56.14 | 8.8.8.8 | 54579 | 53 | 44.59001302719116 | udp |
| 192.168.56.14 | 8.8.8.8 | 54683 | 53 | 116.02428197860718 | udp |
| 192.168.56.14 | 8.8.8.8 | 55827 | 53 | 148.64026498794556 | udp |
| 192.168.56.14 | 8.8.8.8 | 55914 | 53 | 82.90333199501038 | udp |
| 192.168.56.14 | 8.8.8.8 | 56399 | 53 | 101.91161799430847 | udp |
| 192.168.56.14 | 8.8.8.8 | 56716 | 53 | 301.56955885887146 | udp |
| 192.168.56.14 | 8.8.8.8 | 56763 | 53 | 375.9178488254547 | udp |
| 192.168.56.14 | 8.8.8.8 | 56864 | 53 | 263.05403304100037 | udp |
| 192.168.56.14 | 8.8.8.8 | 57355 | 53 | 340.0694649219513 | udp |
| 192.168.56.14 | 8.8.8.8 | 57742 | 53 | 224.55433082580566 | udp |
| 192.168.56.14 | 8.8.8.8 | 59068 | 53 | 200.2557499408722 | udp |
| 192.168.56.14 | 8.8.8.8 | 59212 | 53 | 271.6209559440613 | udp |
| 192.168.56.14 | 8.8.8.8 | 60117 | 53 | 58.903549909591675 | udp |
| 192.168.56.14 | 8.8.8.8 | 60713 | 53 | 154.7075879573822 | udp |
| 192.168.56.14 | 8.8.8.8 | 61083 | 53 | 315.8193278312683 | udp |
| 192.168.56.14 | 8.8.8.8 | 61713 | 53 | 354.3195049762726 | udp |
| 192.168.56.14 | 8.8.8.8 | 62022 | 53 | 101.65379405021667 | udp |
| 192.168.56.14 | 8.8.8.8 | 62055 | 53 | 332.94899702072144 | udp |
| 192.168.56.14 | 8.8.8.8 | 62112 | 53 | 39.5438129901886 | udp |
| 192.168.56.14 | 8.8.8.8 | 62548 | 53 | 130.38981699943542 | udp |
| 192.168.56.14 | 8.8.8.8 | 62800 | 53 | 163.01382303237915 | udp |
| 192.168.56.14 | 8.8.8.8 | 62997 | 53 | 285.9829330444336 | udp |
| 192.168.56.14 | 8.8.8.8 | 63205 | 53 | 116.16322088241577 | udp |
| 192.168.56.14 | 8.8.8.8 | 63906 | 53 | 378.56908082962036 | udp |
| 192.168.56.14 | 8.8.8.8 | 64452 | 53 | 239.01122999191284 | udp |
| 192.168.56.14 | 8.8.8.8 | 64753 | 53 | 73.35019183158875 | udp |
| 192.168.56.14 | 8.8.8.8 | 64950 | 53 | 361.5581970214844 | udp |
| 192.168.56.14 | 8.8.8.8 | 65148 | 53 | 25.184924840927124 | udp |
| 192.168.56.14 | 8.8.8.8 | 65271 | 53 | 277.31580090522766 | udp |
| 192.168.56.14 | 8.8.8.8 | 65283 | 53 | 257.26418805122375 | udp |
Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.
Persistence & Policy — Registry and Services
Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.
Registry Opened
328
Registry Set
1
Services Started
2
Services Opened
2
Registry Opened (Top 25)
| Key |
|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaxSxSHashCount |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MapsBroker\Alias |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C03E1B1-EB13-4DF1-8943-2FE8E7D5F309}\(Default) |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\COMAccessPermissionsSD |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Alias |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DNSCache |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense |
| HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Diagnostics\PerfTrack\TraceProfile |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinRM\Alias |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5CMapsPackageSvcRpc%5CInterface |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CryptSvc\Alias |
| HKEY_LOCAL_MACHINE\SYSTEM\Maps\CurrentOperation |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DoSvc\Alias |
| HKEY_CURRENT_USER\Software\QtWeb.NET\QtWeb Internet Browser\AutoComplete |
| HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\nlasvc |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Alias |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\NoGuiAccess |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MapsBroker\Parameters\ServiceManifest |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C03E1B1-EB13-4DF1-8943-2FE8E7D5F309}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SYSTEM\Maps\QueuedPackageIds |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\CoInitializeSecurityAllowComCapability |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C03E1B1-EB13-4DF1-8943-2FE8E7D5F309} |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NlaSvc\Alias |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\CoInitializeSecurityAllowInteractiveUsers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5CMosHostSvcRpc%5CInterface |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanworkstation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\BinarySignaturePolicy |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinRM |
| HKEY_LOCAL_MACHINE\System\Maps |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5COdmlSvcRpc%5CInterface |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\COM_UnmarshalingPolicy |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SCMConfig\EnableSvchostMitigationPolicy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tapisrv |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\CoInitializeSecurityParam |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\ImpersonationLevel |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\CoInitializeSecurityAppID |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C03E1B1-EB13-4DF1-8943-2FE8E7D5F309}\InprocHandler |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\dosvc |
Show all (328 total)
| Key |
|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\AuthenticationLevel |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\DefaultRpcStackSize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\CoInitializeSecurityAllowLowBox |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\svchost.exe |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat |
| HKEY_LOCAL_MACHINE\System\Maps\Storage |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SCMConfig\SvchostHeapReportingThresholdInKB |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dhcp\Alias |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TapiSrv\Alias |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MapsBroker\Parameters\LegacyCOMBehavior |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MapsBroker\Parameters\ServiceDll |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\CoInitializeSecurityAllowCrossContainer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default) |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MapsBroker\Parameters |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5CMapsPackageSvcRpc%5CInterface\SecurityDescriptor |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5CMosHostSvcRpc%5CInterface\SecurityDescriptor |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Wecsvc\Alias |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WECSVC |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C03E1B1-EB13-4DF1-8943-2FE8E7D5F309}\ActivateOnHostFlags |
| HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\COM_RoSettings |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MapsBroker\Parameters\ServiceMain |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\DynamicCodePolicy |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy |
| HKEY_LOCAL_MACHINE\SYSTEM\Maps\UpgradeCheck |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CAlpcPort%5CDefaultRpcAccess |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SYSTEM\Maps\InstallUpdateStarted |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5COdmlSvcRpc%5CInterface\SecurityDescriptor |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CAlpcPort%5CDefaultRpcAccess\SecurityDescriptor |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\RpcExceptionFilterMode |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DHCP |
| HKEY_LOCAL_MACHINE\System\Maps\Storage\Volatile |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Alias |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\ExtensionPointsPolicy |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\AuthenticationCapabilities |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CryptSvc |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\NetworkService\SystemCritical |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C03E1B1-EB13-4DF1-8943-2FE8E7D5F309}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup |
| HKEY_LOCAL_MACHINE\Software\Microsoft\SecurityManager\TransientObjects\%5C%5C.%5CRpc%5CMapsStorageSvcRpc%5CInterface |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MapsBroker |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\FinalizerActivityBypass |
| HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions |
| HKEY_CURRENT_USER\Software\Martin Prikryl |
| HKEY_CURRENT_USER\Software\AppDataLow |
| HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\CurrentVersion |
| HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\imap.auth.pass |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\FossaMail\CurrentVersion |
| HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts |
| HKEY_CURRENT_USER\Software\IncrediMail\Identities |
| HKEY_LOCAL_MACHINE\Software\SimonTatham\PuTTY\Sessions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Postbox\Postbox\CurrentVersion |
| HKEY_CURRENT_USER\Software\Ghisler\Total Commander\FtpIniName |
| HKEY_CURRENT_USER\Software |
| HKEY_CURRENT_USER\Software\VanDyke\SecureFX\Config Path |
| HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts |
| HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita\msa.smtp.auth.pass |
| HKEY_CURRENT_USER\Software\WinChips\UserAccounts |
| HKEY_CURRENT_USER\Software\Wow6432Node |
| HKEY_CURRENT_USER\Software\Google |
| HKEY_LOCAL_MACHINE\Software\Martin Prikryl |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\SeaMonkey\CurrentVersion |
| HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook |
| HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Pale Moon\CurrentVersion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Apple Computer, Inc.\Safari\InstallDir |
| HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Waterfox\CurrentVersion |
| HKEY_LOCAL_MACHINE\Software\NCH Software\Fling\Accounts |
| HKEY_CURRENT_USER\Software\RegisteredApplications |
| HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox\Path |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion |
| HKEY_CURRENT_USER\Software\Classes |
| HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 |
| HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts |
| HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Flock\CurrentVersion |
| HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook |
| HKEY_CURRENT_USER\Software\NCH Software\Fling\Accounts |
| HKEY_LOCAL_MACHINE\SOFTWARE\8pecxstudios\Cyberfox86\RootDir |
| HKEY_CURRENT_USER\Software\Adobe |
| HKEY_CURRENT_USER\Software\LinasFTP\Site Manager |
| HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\SeaMonkey\CurrentVersion |
| HKEY_CURRENT_USER\Software\Bitvise\BvSshClient\LastUsedProfile |
| HKEY_LOCAL_MACHINE\Software\9bis.com\KiTTY\Sessions |
| HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\IceDragon\Setup\SetupPath |
| HKEY_LOCAL_MACHINE\gamesarena.gdn/settings/settingsdu/fre.php\98F7EC |
| HKEY_CURRENT_USER\Software\Microsoft |
| HKEY_CURRENT_USER\Software\Policies |
| HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings\LastPassword |
| HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities |
| HKEY_CURRENT_USER\Software\Mozilla |
| HKEY_CURRENT_USER\Software\Netscape |
| HKEY_LOCAL_MACHINE\SOFTWARE\K-Meleon\CurrentVersion |
| HKEY_CURRENT_USER\Software\Python |
| HKEY_CURRENT_USER\Software\Sysinternals |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2A6D7C6-ECBD-439E-9244-9E784608439F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Firewall and network protection |
| HKEY_CURRENT_USER\Software\7-Zip |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\TreatAs |
| HKEY_CURRENT_USER\SOFTWARE\flaska.net\trojita |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center |
| HKEY_CURRENT_USER\Software\VanDyke\SecureFX |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{15C23079-E719-4E7C-BD9C-F20983A9480F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\DownloadManager |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Family options |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F99A566C-42AE-4DE2-AD4D-D297A04C5433} |
| HKEY_CURRENT_USER\Software\ChangeTracker |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D71BECE8-17B8-4636-832C-D010D4F847F7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDD8A353-2577-40A0-BB02-22A99A86B34F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityHealthService.exe |
| HKEY_LOCAL_MACHINE\????????????????????????????????????? |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5FEEED48-1AE6-4C15-9D6E-27DD3DF6CAC8} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocHandler |
| HKEY_CURRENT_USER\Software\Ghisler\Total Commander |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\App and Browser protection |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CleanPC |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9} |
| HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\InprocHandler32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Enterprise Customization |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security |
| HKEY_CURRENT_USER\Software\Chromium |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocServer32 |
| HKEY_CURRENT_USER\Software\AutoIt v3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7AD0F0FC-7043-4A81-BBFA-9F68ADC97122} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocServer32 |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State\Dynamic |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3C03EBDD-BE8F-4E39-8B9C-EA0B1EA8395C} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocServer32 |
| HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD032184-B0DE-4962-BBAC-146621F0770E} |
| HKEY_CURRENT_USER\Software\appdatalow |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Device performance and health |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD} |
| HKEY_CURRENT_USER\Software\ODBC |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SecurityHealthService.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\TreatAs |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\program.exe |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{37529A8C-668C-4D7B-8EC0-FFB545A337FC} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Device security |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D} |
| HKEY_CURRENT_USER\Software\GNU |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\Platform |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{136FECC8-05C4-4DEA-AC27-4C0666C20320} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8956DE3F-472B-4FBC-AF5F-748F61CBC386} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler |
| HKEY_CURRENT_USER\Software\The Document Foundation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Systray |
| HKEY_CURRENT_USER\Software\Bitvise\BvSshClient |
| HKEY_CURRENT_USER\Software\JavaSoft |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1070296143-2877979003-364783958-1001\Preference |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler |
Registry Set (Top 25)
| Key | Value |
|---|---|
| HKEY_LOCAL_MACHINE\gamesarena.gdn/settings/settingsdu/fre.php\98F7EC | — |
Services Started (Top 15)
| Service |
|---|
| WSearch |
| VaultSvc |
Services Opened (Top 15)
| Service |
|---|
| VaultSvc |
| clipsvc |
What To Do Now — Practical Defense Playbook
- Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
- EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
- Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
- Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
- Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.
Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.