397abecee7cb31a993e4322c9243f7542038a508


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-23 06:28:15 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
397abecee7cb31a993e4322c9243f7542038a508
Type
Generic CIL Executable (.NET, Mono, etc.)
SHA‑1
397abecee7cb31a993e4322c9243f7542038a508
MD5
f280344de7cb67042d58c0f6ab34cb76
First Seen
2025-09-05 07:14:20.734990
Last Analysis
2025-09-05 10:02:31.419406
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-04 14:50:43 UTC First VirusTotal submission
2025-09-09 07:36:22 UTC Latest analysis snapshot 4 days, 16 hours, 45 minutes
2025-09-23 06:28:15 UTC Report generation time 18 days, 15 hours, 37 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 59. Missed: 14. Coverage: 80.8%.

Detected Vendors

  • Xcitium
  • +58 additional vendors (names not provided)

List includes Xcitium plus an additional 58 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • Cynet
  • Jiangmin
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • ViRobot
  • Webroot
  • Yandex
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (59.41% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
Registry 3677 59.41%
System 1610 26.01%
File System 474 7.66%
Process 201 3.25%
Misc 82 1.32%
Network 60 0.97%
Device 26 0.42%
Threading 17 0.27%
Crypto 17 0.27%
Synchronization 15 0.24%
Com 5 0.08%
Windows 4 0.06%
Hooking 1 0.02%

MITRE ATT&CK Mapping

  • T1047 – access WMI data in .NET
  • T1083 – get common file path
  • T1082 – get OS version in .NET
  • T1620 – invoke .NET assembly method
  • T1140 – decode data using Base64 in .NET
  • T1056.001 – log keystrokes
  • T1033 – get session user name
  • T1087 – get session user name
  • T1012 – query or enumerate registry key
  • T1056.001 – log keystrokes via polling
  • T1547.009 – persist via lnk shortcut
  • T1012 – query or enumerate registry value
  • T1620 – load .NET assembly
  • T1083 – check if file exists
  • T1112 – delete registry value
  • T1082 – get number of processors
  • T1082 – query environment variable
  • T1057 – find process by PID
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1547.001 – persist via Run registry key
  • T1113 – capture screenshot
  • T1070.004 – self delete
  • T1082 – get hostname
  • T1560.002 – compress data using GZip in .NET
  • T1082 – get disk size
  • T1614.001 – get keyboard layout
  • T1033 – get session integrity level
  • T1033 – Collects and encrypts information about the computer likely to send to C2 server
  • T1082 – Checks available memory
  • T1497 – Checks for mouse movement
  • T1112 – Installs itself for autorun at Windows startup
  • T1547 – Installs itself for autorun at Windows startup
  • T1547.001 – Installs itself for autorun at Windows startup
  • T1071 – Reads data out of its own binary image
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – At least one IP Address, Domain, or File Name was found in a crypto call
  • T1071 – Binary file triggered YARA rule
  • T1568 – Connects to a Dynamic DNS Domain
  • T1106 – Guard pages use detected – possible anti-debugging.
  • T1560 – Collects and encrypts information about the computer likely to send to C2 server
  • T1056.001 – Monitors keyboard input
  • T1056.004 – Monitors keyboard input
  • T1057 – Enumerates running processes
  • T1071.004 – Performs DNS request
  • T1082 – Enumerates running processes
  • T1095 – Connects to remote host
  • T1112 – Installs system startup script or application
  • T1134 – Enables process privileges
  • T1547.001 – Installs system startup script or application
  • T1568 – Performs DNS request for known DDNS domain
  • T1571 – Tries to connect using an uncommon port

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
jerrytech2020.duckdns.org 196.251.85.186 Nigeria internet-security-cheapyhost
www.msftncsi.com 23.200.3.18 United States Akamai Technologies, Inc.
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
jerrytech2020.duckdns.org A
www.aieov.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

Port Distribution

Port Count Protocols
137 1 udp
5355 5 udp
53 51 udp
3702 1 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.13 192.168.56.255 137 137 3.2451329231262207 udp
192.168.56.13 224.0.0.252 49311 5355 5.731137990951538 udp
192.168.56.13 224.0.0.252 55150 5355 3.174576997756958 udp
192.168.56.13 224.0.0.252 60010 5355 5.185574054718018 udp
192.168.56.13 224.0.0.252 62406 5355 3.1767079830169678 udp
192.168.56.13 224.0.0.252 63527 5355 3.995159864425659 udp
192.168.56.13 239.255.255.250 52252 3702 3.183116912841797 udp
192.168.56.13 8.8.4.4 50554 53 79.57222390174866 udp
192.168.56.13 8.8.4.4 53518 53 126.54143404960632 udp
192.168.56.13 8.8.4.4 53985 53 195.33840894699097 udp
192.168.56.13 8.8.4.4 54879 53 7.744699001312256 udp
192.168.56.13 8.8.4.4 54881 53 6.572622060775757 udp
192.168.56.13 8.8.4.4 55551 53 97.82246994972229 udp
192.168.56.13 8.8.4.4 55743 53 191.75970101356506 udp
192.168.56.13 8.8.4.4 56086 53 173.50992894172668 udp
192.168.56.13 8.8.4.4 56197 53 83.16619896888733 udp
192.168.56.13 8.8.4.4 57065 53 143.77591490745544 udp
192.168.56.13 8.8.4.4 57310 53 36.275315046310425 udp
192.168.56.13 8.8.4.4 57415 53 50.85398483276367 udp
192.168.56.13 8.8.4.4 58697 53 14.268141984939575 udp
192.168.56.13 8.8.4.4 58920 53 51.822712898254395 udp
192.168.56.13 8.8.4.4 59610 53 159.15056490898132 udp
192.168.56.13 8.8.4.4 60543 53 121.91659188270569 udp
192.168.56.13 8.8.4.4 60780 53 160.15062594413757 udp
192.168.56.13 8.8.4.4 60910 53 65.2129738330841 udp
192.168.56.13 8.8.4.4 61004 53 105.07283186912537 udp
192.168.56.13 8.8.4.4 61800 53 178.07288789749146 udp
192.168.56.13 8.8.4.4 62493 53 31.384848833084106 udp
192.168.56.13 8.8.4.4 62849 53 21.916255950927734 udp
192.168.56.13 8.8.4.4 64533 53 112.1820719242096 udp
192.168.56.13 8.8.4.4 64801 53 67.54111003875732 udp
192.168.56.13 8.8.4.4 64886 53 144.7914469242096 udp
192.168.56.13 8.8.8.8 50554 53 78.57338094711304 udp
192.168.56.13 8.8.8.8 53518 53 125.54193305969238 udp
192.168.56.13 8.8.8.8 53985 53 194.33895087242126 udp
192.168.56.13 8.8.8.8 54879 53 8.74406099319458 udp
192.168.56.13 8.8.8.8 54881 53 7.556566953659058 udp
192.168.56.13 8.8.8.8 55551 53 96.82263493537903 udp
192.168.56.13 8.8.8.8 55743 53 190.76159501075745 udp
192.168.56.13 8.8.8.8 56086 53 172.51093983650208 udp
192.168.56.13 8.8.8.8 56197 53 82.16749691963196 udp
192.168.56.13 8.8.8.8 56908 53 205.11944389343262 udp
192.168.56.13 8.8.8.8 57065 53 142.77622294425964 udp
192.168.56.13 8.8.8.8 57310 53 35.27627491950989 udp
192.168.56.13 8.8.8.8 57415 53 49.854182958602905 udp
192.168.56.13 8.8.8.8 58697 53 15.260128021240234 udp
192.168.56.13 8.8.8.8 58920 53 50.83521103858948 udp
192.168.56.13 8.8.8.8 59610 53 158.1505889892578 udp
192.168.56.13 8.8.8.8 60543 53 120.91703391075134 udp
192.168.56.13 8.8.8.8 60780 53 159.15137195587158 udp
192.168.56.13 8.8.8.8 60910 53 64.21404099464417 udp
192.168.56.13 8.8.8.8 61004 53 104.07371687889099 udp
192.168.56.13 8.8.8.8 61800 53 177.0736050605774 udp
192.168.56.13 8.8.8.8 62493 53 30.386788845062256 udp
192.168.56.13 8.8.8.8 62849 53 20.917248010635376 udp
192.168.56.13 8.8.8.8 64533 53 111.1826548576355 udp
192.168.56.13 8.8.8.8 64801 53 66.54249501228333 udp
192.168.56.13 8.8.8.8 64886 53 143.79201984405518 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

173

Registry Set

9

Services Started

2

Services Opened

3

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ActivateOnHostFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\409
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\TypeLibIndex
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\software.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win64\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AlwaysReadHKCRForCLSIDs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\(Default)
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
Show all (173 total)
Key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\MonitorRegistry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\TreatAs
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\software.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer\UseFindFirstFileEnumeration
HKEY_LOCAL_MACHINE\Software\Classes\PackagedCom
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\Com+Enabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PackagedCom\ProgIdIndex
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseRyuJIT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\ValidateRegItems
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win64
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\9
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\175699735028d995e9c0a2f5302a1cc7bf9813280e61e
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32\Class
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_CLASSES_ROOT\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseRyuJIT
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures

Registry Set (Top 25)

Key Value
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OAQ6D7C2OYFMS6BY %APPDATA%\%SAMPLENAME%
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\software C:\Users\Bruno\AppData\Roaming\software.exe
HKEY_CURRENT_USER\SOFTWARE\112106DC2E632806E522\91E582DD0FE0224A74B326FAA35161958AAE425DF4B6151646B9C330E7BD5487 \x00H\x00\x00\x1f\x8b\x08\x00\x00\x00\x00\x00\x04\x00\xed|\x7f|\x1b\xd5\xb1\xef\xec\xae\xb4\xbb\x92%9\xb2c\xd9I\xec\xa0\xfc (\xb1#\xe2\xfc\x80\x18\x12\x12\xc7\xce\x0f711qH\x02\x04\x12Y\xda8Jd\xadY\xc9 \x86&(\x05J)\x04H)-)\xa5\x17\xda\xd2\xdb\xf4\xd7+\xb7\xa5\x05\xfa\xb8\xd0G)\xd0\x16.\xf4B\xfbh\xd3\x94<n{\xcbm\xfb\xfa\xbb\xd0w{\xe1~gv%\xd9q(\xed\xfb\xbc\xcf\xfb\xe3}\x9e\x13\xcd\x99\x993g\xce\x9c\x999s\xce\xae\x95\xf4^z;iD\xe4\xc3\xe7\xad\xb7\x88\x1e”\xf7g%\xbd\xf3O \x9f\xc8\x19\x8fD\xe8\xcb\x81gg<\xa4lxv\xc6\xe6\xdd\xd9B|\xd8\xb1\x07\x9d\xd4P<\x9d\xca\xe7\xedb|\xc0\x8a;#\xf9x6\x1f\xef\xde\xd8\x1f\x1f\xb23V2\x1c\x0e\xce\xf6t\xf4\xad&\xda\xa0h\xf4\xfd\xc0\xf1tY\xef+43^\xa3\xf4\xb9F\xe8.\xef\xb7;\x00\xe2\xf8\xec\x14r\x92\xe0\xaak7Q\xb5\xa5{]>\xffh\xb4\xf2\x06\x16\xe5\xbf\xd5\xb6\xd2\xb8\xe2\xd0\xbb\x91\\xbdwi\xa7_d\xe8\xaf\xf0\xc5\x84\x1f\xd8g\x8e!M\xd0\xeb\xc6\xd0\xc9\xa2uU\x11\xed\x1b+\YY\xab:A\xc5\xce\xa4Sp\xd81b\x1bl\x94\x85\xae\x1a/\x87\xa1+\x93\x8e\x95\xb3\xd3\x9e\xad%O\xd7\x9a r\xa7\x8c$zq\x87\xdb\xae\x93
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\InstalledWin32AppsRevision {CDDF7E48-BEE8-49F9-8A8A-791AB6AC4F4F}
HKEY_USERS\%SID%\Software\Microsoft\Windows\CurrentVersion\Run\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42 %USERPROFILE%\AppData\Roaming\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\175699735028d995e9c0a2f5302a1cc7bf9813280e61e
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42 C:\Users\<USER>\AppData\Roaming\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42.exe
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Run\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42 C:\Users\<USER>\AppData\Roaming\58b09f78ed25e76e2c9e5abf0e10af50a63e2c5e480ae3ed160569b7baa28b42.exe
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile Binary Data

Services Started (Top 15)

Service
BITS
WSearch

Services Opened (Top 15)

Service
wscsvc
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top