152f467b59cfc8463e017cadde485d5371b8c5ac - threatlabsnews.xcitium.com

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

152f467b59cfc8463e017cadde485d5371b8c5ac

Type

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

SHA‑1

152f467b59cfc8463e017cadde485d5371b8c5ac

MD5

3cbc3f0be7ecb32d18320c83821fa10d

First Seen

2025-09-05 07:13:10.300812

Last Analysis

2025-09-05 10:02:31.933258

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2025-09-04 07:23:45 UTC	First VirusTotal submission	—
2025-09-09 07:34:47 UTC	Latest analysis snapshot	5 days, 0 hours, 11 minutes
2025-09-26 07:47:12 UTC	Report generation time	22 days, 0 hours, 23 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 58. Missed: 15. Coverage: 79.5%.

Detected Vendors

Xcitium
+57 additional vendors (names not provided)

List includes Xcitium plus an additional 57 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
Baidu
ClamAV
CMC
Cynet
Jiangmin
SentinelOne
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
ViRobot
Zillya
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (48.12% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
File System	61427	48.12%
Synchronization	60054	47.05%
System	3040	2.38%
Registry	2128	1.67%
Process	441	0.35%
Com	292	0.23%
Misc	171	0.13%
Threading	61	0.05%
Device	19	0.01%
Windows	6	0.00%
Hooking	5	0.00%
Crypto	5	0.00%
Services	2	0.00%

MITRE ATT&CK Mapping

T1620 – invoke .NET assembly method
T1003 – Harvests information related to installed mail clients
T1552 – Harvests information related to installed mail clients
T1552.001 – Harvests information related to installed mail clients
T1055 – Writes to the memory another process
T1055 – Writes an executable to the memory of another process
T1027 – The binary likely contains encrypted or compressed data
T1027.002 – The binary likely contains encrypted or compressed data
T1114 – Harvests information related to installed mail clients
T1005 – Harvests information related to installed mail clients
T1082 – Checks available memory
T1071 – Terminates another process
T1071 – Yara detections observed in process dumps, payloads or dropped files
T1071 – Reads from the memory of another process
T1071 – The PE file contains a PDB path
T1106 – Guard pages use detected – possible anti-debugging.
T1005 – Searches for sensitive browser data
T1005 – Reads sensitive browser data
T1005 – Searches for sensitive mail data
T1005 – Reads sensitive mail data
T1005 – Searches for sensitive application data
T1005 – Searches for sensitive FTP data
T1005 – Tries to read cached credentials of various applications
T1012 – Query OS Information
T1012 – Searches for sensitive mail data
T1012 – Reads sensitive mail data
T1012 – Possibly does reconnaissance
T1012 – Searches for sensitive application data
T1012 – Searches for sensitive FTP data
T1027.002 – Creates a page with write and execute permissions
T1027.002 – Resolves API functions dynamically
T1047 – Queries OS version via WMI
T1047 – Collects hardware properties
T1055 – Modifies control flow of a process started from a created or modified executable
T1055.012 – Process Hollowing
T1057 – Enumerates running processes
T1071.004 – Performs DNS request
T1082 – Query OS Information
T1082 – Enumerates running processes
T1082 – Queries OS version via WMI
T1082 – Collects hardware properties
T1083 – Searches for sensitive browser data
T1083 – Possibly does reconnaissance
T1083 – Reads sensitive browser data
T1095 – Connects to remote host
T1119 – Searches for sensitive browser data
T1119 – Reads sensitive browser data
T1119 – Searches for sensitive mail data
T1119 – Reads sensitive mail data
T1119 – Searches for sensitive application data
T1119 – Searches for sensitive FTP data
T1119 – Tries to read cached credentials of various applications
T1134 – Enables process privileges
T1552.001 – Searches for sensitive browser data
T1552.001 – Reads sensitive browser data
T1552.002 – Searches for sensitive mail data
T1552.002 – Reads sensitive mail data
T1552.002 – Searches for sensitive application data
T1552.002 – Searches for sensitive FTP data
T1555.003 – Reads sensitive browser data
T1564.003 – Creates process with hidden window
T1129 – The process attempted to dynamically load a malicious function
T1057 – The process has tried to detect the debugger probing the use of page guards.
T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
T1129 – The process tried to load dynamically one or more functions.
T1057 – The process attempted to detect a running debugger using common APIs
T1082 – Queries for the computername
T1119 – Detected an attempt to access Browser data that may contain sensible informations (e.g. user credentials)
T1081 – Detected an attempt to access Browser data that may contain sensible informations (e.g. user credentials)
T1119 – The process tries to collect some email client informations
T1081 – The process tries to collect some email client informations
T1119 – The process attempted to collect credentials from installed FTP clients
T1081 – The process attempted to collect credentials from installed FTP clients
T1071 – The process originated SMTP requests

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.msftncsi.com	23.200.3.18	United States	Akamai Technologies, Inc.
www.aieov.com	76.223.54.146	United States	Amazon.com, Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
www.msftncsi.com	A
5isohu.com	A
www.aieov.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	5	udp
53	10	udp
3702	1	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.11	192.168.56.255	137	137	3.246490001678467	udp
192.168.56.11	224.0.0.252	49563	5355	3.175175905227661	udp
192.168.56.11	224.0.0.252	54650	5355	3.177363872528076	udp
192.168.56.11	224.0.0.252	55601	5355	4.074413061141968	udp
192.168.56.11	224.0.0.252	60205	5355	3.202315092086792	udp
192.168.56.11	224.0.0.252	62798	5355	5.737109899520874	udp
192.168.56.11	239.255.255.250	62184	3702	3.200058937072754	udp
192.168.56.11	8.8.4.4	51690	53	6.65123987197876	udp
192.168.56.11	8.8.4.4	51899	53	5.760309934616089	udp
192.168.56.11	8.8.4.4	56213	53	36.41584086418152	udp
192.168.56.11	8.8.4.4	59770	53	51.33841800689697	udp
192.168.56.11	8.8.4.4	63439	53	22.009499073028564	udp
192.168.56.11	8.8.8.8	51690	53	7.650074005126953	udp
192.168.56.11	8.8.8.8	51899	53	6.760021924972534	udp
192.168.56.11	8.8.8.8	56213	53	35.41605305671692	udp
192.168.56.11	8.8.8.8	59770	53	50.33790993690491	udp
192.168.56.11	8.8.8.8	63439	53	21.010452032089233	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

239

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI
Policy\Standards
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectWrite
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_CURRENT_USER\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Avalon.Graphics
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_CURRENT_USER\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:\|Users\|<USER>\|Desktop\|software.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_CURRENT_USER\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_CURRENT_USER\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_CURRENT_USER\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_CURRENT_USER\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_CURRENT_USER\EUDC\1252
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_CURRENT_USER\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_CURRENT_USER\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_CURRENT_USER\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}

Show all (239 total)

Key
HKEY_CURRENT_USER\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_CURRENT_USER\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_CURRENT_USER\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache\Parameters\ClientCacheSize
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\FeatureBits
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_CURRENT_USER\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software.exe
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\C:\|Users\|<USER>\|Desktop\|software.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MRT
HKEY_CURRENT_USER\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_CURRENT_USER\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\WBEM\CIMOM
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\SystemMetaData
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\StoreInit
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store
HKEY_LOCAL_MACHINE\Software\Microsoft\IdentityStore\Cache\S-1-5-21-4226853953-3309226944-3078887307-1000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\RealVNC\WinVNC4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\vncserver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_CURRENT_USER\Software\TightVNC\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST
HKEY_CURRENT_USER\SOFTWARE\RealVNC\WinVNC4
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_LOCAL_MACHINE\Software\TightVNC\Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Profiles
HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_CURRENT_USER\Software\TigerVNC\Server
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_CURRENT_USER\Software\Microsoft\ActiveSync\Partners
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_LOCAL_MACHINE\Software\TigerVNC\Server
HKEY_CURRENT_USER\Software\ORL\WinVNC3
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password
HKEY_CURRENT_USER\SOFTWARE\RealVNC\vncserver
HKEY_CURRENT_USER\SOFTWARE\FTPWare\COREFTP\Sites
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\RealVNC\WinVNC4
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI
HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Profiles
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:\|Users\|azure\|Downloads\|a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Users\|azure\|Downloads\|a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\C:\|Users\|azure\|Downloads\|a89d88037e6e7321b7da02290aab0139ddf7be1b697388dcc28fba708304682f.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a

Registry Set (Top 25)

Key	Value
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\SystemCertificates\Root\Certificates\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD\Blob	5C 00 00 00 01 00 00 00 04 00 00 00 00 10 00 00 04 00 00 00 01 00 00 00 10 00 00 00 0D BE 92 DE FF 7D 36 BB 48 C4 A6 B1 15 24 95 38 0F 00 00 00 01 00 00 00 20 00 00 00 53 FE B9 19 2E D4 80 F2 09 12 4A 2C 57 D7 E8 97 7A 2E 9F 39 46 1D BF 21 4D F1 12 CB 16 02 4F A2 14 00 00 00 01 00 00 00 14 00 00 00 78 B8 30 FD 63 AC 7B 89 4A 07 3B ED F6 8A 83 9C C3 52 02 65 19 00 00 00 01 00 00 00 10 00 00 00 B5 74 AF 30 C5 C1 BA 3A 69 A7 10 02 00 82 4D D0 03 00 00 00 01 00 00 00 14 00 00 00 01 74 E6 8C 97 DD F1 E0 EE EA 41 5E A3 36 A1 63 D2 B6 1A FD 20 00 00 00 01 00 00 00 F8 05 00 00 30 82 05 F4 30 82 03 DC A0 03 02 01 02 02 09 00 E0 EA 61 4C 28 56 32 64 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 81 8E 31 0B 30 09 06 03 55 04 06 13 02 49 4C 31 0F 30 0D 06 03 55 04 08 0C 06 43 65 6E 74 65 72 31 0C 30 0A 06 03 55 04 07 0C 03 4C 6F 64 31 10 30 0E 06 03 55 04 0A 0C 07 47 6F 50 72 6F 78 79 31 10 30 0E 06 03 55 04 0B 0C 07 47 6F 50 72 6F 78 79 31 1A 30 18 06 03 55 04 03 0C 11 67 6F 70 72 6F 78 79 2E 67 69 74 68 75 62 2E 69 6
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileService\References\S-1-5-21-4226853953-3309226944-3078887307-1000\RefCount	\x05\x00\x00\x00
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Notifications\Data\418A073AA3BC4C75	\x05\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x01\x01\x01\x00\x59\x0f\x1c\x01\x04\x00\x83\x00\x02\x00\x07\x80\x0b\x01\x24\x00\x66\x00\x66\x00\x73\x96\x00\x00\x00\x00\x38\x01\x24\x00\x66\x00\xf9\xf9\x09\x00\x76\x00\x00\x00\x59\x00\x00\x00\x73\x68\x65\x6c\x6c\x5c\x72\x6f\x61\x6d\x69\x6e\x67\x5c\x73\x65\x74\x74\x69\x6e\x67\x73\x79\x6e\x63…

Services Started (Top 15)

Service
BITS
WSearch
VaultSvc

Services Opened (Top 15)

Service
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report