03793bbb2dff60bad27938ed4efa73b8c853aba8


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-26 07:51:46 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
03793bbb2dff60bad27938ed4efa73b8c853aba8
Type
Generic CIL Executable (.NET, Mono, etc.)
SHA‑1
03793bbb2dff60bad27938ed4efa73b8c853aba8
MD5
ca0246cadc64dde0500a25627f3d7d84
First Seen
2025-09-05 07:14:33.509229
Last Analysis
2025-09-05 10:02:30.697907
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-09-04 14:21:01 UTC First VirusTotal submission
2025-09-09 07:34:06 UTC Latest analysis snapshot 4 days, 17 hours, 13 minutes
2025-09-26 07:51:46 UTC Report generation time 21 days, 17 hours, 30 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.

Detected Vendors

  • Xcitium
  • +55 additional vendors (names not provided)

List includes Xcitium plus an additional 55 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • ClamAV
  • CMC
  • Cynet
  • huorong
  • Jiangmin
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • VBA32
  • Webroot
  • Yandex
  • Zillya
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (49.25% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 174361 49.25%
Synchronization 173812 49.10%
System 2455 0.69%
Registry 2438 0.69%
Process 395 0.11%
Com 324 0.09%
Misc 86 0.02%
Threading 55 0.02%
Network 45 0.01%
Device 22 0.01%
Crypto 11 0.00%
Hooking 2 0.00%
Services 2 0.00%
Windows 1 0.00%

MITRE ATT&CK Mapping

  • T1140 – decode data using Base64 in .NET
  • T1620 – load .NET assembly
  • T1620 – invoke .NET assembly method
  • T1560.002 – compress data using GZip in .NET
  • T1033 – Collects and encrypts information about the computer likely to send to C2 server
  • T1082 – Checks available memory
  • T1070.006 – Binary compilation timestomping detected
  • T1070 – Binary compilation timestomping detected
  • T1027 – The binary likely contains encrypted or compressed data
  • T1027.002 – The binary likely contains encrypted or compressed data
  • T1071 – Attempts to connect to a dead IP:Port
  • T1106 – Guard pages use detected – possible anti-debugging.
  • T1005 – Attempts to access Bitcoin/ALTCoin wallets
  • T1560 – Collects and encrypts information about the computer likely to send to C2 server
  • T1005 – Searches for sensitive browser data
  • T1012 – Query OS Information
  • T1012 – Possibly does reconnaissance
  • T1027.002 – Resolves API functions dynamically
  • T1047 – Tries to detect the presence of antivirus software
  • T1047 – Collects hardware properties
  • T1047 – Queries OS version via WMI
  • T1056 – Combination of other detections shows multiple input capture behaviors
  • T1082 – Query OS Information
  • T1082 – Collects hardware properties
  • T1082 – Queries OS version via WMI
  • T1083 – Searches for sensitive browser data
  • T1095 – Connects to remote host
  • T1113 – Takes screenshot
  • T1119 – Searches for sensitive browser data
  • T1119 – Combination of other detections shows multiple input capture behaviors
  • T1134 – Enables process privileges
  • T1518.001 – Tries to detect the presence of antivirus software
  • T1552.001 – Searches for sensitive browser data
  • T1571 – Tries to connect using an uncommon port
  • T1129 – The process attempted to dynamically load a malicious function
  • T1057 – The process has tried to detect the debugger probing the use of page guards.
  • T1129 – The process tried to load dynamically one or more functions.
  • T1057 – The process attempted to detect a running debugger using common APIs
  • T1083 – The process attempted to access known Bitcoin/ALTCoin wallets

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC
151.242.170.5 Iran, Islamic Republic of Not known

DNS Queries

Request Type
5isohu.com A
www.aieov.com A

Contacted IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC
151.242.170.5 Iran, Islamic Republic of Not known

Port Distribution

Port Count Protocols
137 1 udp
5355 4 udp
53 28 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.14 192.168.56.255 137 137 3.08742618560791 udp
192.168.56.14 224.0.0.252 51209 5355 3.0146000385284424 udp
192.168.56.14 224.0.0.252 53401 5355 4.09688401222229 udp
192.168.56.14 224.0.0.252 55094 5355 5.57989501953125 udp
192.168.56.14 224.0.0.252 55848 5355 3.026738166809082 udp
192.168.56.14 8.8.4.4 49916 53 98.5469491481781 udp
192.168.56.14 8.8.4.4 50180 53 145.51585006713867 udp
192.168.56.14 8.8.4.4 50710 53 65.93769717216492 udp
192.168.56.14 8.8.4.4 52815 53 6.669108152389526 udp
192.168.56.14 8.8.4.4 54579 53 51.57800221443176 udp
192.168.56.14 8.8.4.4 54683 53 192.48391103744507 udp
192.168.56.14 8.8.4.4 55914 53 127.26594305038452 udp
192.168.56.14 8.8.4.4 56399 53 174.23434114456177 udp
192.168.56.14 8.8.4.4 60117 53 80.29721713066101 udp
192.168.56.14 8.8.4.4 62022 53 159.87454915046692 udp
192.168.56.14 8.8.4.4 62112 53 36.40604209899902 udp
192.168.56.14 8.8.4.4 63205 53 206.84387302398682 udp
192.168.56.14 8.8.4.4 64753 53 112.90649509429932 udp
192.168.56.14 8.8.4.4 65148 53 22.01557207107544 udp
192.168.56.14 8.8.8.8 49916 53 97.54987907409668 udp
192.168.56.14 8.8.8.8 50180 53 144.51923298835754 udp
192.168.56.14 8.8.8.8 50710 53 64.93851208686829 udp
192.168.56.14 8.8.8.8 52815 53 7.655761003494263 udp
192.168.56.14 8.8.8.8 54579 53 50.59049701690674 udp
192.168.56.14 8.8.8.8 54683 53 191.48588299751282 udp
192.168.56.14 8.8.8.8 55914 53 126.26638603210449 udp
192.168.56.14 8.8.8.8 56399 53 173.23480415344238 udp
192.168.56.14 8.8.8.8 60117 53 79.29707217216492 udp
192.168.56.14 8.8.8.8 62022 53 158.87553119659424 udp
192.168.56.14 8.8.8.8 62112 53 35.41895508766174 udp
192.168.56.14 8.8.8.8 63205 53 205.8438401222229 udp
192.168.56.14 8.8.8.8 64753 53 111.90630102157593 udp
192.168.56.14 8.8.8.8 65148 53 21.01635503768921 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

222

Registry Set

7

Services Started

2

Services Opened

2

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseActivationAuthenticationLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\3v8hcwW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3v8hcwW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\PassiveMode
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableLocalAdminMerge
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\InstallLocation
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|<USER>|Desktop|3v8hcwW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\LocalSettingOverrideDisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\BetaPlatform
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\AlwaysReadHKCRForCLSIDs
HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MRT
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
Show all (222 total)
Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\DefaultAccessPermission
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\MpEngine
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\FeatureBits
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\ManagedDefenderProductType
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\Software\Microsoft\Microsoft Antimalware\MpEngine
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Features
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager\EnableRemoteManagedDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\C:|Users|<USER>|Desktop|3v8hcwW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\NdrOleExtDLL
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_CURRENT_USER\Software\BAC8B577D8C78F2A0778639E5ECEDC6F
HKEY_CURRENT_USER\Software\Dash\Dash-Qt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_CURRENT_USER\Software\D1C461CE05613D1442CAEC64549DCDFC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
HKEY_CURRENT_USER\Software\Litecoin\Litecoin-Qt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display
HKEY_CURRENT_USER\Software\D1C461CE05613D1442CAEC64549DCDFC\D1C461CE05613D1442CAEC64549DCDFC
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextListCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.JScript__b03f5f7f11d50a3a
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|azure|Downloads|3v8hcwW.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_CLASSES_ROOT\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion
Software\B7EDC55D2E8F37B2557ED721F62E3314\B7EDC55D2E8F37B2557ED721F62E3314
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|azure|Downloads|3v8hcwW.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\IdentifierLimit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\B7EDC55D2E8F37B2557ED721F62E3314
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\C:|Users|azure|Downloads|3v8hcwW.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextLockCount
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Tokyo Standard Time
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\EnablePrivateObjectHeap
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ProcessID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_CLASSES_ROOT\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration.Install__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ContextLimit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\0x0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ObjectLimit

Registry Set (Top 25)

Key Value
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\System32\fveui.dll,-843 BitLocker 驱动器加密
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\System32\fveui.dll,-844 BitLocker 数据恢复代理
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\system32\dnsapi.dll,-103 域名系统(DNS)服务器信任
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\system32\p2pcollab.dll,-8042 对等信任
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\@%SystemRoot%\system32\qagentrt.dll,-10 系统健康身份验证
HKEY_CURRENT_USER_CLASSES\Local Settings\MuiCache\37\AAF68885\LanguageList zh-CN
HKEY_CURRENT_USER\Software\D1C461CE05613D1442CAEC64549DCDFC

Services Started (Top 15)

Service
BITS
WSearch

Services Opened (Top 15)

Service
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Scroll to Top