AnonBit MSIL Ransomware Builder Shows Chaos-Family Traits and Embedded BlackMatter Metadata


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-20 08:29:18 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: AnonBit Builder.exe
Type: Generic CIL Executable (.NET, Mono, etc.)
SHA-1: 67f64121cab3ae9fc505d3ca7a7d94274eaccab1
MD5: 89a89731ea03000ab339d9b305587692
First Seen: 2025-11-14 19:25:10.679327
Last Analysis: 2025-11-15 20:48:16.497764
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish an initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC) Event Elapsed
2025-07-28 01:12:21 UTC First VirusTotal submission
2025-11-19 12:45:19 UTC Latest analysis snapshot 114 days, 11 hours, 32 minutes
2025-11-20 08:29:18 UTC Report generation time 115 days, 7 hours, 16 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 55. Missed: 18. Coverage: 75.3%.

Detected Vendors

  • Xcitium
  • 54 additional vendors (names not provided in the source summary)

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • Cynet
  • google_safebrowsing
  • Gridinsoft
  • Jiangmin
  • NANO-Antivirus
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • VBA32
  • Webroot
  • Yandex
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (42.91% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
System 1794 42.91%
Misc 992 23.73%
Registry 608 14.54%
File System 332 7.94%
Process 236 5.64%
Windows 151 3.61%
Threading 43 1.03%
Synchronization 15 0.36%
Crypto 5 0.12%
Device 4 0.10%
Hooking 1 0.02%

MITRE ATT&CK Mapping

  • T1083 – check if file exists
  • T1083 – get common file path
  • T1140 – decrypt data using RSA via WinAPI
  • T1027 – encode data using Base64
  • T1497.001 – reference anti-VM strings targeting Qemu
  • T1027.004 – compile .NET assembly
  • T1497.001 – reference anti-VM strings targeting VirtualBox
  • T1027 – encrypt data using RSA via WinAPI
  • T1027.004 – compile CSharp in .NET
  • T1012 – query or enumerate registry key
  • T1140 – decode data using Base64 in .NET
  • T1033 – get session user name
  • T1087 – get session user name
  • T1082 – Checks available memory
  • T1071 – Binary file triggered YARA rule
  • T1071 – Anomalous binary characteristics
  • T1106 – Guard pages use detected – possible anti-debugging.
  • T1070.006 – Binary compilation timestomping detected
  • T1070 – Binary compilation timestomping detected
  • T1542.003 – May use bcdedit to modify the Windows boot settings
  • T1497 – Uses Windows timers to delay execution
  • T1497 – Allocates memory with a write watch (potentially for evading sandboxes)
  • T1562.001 – Creates guard pages, often used to prevent reverse engineering and debugging
  • T1027 – .NET source code contains long base64-encoded strings
  • T1070.006 – Binary contains a suspicious time stamp
  • T1070.004 – May delete shadow drive data (may be related to ransomware)
  • T1082 – Queries the cryptographic machine GUID
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1090 – Found Tor onion address

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.200.3.27 United States Akamai Technologies, Inc.
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
138 1 udp
5355 5 udp
53 28 udp
3702 1 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. The counts and the most relevant registry keys are listed below.

Registry Opened: 337
Registry Set: 0
Services Started: 0
Services Opened: 0

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock\AllowDevelopmentWithoutDevLicense
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\AnonBit Ransomware Builder.exe
HKEY_CLASSES_ROOT\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_CLASSES_ROOT\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\FeatureSIMD
HKEY_CLASSES_ROOT\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Input\MaxResyncAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AnonBit Ransomware Builder.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\RaiseDefaultAuthnLevel
HKEY_CLASSES_ROOT\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectWrite
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CLASSES_ROOT\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:|Users|<USER>|Desktop|AnonBit Ransomware Builder.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_CLASSES_ROOT\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}
HKEY_CLASSES_ROOT\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_CLASSES_ROOT\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CleanPC
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5FEEED48-1AE6-4C15-9D6E-27DD3DF6CAC8}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Device performance and health
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_CURRENT_USER_Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{136FECC8-05C4-4DEA-AC27-4C0666C20320}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_CURRENT_USER_Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\Elevation
HKEY_CURRENT_USER_Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:|Users|user|Desktop|AnonBit Ransomware Builder.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F}

Registry Set (Top 25)

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
