AsyncRAT Payload Leveraging Scheduled Tasks And Registry Persistence


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-12-16 07:05:40 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: hi4qse4dy.exe
Type: Generic CIL Executable (.NET, Mono, etc.)
SHA‑1: 42d408efdb2bedc3bab8421c46cddf184574f2c5
MD5: abb81fc578898b5ffb5dafb7d9a81dae
First Seen: 2025-12-10 17:58:13.503217
Last Analysis: 2025-12-10 20:05:08.295541
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) | Event | Elapsed
2025-10-23 19:30:37 UTC | First VirusTotal submission |
2025-12-14 19:48:06 UTC | Latest analysis snapshot | 52 days, 0 hours, 17 minutes
2025-12-16 07:05:40 UTC | Report generation time | 53 days, 11 hours, 35 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 61. Missed: 11. Coverage: 84.7%.

Detected Vendors

  • Xcitium
  • +60 additional vendors (names not provided)

List includes Xcitium plus an additional 60 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • Cynet
  • Gridinsoft
  • TACHYON
  • tehtris
  • Trapmine
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Heavy cryptographic operations (99.81% of behavior) indicate potential ransomware, data encryption for exfiltration, or secure C2 communications. The malware is actively encrypting or decrypting sensitive data.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category | Weight | Percentage
Crypto | 1750055 | 99.81%
System | 2271 | 0.13%
File System | 402 | 0.02%
Registry | 281 | 0.02%
Process | 157 | 0.01%
Network | 100 | 0.01%
Misc | 53 | 0.00%
Threading | 12 | 0.00%
Synchronization | 10 | 0.00%
Device | 2 | 0.00%
Hooking | 1 | 0.00%

MITRE ATT&CK Mapping

  • T1620 – invoke .NET assembly method
  • T1082 – get OS version in .NET
  • T1082 – get number of processors
  • T1033 – get session integrity level
  • T1027 – encode data using Base64
  • T1560.002 – compress data using GZip in .NET
  • T1082 – query environment variable
  • T1112 – delete registry value
  • T1115 – clear clipboard data
  • T1083 – enumerate files in .NET
  • T1115 – read clipboard data
  • T1053.005 – schedule task via schtasks
  • T1033 – get session user name
  • T1087 – get session user name
  • T1620 – load .NET assembly
  • T1056.001 – log keystrokes
  • T1057 – find process by PID
  • T1497.001 – reference anti-VM strings targeting VMWare
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1082 – get hostname
  • T1083 – check if directory exists
  • T1614.001 – get keyboard layout
  • T1070.004 – self delete
  • T1140 – decode data using Base64 in .NET
  • T1082 – get disk size
  • T1112 – delete registry key
  • T1047 – access WMI data in .NET
  • T1497.001 – reference anti-VM strings targeting VirtualBox
  • T1012 – query or enumerate registry value
  • T1083 – check if file exists
  • T1012 – query or enumerate registry key
  • T1083 – get common file path
  • T1056.001 – log keystrokes via polling
  • T1082 – Checks available memory
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – Binary file triggered multiple YARA rules
  • T1071 – Attempts to connect to a dead IP:Port
  • T1219 – Creates known AsyncRat mutex
  • T1568 – Connects to a Dynamic DNS Domain
  • T1106 – Guard pages use detected – possible anti-debugging.
  • T1129 – The process attempted to dynamically load a malicious function
  • T1057 – The process has tried to detect the debugger probing the use of page guards.
  • T1129 – The process tried to load dynamically one or more functions.
  • T1083 – enumerate files on Windows
  • T1057 – The process attempted to detect a running debugger using common APIs
  • T1071 – The process behaves as a known keylogger (iSpy)

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain | IP | Country | ASN/Org
Nightmare15.strangled.net | 13.218.220.192 | United States | Amazon Technologies Inc.
www.aieov.com | 13.248.169.48 | United States | Amazon Technologies Inc.
www.msftncsi.com | 23.200.3.82 | United States | Akamai Technologies, Inc.

Observed IPs

IP | Country | ASN/Org
224.0.0.252 | |
239.255.255.250 | |
8.8.4.4 | United States | Google LLC
8.8.8.8 | United States | Google LLC

DNS Queries

Request | Type
www.msftncsi.com | A
5isohu.com | A
www.aieov.com | A
Nightmare15.strangled.net | A
lastofdr51.mywire.org | A

Port Distribution

Port | Count | Protocols
137 | 1 | udp
5355 | 5 | udp
53 | 88 | udp
3702 | 1 | udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.11 192.168.56.255 137 137 3.2447659969329834 udp
192.168.56.11 224.0.0.252 49563 5355 3.173468828201294 udp
192.168.56.11 224.0.0.252 54650 5355 3.1770288944244385 udp
192.168.56.11 224.0.0.252 55601 5355 3.4673988819122314 udp
192.168.56.11 224.0.0.252 60205 5355 3.1889429092407227 udp
192.168.56.11 224.0.0.252 62798 5355 5.734469890594482 udp
192.168.56.11 239.255.255.250 62184 3702 3.19209885597229 udp
192.168.56.11 8.8.4.4 49299 53 267.1667289733887 udp
192.168.56.11 8.8.4.4 50586 53 205.47890090942383 udp
192.168.56.11 8.8.4.4 51266 53 307.47854804992676 udp
192.168.56.11 8.8.4.4 51569 53 239.47874784469604 udp
192.168.56.11 8.8.4.4 51628 53 79.27565288543701 udp
192.168.56.11 8.8.4.4 51663 53 111.8845329284668 udp
192.168.56.11 8.8.4.4 51690 53 6.035708904266357 udp
192.168.56.11 8.8.4.4 51880 53 126.24446988105774 udp
192.168.56.11 8.8.4.4 51899 53 5.744818925857544 udp
192.168.56.11 8.8.4.4 52464 53 188.47824501991272 udp
192.168.56.11 8.8.4.4 53480 53 144.50956892967224 udp
192.168.56.11 8.8.4.4 53608 53 358.47845482826233 udp
192.168.56.11 8.8.4.4 53766 53 290.47851395606995 udp
192.168.56.11 8.8.4.4 54684 53 171.4783070087433 udp
192.168.56.11 8.8.4.4 54823 53 222.4785840511322 udp
192.168.56.11 8.8.4.4 55183 53 205.83816599845886 udp
192.168.56.11 8.8.4.4 56007 53 238.44760990142822 udp
192.168.56.11 8.8.4.4 56213 53 35.853781938552856 udp
192.168.56.11 8.8.4.4 56473 53 69.47843289375305 udp
192.168.56.11 8.8.4.4 56666 53 137.47892999649048 udp
192.168.56.11 8.8.4.4 57278 53 299.77559185028076 udp
192.168.56.11 8.8.4.4 57921 53 341.47882604599 udp
192.168.56.11 8.8.4.4 58090 53 158.869647026062 udp
192.168.56.11 8.8.4.4 58269 53 342.77579283714294 udp
192.168.56.11 8.8.4.4 58800 53 191.4788098335266 udp
192.168.56.11 8.8.4.4 58917 53 64.91579699516296 udp
192.168.56.11 8.8.4.4 59505 53 324.4789559841156 udp
192.168.56.11 8.8.4.4 59770 53 50.556954860687256 udp
192.168.56.11 8.8.4.4 59945 53 252.80737686157227 udp
192.168.56.11 8.8.4.4 60054 53 154.4783718585968 udp
192.168.56.11 8.8.4.4 60141 53 256.47854590415955 udp
192.168.56.11 8.8.4.4 60334 53 86.47861194610596 udp
192.168.56.11 8.8.4.4 60615 53 314.13542795181274 udp
192.168.56.11 8.8.4.4 61332 53 273.4790449142456 udp
192.168.56.11 8.8.4.4 61392 53 357.13520789146423 udp
192.168.56.11 8.8.4.4 61467 53 220.19757604599 udp
192.168.56.11 8.8.4.4 61507 53 97.52529788017273 udp
192.168.56.11 8.8.4.4 62120 53 103.47875595092773 udp
192.168.56.11 8.8.4.4 62329 53 52.47881197929382 udp
192.168.56.11 8.8.4.4 63385 53 328.38493490219116 udp
192.168.56.11 8.8.4.4 63439 53 20.44780993461609 udp
192.168.56.11 8.8.4.4 63550 53 120.47864294052124 udp
192.168.56.11 8.8.4.4 64563 53 173.22864985466003 udp
192.168.56.11 8.8.4.4 65511 53 285.4163680076599 udp
192.168.56.11 8.8.8.8 49299 53 266.17049503326416 udp
192.168.56.11 8.8.8.8 50586 53 204.47941994667053 udp
192.168.56.11 8.8.8.8 51266 53 306.47958493232727 udp
192.168.56.11 8.8.8.8 51569 53 238.47972798347473 udp
192.168.56.11 8.8.8.8 51628 53 78.27588105201721 udp
192.168.56.11 8.8.8.8 51663 53 110.88547682762146 udp
192.168.56.11 8.8.8.8 51690 53 7.025382995605469 udp
192.168.56.11 8.8.8.8 51880 53 125.2448959350586 udp
192.168.56.11 8.8.8.8 51899 53 6.744001865386963 udp
192.168.56.11 8.8.8.8 52464 53 187.4795789718628 udp
192.168.56.11 8.8.8.8 53480 53 143.52326798439026 udp
192.168.56.11 8.8.8.8 53608 53 357.4805009365082 udp
192.168.56.11 8.8.8.8 53766 53 289.4794180393219 udp
192.168.56.11 8.8.8.8 54684 53 170.47896695137024 udp
192.168.56.11 8.8.8.8 54823 53 221.47969484329224 udp
192.168.56.11 8.8.8.8 55183 53 204.8392219543457 udp
192.168.56.11 8.8.8.8 56007 53 237.44927096366882 udp
192.168.56.11 8.8.8.8 56213 53 34.85407090187073 udp
192.168.56.11 8.8.8.8 56473 53 68.47878098487854 udp
192.168.56.11 8.8.8.8 56666 53 136.47857284545898 udp
192.168.56.11 8.8.8.8 57278 53 298.7767598628998 udp
192.168.56.11 8.8.8.8 57921 53 340.47902488708496 udp
192.168.56.11 8.8.8.8 58090 53 157.86964297294617 udp
192.168.56.11 8.8.8.8 58269 53 341.7814438343048 udp
192.168.56.11 8.8.8.8 58800 53 190.48448586463928 udp
192.168.56.11 8.8.8.8 58917 53 63.916827917099 udp
192.168.56.11 8.8.8.8 59505 53 323.479877948761 udp
192.168.56.11 8.8.8.8 59770 53 49.55741882324219 udp
192.168.56.11 8.8.8.8 59945 53 251.81661701202393 udp
192.168.56.11 8.8.8.8 60054 53 153.47897386550903 udp
192.168.56.11 8.8.8.8 60141 53 255.47971105575562 udp
192.168.56.11 8.8.8.8 60334 53 85.47848892211914 udp
192.168.56.11 8.8.8.8 60615 53 313.1362979412079 udp
192.168.56.11 8.8.8.8 61332 53 272.4794738292694 udp
192.168.56.11 8.8.8.8 61392 53 356.13602805137634 udp
192.168.56.11 8.8.8.8 61467 53 219.1990098953247 udp
192.168.56.11 8.8.8.8 61507 53 96.52571702003479 udp
192.168.56.11 8.8.8.8 62120 53 102.4786958694458 udp
192.168.56.11 8.8.8.8 62329 53 51.48997902870178 udp
192.168.56.11 8.8.8.8 63385 53 327.38591599464417 udp
192.168.56.11 8.8.8.8 63439 53 21.447213888168335 udp
192.168.56.11 8.8.8.8 63550 53 119.47925305366516 udp
192.168.56.11 8.8.8.8 64563 53 172.22881984710693 udp
192.168.56.11 8.8.8.8 65511 53 284.4174268245697 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles, followed by the full lists where available.

Registry Opened

155

Registry Set

0

Services Started

1

Services Opened

0

Registry Opened (155 keys)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableCANameConstraints
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableMandatoryBasicConstraints
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7a\52C64B7E
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\file.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\DisableUnsupportedCriticalExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCertCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\crypt32\DiagLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Type
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Comment
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\RpcId
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Capabilities
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxIssuerDepth
Policy\Standards
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxVerifySignatureCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalByteCount
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\TokenSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Display
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Version
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlCountInCert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Std
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\crypt32\DiagMatchAnyMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\MaxAIAUrlRetrievalCountPerChain
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\AltJit
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
SOFTWARE\Microsoft\Cryptography\AutoEnrollment\Debug
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog

Registry Set (Top 25)

Services Started (Top 15)

Service
WSearch

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
