cde71a5dac0fc08eddad405120c4b09b61c9ec07


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-09-11 12:30:46 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File:           po2.exe
Type:           Win32 EXE
SHA‑1:          cde71a5dac0fc08eddad405120c4b09b61c9ec07
MD5:            aa2b09357c07930f1966e7d763f92c38
First Seen:     2025-09-05 07:17:48.508523
Last Analysis:  2025-09-05 10:02:36.063317
Dwell Time:     0 days, 2 hours, 44 minutes

Extended Dwell Time Impact

For 2+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)               Event                        Elapsed
2025-09-04 18:03:01 UTC  First VirusTotal submission
2025-09-09 07:41:01 UTC  Latest analysis snapshot     4 days, 13 hours, 38 minutes
2025-09-11 12:30:46 UTC  Report generation time       6 days, 18 hours, 27 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 58. Missed: 15. Coverage: 79.5%.

Detected Vendors

  • Xcitium
  • +57 additional vendors (names not provided)

List includes Xcitium plus an additional 57 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Baidu
  • ClamAV
  • CMC
  • Jiangmin
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • TrendMicro-HouseCall
  • Webroot
  • Yandex
  • Zillya
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (52.86% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category         Weight  Percentage
System           231     52.86%
File System      151     34.55%
Registry         22      5.03%
Process          17      3.89%
Windows          5       1.14%
Misc             3       0.69%
Synchronization  3       0.69%
Threading        2       0.46%
Device           2       0.46%
Hooking          1       0.23%

MITRE ATT&CK Mapping

  • T1082 – get system information on Windows
  • T1057 – enumerate processes
  • T1518 – enumerate processes
  • T1010 – find graphical window
  • T1010 – enumerate gui resources
  • T1082 – query environment variable
  • T1083 – get common file path
  • T1082 – get COMSPEC environment variable
  • T1614.001 – get keyboard layout
  • T1082 – get disk size
  • T1056.001 – log keystrokes
  • T1016 – get socket status
  • T1134 – modify access privileges
  • T1082 – get hostname
  • T1134.001 – impersonate user
  • T1105 – download and write a file
  • T1033 – get session user name
  • T1087 – get session user name
  • T1082 – get memory capacity
  • T1083 – check if file exists
  • T1115 – read clipboard data
  • T1529 – shutdown system
  • T1115 – list drag and drop files
  • T1112 – delete registry value
  • T1027 – encode data using Base64
  • T1056.001 – log keystrokes via polling
  • T1012 – query or enumerate registry value
  • T1547.009 – create shortcut via IShellLink
  • T1222 – set file attributes
  • T1129 – link function at runtime on Windows
  • T1012 – query or enumerate registry key
  • T1027 – encode data using XOR
  • T1083 – enumerate files on Windows
  • T1083 – get file size
  • T1083 – get file version info
  • T1564.003 – hide graphical window
  • T1083 – enumerate files recursively
  • T1033 – get token membership
  • T1082 – get disk information
  • T1059 – compiled with AutoIt
  • T1134 – acquire debug privileges
  • T1497.002 – check for unmoving mouse cursor
  • T1115 – open clipboard
  • T1113 – capture screenshot
  • T1129 – parse PE header
  • T1112 – delete registry key
  • T1005 – Searches for sensitive browser data
  • T1005 – Reads sensitive browser data
  • T1012 – Query OS Information
  • T1012 – Possibly does reconnaissance
  • T1027.002 – Creates a page with write and execute permissions
  • T1055 – Writes into the memory of another process
  • T1055 – Modifies control flow of another process
  • T1057 – Enumerates running processes
  • T1071.001 – Downloads file
  • T1071.004 – Performs DNS request
  • T1082 – Enumerates running processes
  • T1082 – Query OS Information
  • T1083 – Searches for sensitive browser data
  • T1083 – Possibly does reconnaissance
  • T1095 – Connects to remote host
  • T1105 – Downloads file
  • T1106 – Tries to detect kernel debugger
  • T1106 – Makes direct system call to possibly evade hooking based monitoring
  • T1115 – Captures clipboard data
  • T1119 – Searches for sensitive browser data
  • T1119 – Reads sensitive browser data
  • T1129 – Loads a dropped DLL
  • T1497.003 – Delays execution
  • T1552.001 – Searches for sensitive browser data
  • T1555.003 – Reads sensitive browser data
  • T1564.003 – Creates process with hidden window
  • T1622 – Tries to detect debugger
  • T1622 – Tries to detect kernel debugger

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain            IP             Country        ASN/Org
www.msftncsi.com  23.200.3.18    United States  Akamai Technologies, Inc.
www.aieov.com     13.248.169.48  United States  Amazon Technologies Inc.

Observed IPs

IP               Country        ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4          United States  Google LLC
8.8.8.8          United States  Google LLC

DNS Queries

Request           Type
www.msftncsi.com  A
5isohu.com        A
www.aieov.com     A

Port Distribution

Port  Count  Protocols
137   1      udp
138   1      udp
5355  5      udp
53    8      udp
3702  1      udp

Ports 137/138 (NetBIOS) to the broadcast address, 5355 (LLMNR) to 224.0.0.252 and 3702 (WS-Discovery) to 239.255.255.250 are standard Windows name-resolution and discovery traffic; the port 53 packets are the DNS lookups above, sent to Google's public resolvers. No TCP or TLS sessions were captured in this sandbox run, so the domain resolutions are the strongest network indicators in the data shown here.

UDP Packets

Source IP      Dest IP          Sport  Dport  Time                Proto
192.168.56.11  192.168.56.255   137    137    3.24446702003479    udp
192.168.56.11  192.168.56.255   138    138    9.464002132415771   udp
192.168.56.11  224.0.0.252      49563  5355   3.1735901832580566  udp
192.168.56.11  224.0.0.252      54650  5355   3.175823211669922   udp
192.168.56.11  224.0.0.252      55601  5355   4.144642114639282   udp
192.168.56.11  224.0.0.252      60205  5355   3.183892011642456   udp
192.168.56.11  224.0.0.252      62798  5355   5.7362380027771     udp
192.168.56.11  239.255.255.250  62184  3702   3.1818041801452637  udp
192.168.56.11  8.8.4.4          51690  53     7.416584014892578   udp
192.168.56.11  8.8.4.4          51899  53     5.745395183563232   udp
192.168.56.11  8.8.4.4          56213  53     37.27528119087219   udp
192.168.56.11  8.8.4.4          63439  53     22.82290816307068   udp
192.168.56.11  8.8.8.8          51690  53     8.415830135345459   udp
192.168.56.11  8.8.8.8          51899  53     6.74397611618042    udp
192.168.56.11  8.8.8.8          56213  53     36.27587819099426   udp
192.168.56.11  8.8.8.8          63439  53     21.825659036636353  udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence: no services were started or opened, and the keys touched are dominated by Outlook profile, browser and AutoIt locations rather than Run keys. Below is a compact view of the most relevant keys and handles.

Registry Opened:   29
Registry Set:      25
Services Started:  0
Services Opened:   0

Registry Opened (Top 25)

Key
HKEY_CURRENT_USER\Control Panel\Mouse
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\22165c4f0be62c48b2e3e9aef6ce3db3
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\94ba7772fb349a48ba2cc741623a1549
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ae0727370bd4364ea1d3e75390877e70
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\a44d88fba08a5547a1aaad50659b22d8
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_CURRENT_USER\Control Panel\Mouse\SwapMouseButtons
HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\81fb1dc666658c4bb96e792ef5ce3051
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\4b31ac339b3c6047a5607d10314f5a05
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\c1b3326b5fa84f45970fa09da288db37
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook

Registry Set (Top 25)

Key Value
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\22165c4f0be62c48b2e3e9aef6ce3db3
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\4b31ac339b3c6047a5607d10314f5a05
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\81fb1dc666658c4bb96e792ef5ce3051
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\94ba7772fb349a48ba2cc741623a1549
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\a44d88fba08a5547a1aaad50659b22d8
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ae0727370bd4364ea1d3e75390877e70
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\c1b3326b5fa84f45970fa09da288db37
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook_2016
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\\HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\\HKEY_USERS\S-1-5-21-4219442223-4223814209-3835049652-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
