Covert Python Runtime Execution Powers PluggyApe Backdoor Control


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-01-20 14:57:51 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: knelxy.exe
Type: PE32+ executable (GUI) x86-64, for MS Windows
SHA‑1: be63c69b8bcd0d26451b83bf29f4dbfb356b8b16
MD5: 8fcd5b53c4223f7520cc5c3f02990f9e
First Seen: 2026-01-20 11:53:44.008736
Last Analysis: 2026-01-20 12:50:04.438848
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

This malware was detected after 56+ minutes, a rapid response that demonstrates excellent security controls: the threat was intercepted during its initial execution phases, severely limiting adversary capabilities.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents extremely rapid detection within minutes.

Timeline

Time (UTC) Event Elapsed
2026-01-09 10:47:45 UTC First VirusTotal submission
2026-01-20 14:28:59 UTC Latest analysis snapshot 11 days, 3 hours, 41 minutes
2026-01-20 14:57:51 UTC Report generation time 11 days, 4 hours, 10 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 45. Missed: 27. Coverage: 62.5%.

Detected Vendors

  • Xcitium
  • +44 additional vendors (names not provided)

List includes Xcitium plus an additional 44 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • ClamAV
  • CMC
  • google_safebrowsing
  • Gridinsoft
  • huorong
  • Jiangmin
  • Kingsoft
  • Malwarebytes
  • Panda
  • Rising
  • Sangfor
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Trapmine
  • VBA32
  • VirIT
  • ViRobot
  • Webroot
  • Xcitium
  • Yandex
  • Zillya
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (68.87% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 1283 68.87%
System 370 19.86%
Registry 107 5.74%
Process 69 3.70%
Misc 17 0.91%
Synchronization 8 0.43%
Windows 3 0.16%
Hooking 2 0.11%
Threading 2 0.11%
Device 2 0.11%

MITRE ATT&CK Mapping

  • T1027 – encode data using XOR
  • T1129 – link many functions at runtime
  • T1082 – query environment variable
  • T1083 – enumerate files recursively
  • T1129 – link function at runtime on Windows
  • T1497.001 – reference anti-VM strings targeting Xen
  • T1083 – get file size
  • T1083 – get common file path
  • T1059 – accept command line arguments
  • T1129 – parse PE header
  • T1057 – enumerate process modules
  • T1082 – get disk information
  • T1083 – enumerate files on Windows
  • T1129 – Drops a binary and executes it
  • T1564 – A process created a hidden window
  • T1202 – Uses Windows utilities for basic functionality
  • T1202 – Uses suspicious command line tools or Windows utilities
  • T1562 – Attempts to modify Microsoft Office security settings
  • T1055 – Creates a process in a suspended state, likely for injection
  • T1112 – Installs itself for autorun at Windows startup
  • T1112 – Attempts to modify Microsoft Office security settings
  • T1562.001 – Attempts to modify Microsoft Office security settings
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1564.003 – A process created a hidden window
  • T1221 – A document file initiated network communications indicative of a potential exploit or payload download
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1539 – Touches a file containing cookies, possibly for information gathering
  • T1547 – Installs itself for autorun at Windows startup
  • T1547.001 – Installs itself for autorun at Windows startup
  • T1082 – Collects information to fingerprint the system
  • T1082 – Checks available memory
  • T1012 – Collects information to fingerprint the system
  • T1071 – Reads data out of its own binary image
  • T1071 – Attempts to connect to a dead IP:Port
  • T1071 – Accesses the UserInfo registry key, potentially used for discovery
  • T1071 – A document file initiated network communications indicative of a potential exploit or payload download
  • T1071 – A potential decoy document was displayed to the user
  • T1071 – The PE file contains an overlay
  • T1573 – Establishes an encrypted HTTPS connection
  • T1486 – Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files
  • T1485 – Anomalous file deletion behavior detected (10+)
  • T1547.001 – Creates an autostart registry key
  • T1070.006 – Binary contains a suspicious time stamp
  • T1083 – Reads ini files
  • T1082 – Queries the volume information (name, serial number etc) of a device
  • T1573 – Uses HTTPS
  • T1571 – Detected TCP or UDP traffic on non-standard ports
  • T1071 – Uses HTTPS

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
138 1 udp
5355 4 udp
53 4 udp

UDP Packets

Source IP Dest IP Sport Dport Time Proto
192.168.56.14 192.168.56.255 137 137 3.0783159732818604 udp
192.168.56.14 192.168.56.255 138 138 9.078428030014038 udp
192.168.56.14 224.0.0.252 51209 5355 3.008920907974243 udp
192.168.56.14 224.0.0.252 53401 5355 5.579184055328369 udp
192.168.56.14 224.0.0.252 55094 5355 5.670659065246582 udp
192.168.56.14 224.0.0.252 55848 5355 3.01003098487854 udp
192.168.56.14 8.8.4.4 52815 53 8.320700883865356 udp
192.168.56.14 8.8.4.4 65148 53 23.78119993209839 udp
192.168.56.14 8.8.8.8 52815 53 9.312613010406494 udp
192.168.56.14 8.8.8.8 65148 53 22.78173804283142 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

Registry Opened: 311
Registry Set: 10
Services Started: 2
Services Opened: 2

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\Content Type
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\DocObject\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\file.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\UserChoice\ProgId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\MonitorRegistry
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\UserChoice
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\ShellEx\IconHandler
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Classes\.docx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_LOCAL_MACHINE\Software\Classes\.docx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\
HKEY_CLASSES_ROOT\SystemFileAssociations\document
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.docx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CLASSES_ROOT\SystemFileAssociations\.docx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\CurVer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell

Registry Set (Top 25)

Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage\WORDFiles 1546190907
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage\ProductFiles 1546191054
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage\SpellingAndGrammarFiles_1036 1546190952
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage\SpellingAndGrammarFiles_1033 1546191045
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage\SpellingAndGrammarFiles_3082 1546190948
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RealtekDevice "C:\Users\Bruno\AppData\Local\Temp\Python312\python.exe" "C:\Users\Bruno\AppData\Local\Temp\o.d.f.a.d.g.j.k.l.f.s.f.d.d.a.py"
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile Binary Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF 01 00 00 00 00 00 00 00 98 FD 50 EB 55 81 DC 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF 01 00 00 00 00 00 00 00 E0 2E 06 EC 55 81 DC 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RealtekDevice "C:\Users\user\AppData\Local\Temp\Python312\python.exe" "C:\Users\user\AppData\Local\Temp\o.d.f.a.d.

Services Started (Top 15)

Service
BITS
WSearch

Services Opened (Top 15)

Service
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
