LockBit Build Surfaces With UPX Packing, Registry Autorun Abuse, and Stealth Execution Traits


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-20 08:36:47 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File: mkb0d2is.exe
Type: Win32 Executable (generic)
SHA‑1: a7e008ebd5230b489f0a0961877502d9ae7c6a84
MD5: 6b3cb862f15dcedb98dd3519f79d0452
First Seen: 2025-11-14 19:53:13.702939
Last Analysis: 2025-11-15 20:48:18.835937
Dwell Time: 0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish an initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC) Event Elapsed
2025-10-27 04:44:22 UTC First VirusTotal submission
2025-11-19 12:47:54 UTC Latest analysis snapshot 23 days, 8 hours, 3 minutes
2025-11-20 08:36:47 UTC Report generation time 24 days, 3 hours, 52 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 62. Missed: 10. Coverage: 86.1%.

Detected Vendors

  • Xcitium
  • +61 additional vendors (names not provided)

List includes Xcitium plus an additional 61 vendors per the provided summary.

Missed Vendors

  • Acronis
  • Antiy-AVL
  • Baidu
  • CMC
  • google_safebrowsing
  • SUPERAntiSpyware
  • VirIT
  • Webroot
  • ZoneAlarm
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (44.59% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
File System 29839 44.59%
Synchronization 20095 30.03%
System 7526 11.25%
Registry 4947 7.39%
Network 2532 3.78%
Process 899 1.34%
Threading 576 0.86%
Com 228 0.34%
Device 189 0.28%
Services 53 0.08%
Misc 32 0.05%
Windows 5 0.01%
Hooking 4 0.01%
Crypto 1 0.00%

MITRE ATT&CK Mapping

  • T1027.002 – packed with UPX
  • T1027.002 – packed with generic packer
  • T1543 – Attempts to stop active services
  • T1547 – Installs itself for autorun at Windows startup
  • T1543.003 – Attempts to stop active services
  • T1547.001 – Installs itself for autorun at Windows startup
  • T1055 – Writes to the memory of another process
  • T1202 – Uses suspicious command line tools or Windows utilities
  • T1202 – Uses Windows utilities for basic functionality
  • T1562 – Attempts to stop active services
  • T1112 – Installs itself for autorun at Windows startup
  • T1070 – Clears Windows events or logs
  • T1562.001 – Attempts to stop active services
  • T1027 – The binary likely contains encrypted or compressed data
  • T1027 – The binary contains an unknown PE section name indicative of packing
  • T1027.002 – The binary likely contains encrypted or compressed data
  • T1027.002 – The binary contains an unknown PE section name indicative of packing
  • T1489 – Attempts to stop active services
  • T1486 – Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files
  • T1486 – Creates a known LockBit ransomware decryption instruction / key file.
  • T1486 – Appends a known LockBit ransomware file extension to files that have been encrypted
  • T1485 – Clears Windows events or logs
  • T1490 – Modifies boot configuration settings
  • T1082 – Checks available memory
  • T1057 – Expresses interest in specific running processes
  • T1057 – Enumerates running processes
  • T1071 – Yara detections observed in process dumps, payloads or dropped files
  • T1071 – Dynamic (imported) function loading detected
  • T1059 – Modifies boot configuration settings
  • T1074 – Manipulates data from or to the Recycle Bin

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
5isohu.com A
101.56.168.192.in-addr.arpa PTR
12.56.168.192.in-addr.arpa PTR
11.56.168.192.in-addr.arpa PTR
13.56.168.192.in-addr.arpa PTR
7.56.168.192.in-addr.arpa PTR
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
5355 21 udp
53 18 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

Registry Opened: 145
Registry Set: 33
Services Started: 5
Services Opened: 46

Registry Opened (Top 25)

Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{871C5380-42A0-1069-A2EA-08002B30309D}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CURRENT_USER\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters\RpcCacheTimeout
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
HKEY_CURRENT_USER\Software\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DelegateFolders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\Desktop\NameSpace
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders\StorageDelegateSuppressionPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\ShellFolder\CallForAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Classes\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{26EE0668-A00A-44D7-9371-BEB064C98683}\ShellFolder\RestrictedAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder\Attributes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{208D2C60-3AEA-1069-A2D7-08002B30309D}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\Software\Classes\WOW6432Node\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder

Registry Set (Top 25)

Key Value
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Circular Kernel Context Logger\Status 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Enter) (binary value omitted)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}ComputeIgnorableProduct (Leave) (binary value omitted)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Enter) (binary value omitted)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\VolSnap\Volume{853201e6-2d75-11ea-a138-806e6f6e6963}DeleteProcess (Leave) (binary value omitted)
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\Public (binary value omitted)
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\LockBit\full (binary value omitted)
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count 226
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time E7 07 0A 00 04 00 05 00 09 00 1C 00 2C 00 0E 01
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type 3
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 "c"
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked 1
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\16000009\Element
\\Registry\Machine\BCD00000000\Objects\{73f6dfe1-2d75-11ea-8605-9a0fd88c3b92}\Elements\250000e0\Element
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 "C"
HKEY_CURRENT_USER\SOFTWARE\LockBit\full (binary value omitted)
HKEY_CURRENT_USER\SOFTWARE\LockBit\Public (binary value omitted)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\system32\kernelbase.dll[MofResourceName] LowDateTime:-1544746814,HighDateTime:30915198***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName] LowDateTime:-783199058,HighDateTime:30915198***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource] LowDateTime:-2096185540,HighDateTime:30915198***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource] LowDateTime:-32042354,HighDateTime:30780584***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\system32\drivers\ndis.sys[MofResourceName] LowDateTime:-1546934502,HighDateTime:30915198***Binary mof failed, see WMIPROV.LOG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\system32\drivers\en-US\ndis.sys.mui[MofResourceName] LowDateTime:-6885910,HighDateTime:30780584***Binary mof failed, see WMIPROV.LOG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\mssmbios.sys[MofResource] LowDateTime:590886656,HighDateTime:30780579***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource] LowDateTime:-25003186,HighDateTime:30780584***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\HDAudBus.sys[HDAudioMofName] LowDateTime:-2102904110,HighDateTime:30915198***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\processr.sys[PROCESSORWMI] LowDateTime:-2096028689,HighDateTime:30915198***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\en-US\processr.sys.mui[PROCESSORWMI] LowDateTime:-32042354,HighDateTime:30780584***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\Drivers\portcls.SYS[PortclsMof] LowDateTime:-2101967110,HighDateTime:30915198***Binary mof compiled successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\WDM\C:\Windows\System32\drivers\monitor.sys[MonitorWMI] LowDateTime:-2096966092,HighDateTime:30915198***Binary mof failed, see WMIPROV.LOG
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XO1XADpO01 "C"
SOFTWARE\LockBit\full (binary value omitted)
SOFTWARE\LockBit\Public (binary value omitted)

Services Started (Top 15)

Service
VSS
swprv
wbengine
vds
WSearch

Services Opened (Top 15)

Service
wrapper
DefWatch
ccEvtMgr
ccSetMgr
SavRoam
Sqlservr
sqlagent
sqladhlp
Culserver
RTVscan
sqlbrowser
SQLADHLP
QBIDPService
Intuit.QuickBooks.FCS
QBCFMonitorService
sqlwriter
msmdsrv
tomcat6
dbeng8
MSSQL$MICROSOFT##WID

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
