Malicious Python-Based Loader Powers Stealthy PluggyApe Infections

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

dgd7g.exe

Type

PE32+ executable (GUI) x86-64, for MS Windows

SHA‑1

28f925db7de3dbda6be38bc4efde22af8f28e7e0

MD5

dc4bb17f6cf57d81a0b90af957c0beaf

First Seen

2026-01-20 11:53:13.431072

Last Analysis

2026-01-20 12:50:04.155800

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 56+ minutes, this malware was rapidly detected — demonstrating excellent security controls that intercepted the threat during initial execution phases, severely limiting adversary capabilities.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents extremely rapid detection within minutes.

Timeline

Time (UTC)	Event	Elapsed
2025-12-30 23:13:01 UTC	First VirusTotal submission	—
2026-01-20 14:26:59 UTC	Latest analysis snapshot	20 days, 15 hours, 13 minutes
2026-01-20 14:56:59 UTC	Report generation time	20 days, 15 hours, 43 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 45. Missed: 27. Coverage: 62.5%.

Detected Vendors

Xcitium
+44 additional vendors (names not provided)

List includes Xcitium plus an additional 44 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
Baidu
CAT-QuickHeal
ClamAV
CMC
google_safebrowsing
Gridinsoft
huorong
Jiangmin
Kingsoft
Malwarebytes
Panda
Rising
Sangfor
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
VBA32
VirIT
Webroot
Xcitium
Yandex
Zillya
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Intensive file system activity (70.47% of behavior) indicates data harvesting, file encryption, or dropper behavior. The threat is actively searching for and manipulating files across the system.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
File System	1286	70.47%
System	337	18.47%
Registry	103	5.64%
Process	69	3.78%
Misc	17	0.93%
Synchronization	4	0.22%
Windows	3	0.16%
Hooking	2	0.11%
Threading	2	0.11%
Device	2	0.11%

MITRE ATT&CK Mapping

T1129 – parse PE header
T1082 – get disk information
T1083 – enumerate files on Windows
T1057 – enumerate process modules
T1083 – enumerate files recursively
T1129 – link many functions at runtime
T1497.001 – reference anti-VM strings targeting Xen
T1082 – query environment variable
T1083 – get file size
T1059 – accept command line arguments
T1083 – get common file path
T1027 – encode data using XOR
T1129 – link function at runtime on Windows
T1129 – Drops a binary and executes it
T1202 – Uses Windows utilities for basic functionality
T1202 – Uses suspicious command line tools or Windows utilities
T1562 – Attempts to modify Microsoft Office security settings
T1055 – Creates a process in a suspended state, likely for injection
T1112 – Attempts to modify Microsoft Office security settings
T1112 – Installs itself for autorun at Windows startup
T1562.001 – Attempts to modify Microsoft Office security settings
T1027 – The binary contains an unknown PE section name indicative of packing
T1221 – A document file initiated network communications indicative of a potential exploit or payload download
T1027.002 – The binary contains an unknown PE section name indicative of packing
T1539 – Touches a file containing cookies, possibly for information gathering
T1547 – Installs itself for autorun at Windows startup
T1547.001 – Installs itself for autorun at Windows startup
T1082 – Checks available memory
T1071 – Reads data out of its own binary image
T1071 – Accesses the UserInfo registry key, potentially used for discovery
T1071 – A document file initiated network communications indicative of a potential exploit or payload download
T1071 – A potential decoy document was displayed to the user
T1071 – Attempts to connect to a dead IP:Port
T1071 – The PE file contains an overlay
T1573 – Establishes an encrypted HTTPS connection
T1486 – Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files
T1485 – Anomalous file deletion behavior detected (10+)
T1070.006 – Binary contains a suspicious time stamp
T1083 – Reads ini files
T1082 – Queries the volume information (name, serial number etc) of a device
T1573 – Uses HTTPS
T1071 – Uses HTTPS

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.msftncsi.com	23.44.129.37	United States	Akamai Technologies, Inc.
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
5isohu.com	A
www.msftncsi.com	A
www.aieov.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	5	udp
53	6	udp
3702	1	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.13	192.168.56.255	137	137	3.2444281578063965	udp
192.168.56.13	224.0.0.252	49311	5355	5.729628086090088	udp
192.168.56.13	224.0.0.252	55150	5355	3.172927141189575	udp
192.168.56.13	224.0.0.252	60010	5355	5.183691024780273	udp
192.168.56.13	224.0.0.252	62406	5355	3.177854061126709	udp
192.168.56.13	224.0.0.252	63527	5355	4.8118860721588135	udp
192.168.56.13	239.255.255.250	52252	3702	3.1810481548309326	udp
192.168.56.13	8.8.4.4	54879	53	7.77041220664978	udp
192.168.56.13	8.8.4.4	54881	53	7.3862950801849365	udp
192.168.56.13	8.8.4.4	58697	53	22.853103160858154	udp
192.168.56.13	8.8.8.8	54879	53	8.759713172912598	udp
192.168.56.13	8.8.8.8	54881	53	8.384709119796753	udp
192.168.56.13	8.8.8.8	58697	53	21.854870080947876	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

292

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\Content Type
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\FolderValueFlags
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableUmpdBufferSizeCheck
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\CurVer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowTypeOverlay
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\DocObject
HKEY_CLASSES_ROOT\.docx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx\ShellEx\IconHandler
HKEY_CLASSES_ROOT\CLSID\{F4754C9B-64F5-4B40-8AF4-679732AC0607}\Implemented Categories\{00021490-0000-0000-C000-000000000046}
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\UserChoice\Hash
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\ValidateRegItems
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\MonitorRegistry
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\ValidateRegItems
HKEY_CURRENT_USER\Software\Classes\.docx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\MonitorRegistry
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\UserChoice\ProgId

Show all (292 total)

Key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\DocObject\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer\UseFindFirstFileEnumeration
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\CLSID\(Default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap\.docx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\PerceivedType
HKEY_CLASSES_ROOT\Word.Document.12
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
HKEY_CURRENT_USER\Software\Classes\Word.Document.12\CurVer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\Clsid
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\Software\Classes\.docx
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\UserChoice
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
HKEY_CLASSES_ROOT\SystemFileAssociations\document
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowStatusBar
HKEY_CLASSES_ROOT\SystemFileAssociations\.docx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\(Default)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AutoCheckSelect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\file.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\IconsOnly
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\document\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OpenWith.exe
HKEY_CURRENT_USER_Classes\.docx
HKEY_CURRENT_USER_Classes\.docx\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\Metadata
HKEY_CURRENT_USER_Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\BrowseInPlace
HKEY_CURRENT_USER_Classes\Directory
HKEY_CURRENT_USER_Classes\Folder\Clsid
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\FileTypeAssociation\Index\FileType
HKEY_CURRENT_USER\Software\Classes\Local Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\InprocHandler32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx\BrowseInPlace
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.docx\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.System.Internal.Launch.LauncherQueryInfo\CustomAttributes
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4DF0C730-DF9D-4AE3-9153-AA6B82E9795A}
HKEY_CURRENT_USER_Classes\Unknown\BrowseInPlace
HKEY_CURRENT_USER_Classes\Unknown
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\InitPropertyBag
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs
HKEY_CURRENT_USER_Classes\LibreOffice.Docx
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache\FileTypeAssociation\Index\FileType\.docx
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
HKEY_CURRENT_USER_Classes\Folder\ShellEx\IconHandler
HKEY_CURRENT_USER_Classes\Word.Document.12\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\NULL
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\UserChoice
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_CURRENT_USER\Software\Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance
HKEY_CURRENT_USER\Control Panel\International\User Profile
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler32
HKEY_CURRENT_USER_Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server\StateRepository
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER_Classes\AppID\OpenWith.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler
HKEY_CURRENT_USER_Classes\AllFilesystemObjects
HKEY_CURRENT_USER_Classes\SystemFileAssociations\document
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocServer32
HKEY_CURRENT_USER_Classes\CLSID\{E44E9428-BDBC-4987-A099-40DC8FD255E7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\LocalServer32
HKEY_CURRENT_USER_Classes\.docx\Clsid
HKEY_CURRENT_USER_Classes\CLSID\{59031a47-3f72-44a7-89c5-5595fe6b30ee}\ShellFolder
HKEY_CURRENT_USER_Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer32
HKEY_CURRENT_USER_Classes\SystemFileAssociations\document\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\BrowseInPlace
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_CURRENT_USER_Classes\docxfile
HKEY_CURRENT_USER_Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\InprocHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AllowedEnumeration
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\DocObject
HKEY_CURRENT_USER_Classes\Unknown\CurVer
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\BrowseInPlace
HKEY_CURRENT_USER_Classes\Folder
HKEY_CURRENT_USER_Classes\Unknown\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\Server
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\shell
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765B11-3F95-4AF2-AC9D-EA55D8994F1A}
HKEY_CURRENT_USER_Classes\Unknown\ShellEx\IconHandler
HKEY_CURRENT_USER_Classes\Word.Document.12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\TreatAs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocHandler
HKEY_CURRENT_USER_Classes\.docx\BrowseInPlace
HKEY_CURRENT_USER_Classes\Folder\BrowseInPlace
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocHandler32
HKEY_CURRENT_USER\Control Panel\International\User Profile\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocHandler32
HKEY_CURRENT_USER_Classes\.docx\OpenWithProgids
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Word.Document.12\shell\Open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\TreatAs
HKEY_CURRENT_USER\Software\Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\InProcServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\CurVer
HKEY_CURRENT_USER_Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\NULL
HKEY_CURRENT_USER_Classes\Interface\{7F9185B0-CB92-43C5-80A9-92277A4F7B54}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LibreOffice.Docx\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\Clsid
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}
HKEY_CURRENT_USER_Classes\Directory\Clsid
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\LocalServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\InprocServer32
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER_Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\.docx\Clsid
HKEY_CURRENT_USER_Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\TreatAs
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\executable.exe
HKEY_CURRENT_USER_Classes\Directory\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\InprocHandler32
HKEY_CURRENT_USER\Software\Classes
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.docx\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e44e9428-bdbc-4987-a099-40dc8fd255e7}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1070296143-2877979003-364783958-1001\fdeploy
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\LocalServer32
HKEY_CURRENT_USER_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance\InitPropertyBag
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.docx\Clsid
HKEY_CURRENT_USER_Classes\Interface\{7F9185B0-CB92-43C5-80A9-92277A4F7B54}
HKEY_LOCAL_MACHINE\OSDATA\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.docx\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7F9185B0-CB92-43C5-80A9-92277A4F7B54}\ProxyStubClsid32
HKEY_CURRENT_USER_Classes\LibreOffice.Docx\shell
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.docx
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModel\StateRepository\Cache
HKEY_CURRENT_USER_Classes\AllFilesystemObjects\ShellEx\IconHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocServer32
HKEY_CURRENT_USER_Classes
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocServer32
HKEY_CURRENT_USER_Classes\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\ShellFolder
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\NULL
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
HKEY_CURRENT_USER_Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Foundation.PropertyValue
HKEY_CURRENT_USER_Classes\Directory\ShellEx\IconHandler
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\NULL
HKEY_CURRENT_USER_Classes\.docx\OpenWithProgIDs
HKEY_CURRENT_USER_Classes\LibreOffice.Docx\shell\open
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithProgids
HKEY_CURRENT_USER_Classes\SystemFileAssociations\.docx\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\Diagnosis
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.Security.SmartScreen.AppReputationService
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.System.Internal.Launch.LauncherQueryInfo
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\TreatAs
HKEY_CURRENT_USER_Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SystemFileAssociations\document\BrowseInPlace
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\InprocHandler
HKEY_CURRENT_USER_Classes\.docx\DocObject
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\python.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsRuntime\ActivatableClassId\Windows.Internal.StateRepository.FileTypeAssociation
HKEY_CURRENT_USER_Classes\Unknown\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Unknown\ShellEx\IconHandler
HKEY_CURRENT_USER_Classes\Word.Document.12\shell\Open
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4df0c730-df9d-4ae3-9153-aa6b82e9795a}\Elevation
HKEY_CURRENT_USER_Classes\Directory\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AllFilesystemObjects\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0E5AAE11-A475-4c5b-AB00-C66DE400274E}\Elevation
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\LocalServer
HKEY_CURRENT_USER_Classes\SystemFileAssociations\document\DocObject
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InprocServer32
HKEY_CURRENT_USER_Classes\CLSID\{DFFACDC5-679F-4156-8947-C5C76BC0B67F}\Instance
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docx\OpenWithList

Registry Set (Top 25)

Key	Value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage\WORDFiles	1537081403
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage\ProductFiles	1537081550
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage\SpellingAndGrammarFiles_1036	1537081448
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage\SpellingAndGrammarFiles_1033	1537081541
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage\SpellingAndGrammarFiles_3082	1537081444
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RealtekDevice	“C:\Users\Bruno\AppData\Local\Temp\Python312\python.exe” “C:\Users\Bruno\AppData\Local\Temp\o.d.f.a.d.g.j.k.l.f.s.f.d.d.a.py”
HKEY_USERS\S-1-5-21-4270068108-2931534202-3907561125-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile	Binary Data
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF	01 00 00 00 00 00 00 00 05 C7 E5 5A E2 79 DC 01
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF	01 00 00 00 00 00 00 00 4D E7 15 5B E2 79 DC 01

Services Started (Top 15)

Service
BITS
WSearch

Services Opened (Top 15)

Service
VaultSvc
clipsvc

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report