Packed MSIL Trojan Phones Home to Telegram and SMTP

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

uduir.exe

Type

PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows

SHA‑1

7a8bcbd20c53ecf5c1c600a31ca8a5a9247e35bf

MD5

a1fb79ebc64549d59b319f91c9dec5fd

First Seen

2025-09-14 05:23:31.915467

Last Analysis

2025-09-15 07:15:21.113564

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish initial foothold, perform basic system enumeration, and potentially access immediate system resources.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.

Timeline

Time (UTC)	Event	Elapsed
2025-08-20 01:33:36 UTC	First VirusTotal submission	—
2025-09-19 06:44:23 UTC	Latest analysis snapshot	30 days, 5 hours, 10 minutes
2025-10-27 10:20:46 UTC	Report generation time	68 days, 8 hours, 47 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 55. Missed: 18. Coverage: 75.3%.

Detected Vendors

Xcitium
+54 additional vendors (names not provided)

List includes Xcitium plus an additional 54 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
APEX
Baidu
ClamAV
CMC
Cynet
Gridinsoft
huorong
Jiangmin
NANO-Antivirus
SentinelOne
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
Yandex
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (45.57% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
Registry	6166	45.57%
System	3874	28.63%
File System	2223	16.43%
Process	695	5.14%
Misc	234	1.73%
Device	106	0.78%
Crypto	97	0.72%
Threading	39	0.29%
Synchronization	35	0.26%
Network	27	0.20%
Com	19	0.14%
Hooking	6	0.04%
Windows	6	0.04%
Services	4	0.03%

MITRE ATT&CK Mapping

T1083 – check if file exists
T1083 – get common file path
T1620 – invoke .NET assembly method
T1083 – check if directory exists
T1082 – Checks available memory
T1071 – The PE file contains a PDB path
T1106 – Guard pages use detected – possible anti-debugging.
T1027 – The binary likely contains encrypted or compressed data
T1027.002 – The binary likely contains encrypted or compressed data
T1005 – Searches for sensitive mail data
T1005 – Reads sensitive mail data
T1005 – Searches for sensitive browser data
T1012 – Query OS Information
T1012 – Searches for sensitive mail data
T1012 – Reads sensitive mail data
T1016 – Checks external IP address
T1027.002 – Creates a page with write and execute permissions
T1055 – Modifies control flow of a process started from a created or modified executable
T1055.012 – Process Hollowing
T1057 – Enumerates running processes
T1071.004 – Performs DNS request
T1082 – Enumerates running processes
T1082 – Query OS Information
T1083 – Searches for sensitive mail data
T1083 – Searches for sensitive browser data
T1083 – Possibly does reconnaissance
T1095 – Connects to remote host
T1119 – Searches for sensitive mail data
T1119 – Reads sensitive mail data
T1119 – Searches for sensitive browser data
T1134 – Enables process privileges
T1552.001 – Searches for sensitive mail data
T1552.001 – Searches for sensitive browser data
T1552.002 – Searches for sensitive mail data
T1552.002 – Reads sensitive mail data
T1562.001 – Modifies Windows Defender configuration
T1564.003 – Creates process with hidden window
T1568 – Performs DNS request for known DDNS domain
T1129 – The process attempted to dynamically load a malicious function
T1059 – Detected command line output monitoring
T1057 – The process has tried to detect the debugger probing the use of page guards.
T1129 – Detected the execution of a powershell command with one or more suspicious parameter
T1027 – Detected the execution of a powershell command with one or more suspicious parameter
T1086 – Detected the execution of a powershell command with one or more suspicious parameter
T1564.003 – Detected the creation of a hidden window (common execution hiding technique)
T1129 – The process tried to load dynamically one or more functions.
T1083 – get common file path
T1083 – check if file exists
T1083 – check if directory exists
T1057 – The process attempted to detect a running debugger using common APIs
T1082 – Queries for the computername
T1086 – Detected some PowerShell commands executions
T1027.009 – Drops interesting files and uses them

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
checkip.dyndns.org	132.226.8.169	United States	Oracle Corporation
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
5isohu.com	A
www.aieov.com	A
checkip.dyndns.org	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
5355	5	udp
53	10	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.14	192.168.56.255	137	137	3.0827510356903076	udp
192.168.56.14	224.0.0.252	51209	5355	3.0297911167144775	udp
192.168.56.14	224.0.0.252	53401	5355	4.670155048370361	udp
192.168.56.14	224.0.0.252	55094	5355	5.579407215118408	udp
192.168.56.14	224.0.0.252	55848	5355	3.0300581455230713	udp
192.168.56.14	224.0.0.252	62112	5355	24.7188880443573	udp
192.168.56.14	8.8.4.4	50710	53	36.953004121780396	udp
192.168.56.14	8.8.4.4	52815	53	7.230765104293823	udp
192.168.56.14	8.8.4.4	54579	53	28.53149914741516	udp
192.168.56.14	8.8.4.4	60117	53	51.672508001327515	udp
192.168.56.14	8.8.4.4	65148	53	22.578389167785645	udp
192.168.56.14	8.8.8.8	50710	53	35.95346117019653	udp
192.168.56.14	8.8.8.8	52815	53	8.21843409538269	udp
192.168.56.14	8.8.8.8	54579	53	27.531615018844604	udp
192.168.56.14	8.8.8.8	60117	53	50.67228603363037	udp
192.168.56.14	8.8.8.8	65148	53	21.578904151916504	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

281

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_CURRENT_USER\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MRT
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_LOCAL_MACHINE\Software\Microsoft\DirectWrite
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:\|Users\|<USER>\|Desktop\|file.exe
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C17CABB2-D4A3-47D7-A557-339B2EFBD4F1}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonW6432Dir
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\FontCache\Parameters\ClientCacheSize
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_CURRENT_USER\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\FeatureBits
HKEY_CURRENT_USER\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_CURRENT_USER\Software\Classes\CLSID\{1765E14E-1BD4-462E-B6B1-590BF1262AC6}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_CURRENT_USER\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_CURRENT_USER\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_CURRENT_USER\Software\Classes\CLSID\{076C2A6C-F78F-4C46-A723-3583E70876EA}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\MDMEnabled
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_CURRENT_USER\EUDC\1252
HKEY_CURRENT_USER\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_CURRENT_USER\Software\Classes\CLSID\{0DBECEC1-9EB3-4860-9C6F-DDBE86634575}
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramW6432Dir
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\InstallRoot
HKEY_CURRENT_USER\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{01B90D9A-8209-47F7-9C52-E1244BF50CED}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ED822C8C-D6BE-4301-A631-0E1416BAD28F}

Show all (281 total)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\NET Framework Setup\NDP\v4\Full\Release
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{AC4CE3CB-E1C1-44CD-8215-5A1665509EC2}
HKEY_CURRENT_USER\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_LOCAL_MACHINE\Software\Microsoft\StrongName
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\UserenvDebugLevel
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize\AppsUseLightTheme
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_CURRENT_USER\Software\Classes\CLSID\{7F12E753-FC71-43D7-A51D-92F35977ABB5}
HKEY_CURRENT_USER\Software\Classes\CLSID\{22C21F93-7DDB-411C-9B17-C5B7BD064ABC}
HKEY_CURRENT_USER\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI\Providers
HKEY_CURRENT_USER\Software\Classes\CLSID\{AA94DCC2-B8B0-4898-B835-000AABD74393}
HKEY_CURRENT_USER\Software\Classes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\file.exe
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{9CB5172B-D600-46BA-AB77-77BB7E3A00D9}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\STE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7693E886-51C9-4070-8419-9F70738EC8FA}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{6D68D1DE-D432-4B0F-923A-091183A9BDA7}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemovalTools\MRT\GUID
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\OnlyUseLatestCLR
Policy\Standards
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\ResourcePolicies
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\GpSvcDebugLevel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 024
HKEY_CURRENT_USER\Software\Classes\CLSID\{E7E79A30-4F2C-4FAB-8D00-394F2D6BBEBE}
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{A26CEC36-234C-4950-AE16-E34AACE71D0D}
HKEY_CURRENT_USER\Software\Classes\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4005801669-2598574594-602355426-1001\Installer\Assemblies\C:\|Users\|<USER>\|Desktop\|file.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\System\Setup
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{72B624DF-AE11-4948-A65C-351EB0829419}
HKEY_LOCAL_MACHINE\Software\Microsoft\AMSI
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
HKEY_CURRENT_USER\Software\Classes\CLSID\{E9A4A80A-44FE-4DE4-8971-7150B10A5199}
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictRfcInterimResponseHandling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseSafeSynchronousClose
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseSafeSynchronousClose
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Foxmail.url.mailto\Shell\open\command
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.UseStrictIPv6AddressParsing
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowDangerousUnicodeDecompositions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Uri.AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\UseHttpPipeliningAndBufferPooling
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\AllowAllUriEncodingExpansion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogResourceBinds
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DevOverrideEnable
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected – It is a violation of Windows Policy to modify. See aka.ms/browserpolicy
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\LegacyPolicyTimeStamp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\FeatureSIMD
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseMillisecondsBetweenRetries
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\index9
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\Standards\v4.0.30319
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\Latest
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Core__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework\Policy\Standards
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Deployment__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dttcodexgigas.7a8bcbd20c53ecf5c1c600a31ca8a5a9247e35bf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\APTCA
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LoggingLevel
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319\SKUs\default
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DownloadCacheQuotaInKB
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_DEFAULT_DRIVE_INTRANET_KB941000
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.10.0.Microsoft.VisualBasic__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\DisableMSIPeek
HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\OnlyUseLatestCLR
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Security__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Installer\Assemblies\C:\|Users\|azure\|Downloads\|dttcodexgigas.7a8bcbd20c53ecf5c1c600a31ca8a5a9247e35bf.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\FileInUseRetryAttempts
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\EnableLog
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\ForceLog
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\NGen\Policy\v4.0\OptimizeUsedBinaries
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DisableConfigCache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Servicing
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\AltJit
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SpecialFoldersCacheSize
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-4270068108-2931534202-3907561125-1001\Installer\Assemblies\C:\|Users\|azure\|Downloads\|dttcodexgigas.7a8bcbd20c53ecf5c1c600a31ca8a5a9247e35bf.exe
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\EUPP Protected – It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\FirstRunComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Windows.Forms__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\CacheLocation
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Serialization.Formatters.Soap__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Configuration__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\v4.0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Management__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Xml__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Data.SqlXml__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INITIALIZE_URLACTION_SHELLEXECUTE_TO_ALLOW_KB936610
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\CLRLoadLogDir
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Core__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Assemblies\C:\|Users\|azure\|Downloads\|dttcodexgigas.7a8bcbd20c53ecf5c1c600a31ca8a5a9247e35bf.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\UseLegacyIdentityFormat
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\LogFailures
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Numerics__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\v4.0_policy.4.0.System.Runtime.Remoting__b77a5c561934e089
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.Accessibility__b03f5f7f11d50a3a
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Xml.Linq__b77a5c561934e089
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Drawing__b03f5f7f11d50a3a
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\InstallRoot
HKEY_LOCAL_MACHINE\Software\Microsoft\Fusion\PublisherPolicy\Default\policy.4.0.System.Management__b03f5f7f11d50a3a

Registry Set (Top 25)

Key	Value
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASAPI32\FileDirectory	%windir%\tracing
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASAPI32\MaxFileSize	1048576
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASAPI32\ConsoleTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASAPI32\FileTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASAPI32\EnableConsoleTracing	0
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASAPI32\EnableFileTracing	0
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\SystemCertificates\Root\Certificates\0174E68C97DDF1E0EEEA415EA336A163D2B61AFD\Blob	5C 00 00 00 01 00 00 00 04 00 00 00 00 10 00 00 04 00 00 00 01 00 00 00 10 00 00 00 0D BE 92 DE FF 7D 36 BB 48 C4 A6 B1 15 24 95 38 0F 00 00 00 01 00 00 00 20 00 00 00 53 FE B9 19 2E D4 80 F2 09 12 4A 2C 57 D7 E8 97 7A 2E 9F 39 46 1D BF 21 4D F1 12 CB 16 02 4F A2 14 00 00 00 01 00 00 00 14 00 00 00 78 B8 30 FD 63 AC 7B 89 4A 07 3B ED F6 8A 83 9C C3 52 02 65 19 00 00 00 01 00 00 00 10 00 00 00 B5 74 AF 30 C5 C1 BA 3A 69 A7 10 02 00 82 4D D0 03 00 00 00 01 00 00 00 14 00 00 00 01 74 E6 8C 97 DD F1 E0 EE EA 41 5E A3 36 A1 63 D2 B6 1A FD 20 00 00 00 01 00 00 00 F8 05 00 00 30 82 05 F4 30 82 03 DC A0 03 02 01 02 02 09 00 E0 EA 61 4C 28 56 32 64 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00 30 81 8E 31 0B 30 09 06 03 55 04 06 13 02 49 4C 31 0F 30 0D 06 03 55 04 08 0C 06 43 65 6E 74 65 72 31 0C 30 0A 06 03 55 04 07 0C 03 4C 6F 64 31 10 30 0E 06 03 55 04 0A 0C 07 47 6F 50 72 6F 78 79 31 10 30 0E 06 03 55 04 0B 0C 07 47 6F 50 72 6F 78 79 31 1A 30 18 06 03 55 04 03 0C 11 67 6F 70 72 6F 78 79 2E 67 69 74 68 75 62 2E 69 6
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASMANCS\FileDirectory	%windir%\tracing
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASMANCS\MaxFileSize	1048576
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASMANCS\ConsoleTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASMANCS\FileTracingMask	4294901760
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASMANCS\EnableConsoleTracing	0
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Tracing\S7NG59ACFDOVTR6X_RASMANCS\EnableFileTracing	0

Services Started (Top 15)

Services Opened (Top 15)

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report