
drop registry export · detect registry values with abnormally high entropy indicating encoded or encrypted content · identify shellcode or payloads stored in registry values · surface obfuscated persistence payloads · runs locally

drop .reg, registry csv, or hive (multi-file)

shannon entropy on REG_SZ / REG_BINARY · thresholds 6.0+ suspicious · 7.5+ critical · hive · base64 · shellcode heuristics
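The entropy check described above, as an added sketch that is not this tool's own code: it parses the text of a `.reg` export, computes byte-level Shannon entropy for REG_SZ and `hex:` (REG_BINARY) values, and applies the 6.0 / 7.5 thresholds. The key name, value names and sample data are constructed, and the input is assumed to be already decoded to text.

```python
import math
import re
from collections import Counter

SUSPICIOUS, CRITICAL = 6.0, 7.5  # bits per byte, thresholds stated on the page

def shannon_entropy(data: bytes) -> float:
    # Entropy of the byte distribution: 0.0 (one repeated byte) to 8.0 (uniform).
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(data: bytes) -> str:
    h = shannon_entropy(data)
    return "critical" if h >= CRITICAL else "suspicious" if h >= SUSPICIOUS else "ok"

# "name"=data or @=data (default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')

def parse_reg(text: str):
    """Yield (key, value_name, raw_bytes) for REG_SZ and hex: values."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex continuation lines
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        data = m.group("data")
        if data.startswith("hex:"):
            raw = bytes.fromhex(data[4:].replace(",", ""))
        elif data.startswith('"') and data.endswith('"'):
            raw = data[1:-1].encode("utf-8")  # .reg escapes left as written
        else:
            continue  # dword, hex(2), hex(7) and deletions are not covered here
        yield key, m.group("name") or "(Default)", raw

def scan(text: str):
    return [(k, n, round(shannon_entropy(r), 2), classify(r)) for k, n, r in parse_reg(text)]

def hex_value(n: int) -> str:  # constructed sample data: n distinct byte values
    return "hex:" + ",".join(f"{b:02x}" for b in range(n))

SAMPLE = "\n".join(["Windows Registry Editor Version 5.00", "",
    r"[HKEY_CURRENT_USER\Software\ExampleVendor]",  # constructed key
    r'"Path"="C:\\Program Files\\Example\\app.exe"',
    '"Cache"=' + hex_value(100), '"Blob"=' + hex_value(256)])
```

A value of n bytes can never exceed log2(n) bits of entropy, so values shorter than 64 bytes cannot reach 6.0 and values shorter than 182 bytes cannot reach 7.5; short payloads need a different signal than entropy alone.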
