So you might have heard about this malware called Poweliks, that uses the registry not only to persist but also to write this malicious code so it's not stored on the disk but inside the registry. And it does this by leveraging RunDLL32 with JavaScript. So it was interesting to find tools that could automate the scan of the registry for something like that with YARA but I found no such tools. So I wrote a quick application, a demo application that does this.

So this is my simple YARA rule. I look for RunDLL32.exe and JavaScript, those two strings. And this is my registry scanner that takes this rule and scans through the registry. Okay, so the YARA rule here Poweliks RunDLL32.exe JavaScript triggered on the key in the current user hive for key test with test value. You can see here RunDLL32 JavaScript and Poweliks like code.

Now another thing here in registry. You can see that I have this key here. Another thing that I added is the following. If I create a new key and I use a non-ASCII character like here E with an accent then my scanner will also pick this up. Okay, so here you see a valid character. That's because this key here contains a non ASCII or not printable key.
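The two checks described in the demo, as an added Python sketch; it is not the speaker's scanner and does not use YARA itself. It assumes registry values have already been read into `(key, value name, raw bytes)` tuples, and the function names and sample entries are constructed for illustration. Matching both ASCII and UTF-16LE goes slightly beyond the demo, because registry strings are normally stored as UTF-16LE.

```python
import string

# Both strings must be present, case-insensitively, as in the rule described above.
NEEDLES = ("rundll32.exe", "javascript")
# Printable ASCII including space, but not tabs, newlines or other controls.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

def rule_matches(data: bytes) -> bool:
    """True if every needle occurs in data as ASCII or as UTF-16LE text."""
    low = data.lower()  # lowercases ASCII letters only; the 0x00 bytes are untouched
    return all(
        n.encode("ascii") in low or n.encode("utf-16-le") in low
        for n in NEEDLES
    )

def odd_name(name: str) -> bool:
    """True if a key or value name holds a non-ASCII or non-printable character."""
    return any(ch not in PRINTABLE for ch in name)

def scan(entries):
    """entries: iterable of (key_path, value_name, raw_bytes) tuples.
    Returns a list of (reason, key_path, value_name) findings."""
    findings = []
    for key, value, data in entries:
        if rule_matches(data):
            findings.append(("rule", key, value))
        if odd_name(key) or odd_name(value):
            findings.append(("name", key, value))
    return findings

# Constructed sample data, not taken from a real system or a real sample.
SAMPLE = [
    # Wide (UTF-16LE) string holding both needles in mixed case: rule hit.
    ("HKCU\\test", "test",
     "RunDLL32.EXE JavaScript:<placeholder>".encode("utf-16-le")),
    # Ordinary rundll32 use without "javascript": no hit.
    ("HKCU\\Software\\Vendor", "Path",
     b"C:\\Windows\\System32\\rundll32.exe shell32.dll"),
    # Key name containing an accented character: name hit.
    ("HKCU\\Software\\caf\u00e9", "", b"\x01\x00\x00\x00"),
]

if __name__ == "__main__":
    for reason, key, value in scan(SAMPLE):
        print(f"{reason}: {key!r} value={value!r}")
```

On Windows the tuples could be produced by walking a hive with the standard-library `winreg` module and passing each value's raw data to `scan`.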