What are the registry and environment variable artifacts to check for CLR-based backdoor detection?
Check two kinds of artifact. First, the environment variables that switch the profiler on: `COR_ENABLE_PROFILING=1` and `COR_PROFILER={CLSID}`, plus `COR_PROFILER_PATH`, which names the DLL directly and lets the CLR skip the registry lookup altogether, so a check that only looks at CLSID keys misses that variant. Look for them in the environment blocks of running processes and in the locations where they persist across reboots: `HKCU\Environment` (per user), `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment` (machine-wide) and the `Environment` value under individual `HKLM\SYSTEM\CurrentControlSet\Services\<name>` keys (per service). Second, the COM registration the CLR resolves `COR_PROFILER` through: `HKEY_CURRENT_USER\Software\Classes\CLSID\{CLSID}\InprocServer32`, whose default value is the path of the DLL that gets loaded into every .NET process started with the variables set. Any CLSID subkey there whose `InprocServer32` points at an unexpected, unsigned or user-writable DLL is suspicious. `HKCU\Software\Classes` sits ahead of `HKLM\Software\Classes` in the `HKEY_CLASSES_ROOT` merge, so a per-user entry overrides the machine registration and can be written without administrative rights. These are the same persistence mechanisms the attack relies on, as described in the article's detection section.
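One way to sweep a live host for these artifacts, written here as an added example rather than code from the article: it reads the profiler variables from the process, user and machine scopes and from per-service `Environment` values, then examines every per-user CLSID with an `InprocServer32` and any CLSID a profiler variable points at. It goes slightly beyond the article by also checking the `CORECLR_*` variable names that .NET Core uses; the trusted-root list (Windows and Program Files) and the signature check are this example's heuristics, not something the article prescribes.

```powershell
# Added example, not code from the article: hunt for CLR profiler persistence on a live
# Windows host. Assumes Windows PowerShell 5.1 or later. HKCU is per user, so run it in the
# context of each account under review; the HKLM and service checks need elevation.
# The CORECLR_* names are this example's extension (.NET Core uses that prefix).

$profilerVars = 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH',
                'CORECLR_ENABLE_PROFILING', 'CORECLR_PROFILER', 'CORECLR_PROFILER_PATH'
$findings = [System.Collections.Generic.List[object]]::new()
$referencedClsids = [System.Collections.Generic.List[string]]::new()

function Add-Finding($Source, $Name, $Value, $Reason) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value; Reason = $Reason })
}

# 1. Environment variables: this process's block plus the persistent User and Machine
#    locations (HKCU\Environment and HKLM\...\Session Manager\Environment).
foreach ($scope in 'Process', 'User', 'Machine') {
    foreach ($name in $profilerVars) {
        $value = [Environment]::GetEnvironmentVariable($name, $scope)
        if ($value) {
            Add-Finding "Env:$scope" $name $value 'profiler variable set'
            # Remember the CLSID so the COM registration it resolves to can be inspected below.
            if ($name -like '*_PROFILER' -and $value -match '^\{[0-9A-Fa-f-]{36}\}$') {
                $referencedClsids.Add($value.ToUpperInvariant())
            }
        }
    }
}

# 2. Per-service environment blocks: the SCM injects the REG_MULTI_SZ 'Environment' value of
#    a service key into that service's process, which lets an attacker target one host process.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $svcEnv = (Get-ItemProperty -Path $_.PSPath -Name Environment -ErrorAction SilentlyContinue).Environment
    if ($svcEnv) {
        foreach ($entry in @($svcEnv)) {
            if ($entry -match '^(COR|CORECLR)_(ENABLE_PROFILING|PROFILER|PROFILER_PATH)=') {
                Add-Finding "Service:$($_.PSChildName)" 'Environment' $entry 'profiler variable in service environment'
            }
        }
    }
}

# 3. COM registrations the CLR resolves COR_PROFILER through. Every HKCU CLSID with an
#    InprocServer32 is examined because HKCU\Software\Classes overrides HKLM in the
#    HKEY_CLASSES_ROOT merge and is writable without admin rights.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Test-InprocServer($Hive, $Clsid) {
    $key = Get-ItemProperty -Path "$Hive\Software\Classes\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $dll = [Environment]::ExpandEnvironmentVariables([string]$key.'(default)')
    if (-not $dll) { return }
    $reasons = @()
    if ($referencedClsids -contains $Clsid.ToUpperInvariant()) { $reasons += 'CLSID named by a profiler variable' }
    if (-not ($trustedRoots | Where-Object { $dll.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $reasons += 'DLL outside Windows/Program Files'
    }
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } else {
        $reasons += 'DLL not found at recorded path'
    }
    if ($reasons) { Add-Finding "$Hive\Software\Classes\CLSID\$Clsid" 'InprocServer32' $dll ($reasons -join '; ') }
}

Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-InprocServer 'HKCU:' $_.PSChildName }
# A CLSID named by a profiler variable is also resolved against HKLM, where it lands when
# the attacker had administrative rights.
foreach ($clsid in $referencedClsids) { Test-InprocServer 'HKLM:' $clsid }

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No CLR profiler artifacts found.' }
```

Two limits worth knowing when reading the output: the `Process` scope is only this script's own environment, so a profiler set solely in another process's block (for example by a parent that spawned it) shows up only in that process, and the script does not walk `Wow6432Node`, which is where a 32-bit .NET process on 64-bit Windows resolves its CLSID. Per-user COM registrations are also legitimately created by per-user installers, so a hit on the trusted-root heuristic alone is a lead to triage, not a verdict.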