Zero‑Dwell Threat Intelligence Report
A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-11-20 08:41:06 UTC
Executive Overview — What We’re Dealing With
This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.
File
caef2db273f466df3e2fa8c61bca6f9d58c99057
Type
Microsoft Visual C++ compiled executable (generic)
SHA‑1
caef2db273f466df3e2fa8c61bca6f9d58c99057
MD5
058a1dbfa03cac6cc67d34a4dcc69445
First Seen
2025-11-14 19:58:16.742631
Last Analysis
2025-11-15 20:48:21.217400
Dwell Time
0 days, 7 hours, 33 minutes
Extended Dwell Time Impact
For 1+ days, this malware remained undetected — a brief but concerning window that permitted the adversary to establish initial foothold, perform basic system enumeration, and potentially access immediate system resources.
Comparative Context
Industry studies report a median dwell time closer to 21–24 days. This case is significantly below that median, suggesting relatively quick detection.
Timeline
| Time (UTC) | Event | Elapsed |
|---|---|---|
| 2025-07-17 16:03:07 UTC | First VirusTotal submission | — |
| 2025-11-19 12:19:48 UTC | Latest analysis snapshot | 124 days, 20 hours, 16 minutes |
| 2025-11-20 08:41:06 UTC | Report generation time | 125 days, 16 hours, 37 minutes |
Why It Matters
Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.
Global Detection Posture — Who Caught It, Who Missed It
VirusTotal engines: 73. Detected as malicious: 56. Missed: 17. Coverage: 76.7%.
Detected Vendors
- Xcitium
- +55 additional vendors (names not provided)
List includes Xcitium plus an additional 55 vendors per the provided summary.
Missed Vendors
- Acronis
- Antiy-AVL
- APEX
- Baidu
- ClamAV
- CMC
- google_safebrowsing
- Gridinsoft
- Jiangmin
- NANO-Antivirus
- SUPERAntiSpyware
- TACHYON
- tehtris
- VBA32
- Webroot
- Yandex
- Zoner
Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.
MITRE ATT&CK Mapping
- T1083 – get common file path
- T1136 – add user account
- T1082 – query environment variable
- T1083 – check if file exists
- T1134 – acquire debug privileges
- T1490 – disable automatic Windows recovery features
- T1027 – encode data using XOR
- T1082 – get hostname
- T1497.001 – reference anti-VM strings
- T1531 – delete user account
- T1113 – capture screenshot
- T1082 – get disk information
- T1134 – modify access privileges
- T1497.001 – reference anti-VM strings targeting Parallels
- T1129 – parse PE header
- T1082 – get disk size
- T1012 – query or enumerate registry value
- T1129 – link function at runtime on Windows
- T1490 – delete volume shadow copies
- T1070.004 – delete volume shadow copies
- T1497.001 – reference anti-VM strings targeting VirtualBox
- T1082 – enumerate disk volumes
- T1497.001 – reference anti-VM strings targeting VMWare
- T1083 – get file size
- T1497.001 – reference anti-VM strings targeting Qemu
- T1047 – connect to WMI namespace via WbemLocator
- T1053.005 – schedule task via schtasks
- T1055.012 – use process replacement
- T1620 – use process replacement
- T1070.004 – self delete
- T1057 – enumerate processes
- T1518 – enumerate processes
- T1098 – add user account to group
- T1071 – Anomalous binary characteristics
- T1071 – Binary file triggered multiple YARA rules
- T1055 – Contains .tls (Thread Local Storage) section
- T1027 – The binary contains an unknown PE section name indicative of packing
- T1027.002 – The binary contains an unknown PE section name indicative of packing
- T1045 – Manalize Local SandBox Packer Harvesting
- T1059 – Apparent Internal Usage of CMD.EXE
- T1063 – It Tries to detect injection methods
- T1542.003 – May use bcdedit to modify the Windows boot settings
- T1070.004 – May delete shadow drive data (may be related to ransomware)
Following the Trail — Network & DNS Activity
Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.
Contacted Domains
| Domain | IP | Country | ASN/Org |
|---|---|---|---|
| www.msftncsi.com | 23.200.3.71 | United States | Akamai Technologies, Inc. |
Observed IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
DNS Queries
| Request | Type |
|---|---|
| 5isohu.com | A |
| www.msftncsi.com | A |
Contacted IPs
| IP | Country | ASN/Org |
|---|---|---|
| 224.0.0.252 | — | — |
| 239.255.255.250 | — | — |
| 8.8.4.4 | United States | Google LLC |
| 8.8.8.8 | United States | Google LLC |
Port Distribution
| Port | Count | Protocols |
|---|---|---|
| 137 | 1 | udp |
| 5355 | 5 | udp |
| 53 | 4 | udp |
| 3702 | 1 | udp |
UDP Packets
| Source IP | Dest IP | Sport | Dport | Time | Proto |
|---|---|---|---|---|---|
| 192.168.56.13 | 192.168.56.255 | 137 | 137 | 3.250594139099121 | udp |
| 192.168.56.13 | 224.0.0.252 | 49311 | 5355 | 5.744945049285889 | udp |
| 192.168.56.13 | 224.0.0.252 | 55150 | 5355 | 3.1742849349975586 | udp |
| 192.168.56.13 | 224.0.0.252 | 60010 | 5355 | 5.184711933135986 | udp |
| 192.168.56.13 | 224.0.0.252 | 62406 | 5355 | 3.18910813331604 | udp |
| 192.168.56.13 | 224.0.0.252 | 63527 | 5355 | 4.432197093963623 | udp |
| 192.168.56.13 | 239.255.255.250 | 52252 | 3702 | 3.194214105606079 | udp |
| 192.168.56.13 | 8.8.4.4 | 54879 | 53 | 7.74506402015686 | udp |
| 192.168.56.13 | 8.8.4.4 | 54881 | 53 | 7.011030912399292 | udp |
| 192.168.56.13 | 8.8.8.8 | 54879 | 53 | 8.744038105010986 | udp |
| 192.168.56.13 | 8.8.8.8 | 54881 | 53 | 8.010081052780151 | udp |
Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.
Persistence & Policy — Registry and Services
Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.
Registry Opened
200
Registry Set
0
Services Started
0
Services Opened
0
Registry Opened (Top 25)
| Key |
|---|
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc |
| HKEY_LOCAL_MACHINE\ZoneMap\Ranges\ |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6976CF5-68A8-436C-975A-40BE53616D59} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine |
| HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\default\AppHVSI\AllowAppHVSI |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\Elevation |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Device security |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Systray |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Policy Manager |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\TreatAs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 |
| HKEY_USERS.DEFAULT\Control Panel\Desktop\LanguageConfiguration |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A} |
| HKEY_LOCAL_MACHINE\Software |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Time Service |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Device Driver |
| HKEY_LOCAL_MACHINE\software\policies\Microsoft\AppHVSI |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A2A6D7C6-ECBD-439E-9244-9E784608439F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Account protection |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityHealthService.exe |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State\Dynamic |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CleanPC |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Update Monitor |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Display |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{434AEC1C-8583-45EC-B88F-750D6F380BC3} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{470B9B9B-0E95-4963-B265-5D58E5808C3D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9} |
| HKEY_LOCAL_MACHINE\Software\Classes\Unmarshalers\System\{00000339-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3C03EBDD-BE8F-4E39-8B9C-EA0B1EA8395C} |
Show all (200 total)
| Key |
|---|
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\TreatAs |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\InprocHandler |
| HKEY_LOCAL_MACHINE\Software\Microsoft\HVSI |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{816A45F9-7406-42BB-B4FA-A655D96F2A8A} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\RemovalTools\MRT |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Reliability |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\App and Browser protection |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\TreatAs |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions |
| HKEY_LOCAL_MACHINE\Software\Policies |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1B48339C-D15E-45F3-AD55-A851CB66BE6B} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon |
| HKEY_LOCAL_MACHINE\Software\Classes |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\LocalServer |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\Elevation |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8956DE3F-472B-4FBC-AF5F-748F61CBC386} |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService\Security |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Firewall and network protection |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration |
| HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\State |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DBDB628F-AEEE-4630-9FEC-4256620CDB8D} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A} |
| HKEY_USERS.DEFAULT\Control Panel\International |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Security Health\Platform |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Storage Health Metrics |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager |
| HKEY_LOCAL_MACHINE\System\Setup |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47782907-6A6D-44BC-8872-4E45E994E6F9} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2557A77E-882D-4633-960E-0C718670C1C7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{37529A8C-668C-4D7B-8EC0-FFB545A337FC} |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Device performance and health |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E3C9166D-1D39-4D4E-A45D-BC7BE9B00578} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{136FECC8-05C4-4DEA-AC27-4C0666C20320} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Signature |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Security |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7AD0F0FC-7043-4A81-BBFA-9F68ADC97122} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\OLE |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2D15188C-D298-4E10-83B2-64666CCBEBBD} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E041C90B-68BA-42C9-991E-477B73A75C90} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4 |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BD8A8E7D-E42F-434A-8215-C7ECB6C32786}\TreatAs |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\SecurityHealthService.exe |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC66E708-C687-42EA-806E-83D41C9D1A5F}\TreatAs |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Storage Health |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl |
| HKEY_USERS.DEFAULT\Control Panel\Desktop\MuiCached |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecurityHealthService |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Security |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{5FEEED48-1AE6-4C15-9D6E-27DD3DF6CAC8} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D6B0D1EB-456E-48FF-A3E3-F393C74B85DB} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\VAILSettings\ |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F99A566C-42AE-4DE2-AD4D-D297A04C5433} |
| HKEY_USERS.DEFAULT\Control Panel\Desktop\MuiCached\MachineLanguageConfiguration |
| HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{74FA5D1F-BBD3-4F3E-8776-41EDEFC608D9}\InprocHandler |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915 |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\LocalServer32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08728914-3F57-4D52-9E31-49DAECA5A80A}\InprocServer32 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Ole |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Status Codes |
| HKEY_LOCAL_MACHINE\Software\WOW6432Node |
| HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager\current\Device\AppHVSI |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Security Health\Health Advisor\Battery |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{82345212-6ACA-4B38-8CD7-BF9DE8ED07BD}\InprocHandler32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{FF986EAD-F547-477F-8F40-2DCCAD2D76C0} |
| HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C39622C7-DDA7-4385-BD69-B6CC374C2E2F} |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EDAE4045-CAE6-4706-8973-FA69715B8C10} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD032184-B0DE-4962-BBAC-146621F0770E} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5CF41123-E9E6-4AC0-85A7-C4001F513C6A}\InprocHandler |
| HKEY_LOCAL_MACHINE\Software\Classes\Unmarshalers\System\{00000338-0000-0000-C000-000000000046} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Enterprise Customization |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{63436228-BAFC-4ACD-A2AE-75E4F5108AB1} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C9C0DB7-2CBA-40F1-AFE0-C55740DD91A0} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D71BECE8-17B8-4636-832C-D010D4F847F7} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{DFD80D65-D501-43B2-A8FF-86617BD81EA7}\ProxyStubClsid32 |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{15C23079-E719-4E7C-BD9C-F20983A9480F} |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Family options |
| HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MUI\Settings |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{36383E77-35C2-4B45-8277-329E4BEDF47F}\InprocHandler |
| HKEY_USERS.DEFAULT\Control Panel\Desktop |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BDD8A353-2577-40A0-BB02-22A99A86B34F} |
Registry Set (Top 25)
Services Started (Top 15)
Services Opened (Top 15)
What To Do Now — Practical Defense Playbook
- Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
- EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
- Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
- Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
- Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.
Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.