9d891d39821b0bd8949c7a7f52b70c1e9c368499 - threatlabsnews.xcitium.com

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

9d891d39821b0bd8949c7a7f52b70c1e9c368499

Type

Win64 Executable (generic)

SHA‑1

9d891d39821b0bd8949c7a7f52b70c1e9c368499

MD5

3dd31417d184e53333bf50ab493e93f5

First Seen

2025-09-05 07:17:41.217568

Last Analysis

2025-09-05 10:20:39.168134

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 3+ hours, this malware remained undetected — a limited but sufficient window for the adversary to complete initial execution and establish basic system access.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2025-09-04 09:10:24 UTC	First VirusTotal submission	—
2025-09-09 07:40:07 UTC	Latest analysis snapshot	4 days, 22 hours, 29 minutes
2025-09-16 10:37:21 UTC	Report generation time	12 days, 1 hours, 26 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 46. Missed: 27. Coverage: 63.0%.

Detected Vendors

Xcitium
+45 additional vendors (names not provided)

List includes Xcitium plus an additional 45 vendors per the provided summary.

Missed Vendors

Acronis
Antiy-AVL
APEX
Baidu
ClamAV
CMC
Gridinsoft
huorong
Jiangmin
Kingsoft
Malwarebytes
MaxSecure
NANO-Antivirus
SentinelOne
Skyhigh
SUPERAntiSpyware
TACHYON
tehtris
Trapmine
VBA32
VirIT
ViRobot
Webroot
Yandex
Zillya
ZoneAlarm
Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (58.75% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
System	755	58.75%
Registry	252	19.61%
Network	111	8.64%
Process	54	4.20%
Device	43	3.35%
File System	40	3.11%
Threading	12	0.93%
Com	9	0.70%
Misc	3	0.23%
Synchronization	2	0.16%
Services	2	0.16%
Hooking	1	0.08%
Windows	1	0.08%

MITRE ATT&CK Mapping

T1129 – get kernel32 base address
T1129 – access PEB ldr_data
T1129 – parse PE header
T1082 – check OS version
T1027 – encrypt data using AES via x86 extensions
T1027 – encrypt data using RC4 PRGA
T1027 – encode data using Base64
T1564 – A process created a hidden window
T1027 – The binary contains an unknown PE section name indicative of packing
T1564.003 – A process created a hidden window
T1027.002 – The binary contains an unknown PE section name indicative of packing
T1071 – The PE file contains an overlay
T1071 – Attempts to connect to a dead IP:Port
T1036 – Creates files inside the user directory
T1571 – Detected TCP or UDP traffic on non-standard ports

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.
www.msftncsi.com	23.200.3.20	United States	Akamai Technologies, Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC
77.73.131.224	Kazakhstan	Not known

DNS Queries

Request	Type
5isohu.com	A
www.msftncsi.com	A
www.aieov.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC
77.73.131.224	Kazakhstan	Not known

Port Distribution

Port	Count	Protocols
137	1	udp
5355	6	udp
53	29	udp
3702	1	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.13	192.168.56.255	137	137	3.2426071166992188	udp
192.168.56.13	224.0.0.252	49311	5355	5.392282009124756	udp
192.168.56.13	224.0.0.252	54881	5355	5.7337729930877686	udp
192.168.56.13	224.0.0.252	55150	5355	3.171555995941162	udp
192.168.56.13	224.0.0.252	60010	5355	5.181626081466675	udp
192.168.56.13	224.0.0.252	62406	5355	3.17409610748291	udp
192.168.56.13	224.0.0.252	63527	5355	4.67781400680542	udp
192.168.56.13	239.255.255.250	52252	3702	3.181226968765259	udp
192.168.56.13	8.8.4.4	50554	53	127.22676610946655	udp
192.168.56.13	8.8.4.4	54879	53	7.243932008743286	udp
192.168.56.13	8.8.4.4	55551	53	159.83627915382385	udp
192.168.56.13	8.8.4.4	56197	53	145.47696900367737	udp
192.168.56.13	8.8.4.4	57310	53	51.53961396217346	udp
192.168.56.13	8.8.4.4	57415	53	65.89912104606628	udp
192.168.56.13	8.8.4.4	58697	53	7.728960990905762	udp
192.168.56.13	8.8.4.4	58920	53	80.25796413421631	udp
192.168.56.13	8.8.4.4	60910	53	98.50795197486877	udp
192.168.56.13	8.8.4.4	61004	53	174.19535398483276	udp
192.168.56.13	8.8.4.4	62493	53	36.96116018295288	udp
192.168.56.13	8.8.4.4	62849	53	22.602092027664185	udp
192.168.56.13	8.8.4.4	64533	53	192.44600701332092	udp
192.168.56.13	8.8.4.4	64801	53	112.86729097366333	udp
192.168.56.13	8.8.8.8	50554	53	126.22781300544739	udp
192.168.56.13	8.8.8.8	54879	53	8.242402076721191	udp
192.168.56.13	8.8.8.8	55551	53	158.85016202926636	udp
192.168.56.13	8.8.8.8	56197	53	144.48786306381226	udp
192.168.56.13	8.8.8.8	57310	53	50.53986310958862	udp
192.168.56.13	8.8.8.8	57415	53	64.89883708953857	udp
192.168.56.13	8.8.8.8	58697	53	8.727267026901245	udp
192.168.56.13	8.8.8.8	58920	53	79.25852704048157	udp
192.168.56.13	8.8.8.8	60543	53	205.80701112747192	udp
192.168.56.13	8.8.8.8	60910	53	97.50892901420593	udp
192.168.56.13	8.8.8.8	61004	53	173.19610714912415	udp
192.168.56.13	8.8.8.8	62493	53	35.96366310119629	udp
192.168.56.13	8.8.8.8	62849	53	21.60225510597229	udp
192.168.56.13	8.8.8.8	64533	53	191.44608998298645	udp
192.168.56.13	8.8.8.8	64801	53	111.86842799186707	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles; expand to see the full lists where available.

Registry Opened

266

Registry Set

Services Started

Services Opened

Registry Opened (Top 25)

Key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityCRL\LoginUrl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\Software\Microsoft\IdentityCRL
HKEY_LOCAL_MACHINE\Software\Microsoft\IdentityStore\LoadParameters\{B16898C6-A148-4967-9171-64D755DA8520}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\LoadParameters\{B16898C6-A148-4967-9171-64D755DA8520}\LoginUri
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\AAD\Package
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
52-54-00-61-45-5b\WpadDhcp
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PROXY_CACHE_REFRESH_KB2983228
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist\Service
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
52-54-00-61-45-5b\WpadDetectedUrl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_HSTS
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays

Show all (266 total)

Key
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_WEAK_ENCRYPTION
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
52-54-00-61-45-5b\WpadDecisionTime
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\System\Setup\SystemSetupInProgress
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{459A626F-4513-420B-8CD7-821B3E865517}\52-54-00-61-45-5b
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CLIENTAUTHCERTFILTER
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
52-54-00-61-45-5b\WpadDecisionReason
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\http
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{459A626F-4513-420B-8CD7-821B3E865517}
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
HKEY_LOCAL_MACHINE\System\Setup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
52-54-00-61-45-5b\WpadDecision
HKEY_CURRENT_USER\Software
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Parental Controls\users\S-1-5-21-4270068108-2931534202-3907561125-1001
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
52-54-00-61-45-5b\WpadDns
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-61-45-5b
HKEY_LOCAL_MACHINE\Software\Policies
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_WEAK_ENCRYPTION
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\Software\Microsoft\LanguageOverlay\OverlayPackages\en-US
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
HKEY_CURRENT_USER_Classes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_EXCLUDE_INVALID_CLIENT_CERT_KB929477
HKEY_LOCAL_MACHINE\Security\Internet Explorer\User Agent
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Tablet PC\
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BYPASS_CACHE_FOR_CREDPOLICY_KB936611
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_PASSPORT_SESSION_STORE_KB948608
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\AppCompat
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RETURN_FAILED_CONNECT_CONTENT_KB942615
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\user
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Winsock\Setup Migration\Providers\Tcpip6
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BUFFERBREAKING_818408
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}\PropertyBag
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{a168aadc-1674-49da-ad4f-4f27df8760d0}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_ENABLE_HTTP2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_CNAME_FOR_SPN_KB911149
HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler\*
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\software.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions\TenantRestrictionsPlugin.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_TOKEN_BINDING
HKEY_CURRENT_USER_Classes\PROTOCOLS\Name-Space Handler\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\dnscache
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DIGEST_NO_EXTRAS_IN_URI
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Containers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InprocHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
HKEY_CURRENT_USER_Classes\PROTOCOLS\Name-Space Handler\*\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URI_DISABLECACHE
HKEY_CURRENT_USER\ZoneMap\Ranges\
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Security
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\LocalServer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppModel\Lookaside\machine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_UTF8_FOR_BASIC_AUTH_KB967545
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{A168AADC-1674-49DA-AD4F-4F27DF8760D0}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\Elevation
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_COMPAT_USE_CONNECTION_BASED_NEGOTIATE_AUTH_KB2151543
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole\FeatureDevelopmentProperties
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PRESERVE_SPACES_IN_FILENAMES_KB952730
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_TOKEN_BINDING
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_MAPPINGS_FOR_CREDPOLICY
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISALLOW_NULL_IN_RESPONSE_HEADERS
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALWAYS_USE_DNS_FOR_SPN_KB3022771
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\Microsoft\Cryptography\Configuration
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NOTIFY_UNVERIFIED_SPN_KB2385266
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_ENABLE_HTTP2
HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Name-Space Handler\http
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\software.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SKIP_POST_RETRY_ON_INTERNETWRITEFILE_KB895954
HKEY_CURRENT_USER_Classes\PROTOCOLS\Name-Space Handler\http\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PERMIT_CACHE_FOR_AUTHENTICATED_FTP_KB910274
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\RETRY_HEADERONLYPOST_ONCONNECTIONRESET
HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\TreatAs
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PolicyExtensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCH_SEND_AUX_RECORD_KB_2618444
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FIX_CHUNKED_PROXY_SCRIPT_DOWNLOAD_KB843289
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions\{352481E8-33BE-4251-BA85-6007CAEDCF9D}\PropertyBag
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\

Registry Set (Top 25)

Key	Value
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings	46 00 00 00 04 01 00 00 03 00 00 00 14 00 00 00 65 78 74 72 61 63 74 6F 72 2E 70 72 6F 78 79 3A 38 30 38 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D0 5C 01 4D C1 D5 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer	%HTTP_PROXY%:8080
HKEY_USERS\S-1-5-21-575823232-3065301323-1442773979-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1
Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	0
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings	F
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix	Cookie:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix	Visited:
{459A626F-4513-420B-8CD7-821B3E865517}\WpadDecisionReason	1
{459A626F-4513-420B-8CD7-821B3E865517}\WpadDecisionTime	毵᫑ǜ넰3
{459A626F-4513-420B-8CD7-821B3E865517}\WpadDecision	0
{459A626F-4513-420B-8CD7-821B3E865517}\WpadNetworkName	Network 2
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager	—

Services Started (Top 15)

Services Opened (Top 15)

Service
dnsCache

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report