Win32/MuddyWater Implementation Employs DISPLAY Drives Handler Mimicry for Payload Delivery

  • May 8, 2026

Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2026-05-08 14:17:56 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File:           inrerfzrp.exe
Type:           Win32 Dynamic Link Library (generic)
SHA-1:          c16099c29ccdb34764e4d15b1dab2d141d159950
MD5:            439c0a0a46627bd166e08436f383ad56
First Seen:     2026-05-08 13:11:52.046512
Last Analysis:  2026-05-08 13:20:54.149177
Dwell Time:     0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

Detected within roughly 9+ minutes of first sighting, this malware was intercepted during its initial execution phases, demonstrating excellent security controls that severely limited adversary capabilities.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents extremely rapid detection within minutes.

Timeline

Time (UTC)                Event                         Elapsed
2026-02-18 18:50:37 UTC   First VirusTotal submission
2026-05-08 13:27:28 UTC   Latest analysis snapshot      78 days, 18 hours, 36 minutes
2026-05-08 14:17:56 UTC   Report generation time        78 days, 19 hours, 27 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 45. Missed: 27. Coverage: 62.5%.

Detected Vendors

  • Xcitium
  • +44 additional vendors (names not provided)


Missed Vendors

  • Acronis
  • Alibaba
  • Antiy-AVL
  • APEX
  • Avira
  • CAT-QuickHeal
  • ClamAV
  • CMC
  • Cylance
  • Cynet
  • Elastic
  • google_safebrowsing
  • Gridinsoft
  • Jiangmin
  • Kingsoft
  • MaxSecure
  • NANO-Antivirus
  • Sangfor
  • SentinelOne
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • Tencent
  • Trapmine
  • Xcitium
  • Yandex
  • Zoner

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Dominant system-level operations (88.71% of behavior) suggest this malware performs deep system reconnaissance, privilege escalation, or core OS manipulation. It’s actively probing system defenses and attempting to gain administrative control.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category      Weight   Percentage
System        872      88.71%
Network       67       6.82%
File System   12       1.22%
Process       9        0.92%
Threading     9        0.92%
Misc          7        0.71%
Registry      6        0.61%
Hooking       1        0.10%

MITRE ATT&CK Mapping

  • T1083 – get common file path
  • T1033 – get session user name
  • T1087 – get session user name
  • T1082 – get hostname
  • T1070.004 – self delete
  • T1071 – The PE file contains a suspicious PDB path
  • T1071 – The PE file contains an overlay
  • T1071 – Attempts to connect to a dead IP:Port
  • T1573 – Establishes an encrypted HTTPS connection

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain             IP              Country         ASN/Org
moonzonet.com      104.21.93.242   United States   Cloudflare, Inc.
www.aieov.com      13.248.169.48   United States   Amazon Technologies Inc.
www.msftncsi.com   23.219.36.108   United States   Akamai Technologies, Inc.

Observed IPs

IP                Country         ASN/Org
224.0.0.252       (link-local multicast)
239.255.255.250   (link-local multicast)
8.8.4.4           United States   Google LLC
8.8.8.8           United States   Google LLC

DNS Queries

Request            Type
5isohu.com         A
www.msftncsi.com   A
www.aieov.com      A
moonzonet.com      A

Port Distribution

Port   Count   Protocols
137    1       udp
5355   5       udp
53     84      udp
3702   1       udp


Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence: the sample read 117 registry keys but set none, and started or opened no services. Below is a compact view of the most relevant keys and handles.

Registry Opened:    117
Registry Set:       0
Services Started:   0
Services Opened:    0

Registry Opened (all 117 keys)

Key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableDAForAllNetworks
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7\Name
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\TestMode_AdaptiveTimeoutHistoryLength
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterReverseLookup
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextLockCount
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PreferLocalOverLowerBindingDNS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableMulticast
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\NewDhcpSrvRegistration
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AppendToMultiLabelName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCachedSockets
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableSmartNameResolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableCoalescing
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableIdnEncoding
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableMDNS
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ShareTcpConnections
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableServerUnreachability
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AdapterTimeoutLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenUnreachableServers
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DowncaseSpnCauseApiOwnerIsTooLazy
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSenderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationEnabled
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterClusterIp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenBadTlds
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableDynamicUpdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DomainNameDevolutionLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ForceQueriesOverTcp
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseEdns
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableParallelAandAAAA
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\UserContextListCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationTTL
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterPrimaryName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableWanDynamicUpdate
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationMaxAddressCount
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenDefaultServers
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7a\52C64B7E
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationOverwrite
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableSmartProtocolReordering
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableAdapterDomainName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryIpMatching
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterVPNTrigger
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UdpRecvBufferSize
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AllowUnqualifiedQuery
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PrioritizeRecordData
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\WaitForNameErrorOnAll
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterWanAdapters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableIdnMapping
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryAdapterName
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UpdateSecurityLevel
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastResponderFlags
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\TestMode_AdaptiveTimeoutRecalculationInterval
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo
HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\7a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsTest
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseNewRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSenderMaxTimeout
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServerPriorityTimeLimit
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DirectAccessQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseDomainNameDevolution
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryNetBTFQDN
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ResolverRegistrationOnly
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ResolverRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\StringCacheSettings\StringCacheGeneration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ShortnameProxyDefault
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxNegativeCacheTtl
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsSecureNameQueryFallback
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DynamicServerQueryOrder
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseHostsFile
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\EnableMultiHomedRouteConflicts
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DisableNRPTForAdapterRegistration
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\CacheAllCompartments
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\WinSock_Registry_Version
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DirectAccessPreferLocal
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AddrConfigControl
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\Schannel
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\AuthRoot
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\Root
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\EnterpriseCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\CA
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Policies\Microsoft\SystemCertificates\Root
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\SystemCertificates\SmartCardRoot
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextLockCount
System\CurrentControlSet\Control\SecurityProviders\Schannel\UserContextListCount
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Segment Heap
HKEY_LOCAL_MACHINE\Software\Microsoft\Wow64\x86

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.
