During a malware investigation, a forensic analyst observes that a suspicious process creates a mutex named 'Global\MyMutex' and writes to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. What behavioral indicator does this represent?
The Run registry key is a standard persistence location; malware adds itself to launch automatically at system startup.
Why this answer
Writing to the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run is a classic persistence mechanism. This key is processed by the Windows Session Manager (smss.exe) and the Winlogon process at every user logon, causing the specified executable to launch automatically. Combined with the creation of a named mutex (Global\MyMutex) to prevent multiple instances, this behavior indicates the malware is ensuring it survives a system reboot and maintains a single running copy.
Exam trap
EC-Council often tests the distinction between persistence mechanisms and other malware behaviors; candidates mistakenly associate any registry write with C2 or evasion, when the Run key in particular is explicitly designed for automatic startup after reboot.
How to eliminate wrong answers
Option B is wrong because writing to the Run registry key does not involve any cryptographic operations; encryption of sensitive data would typically involve API calls like CryptEncrypt or BCryptEncrypt, not registry modifications. Option C is wrong because establishing a C2 channel requires network communication (e.g., HTTP/S, DNS, or raw socket connections), not the creation of a local mutex or a registry run key. Option D is wrong because evading sandbox detection often involves techniques like checking for debuggers, virtual machine artifacts, or delaying execution, not simply creating a mutex and writing to a well-known persistence location.