Analysis

- Max time kernel: 151s
- Platform: windows7_x64
- Resource: win7v200217
- Submitted: 19-03-2020 03:26
Static task: static1

Behavioral task: behavioral1
  Sample: 冠状病毒.exe.bin.exe
  Resource: win7v200217 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 冠状病毒.exe.bin.exe
  Resource: win10v200217 (windows10_x64)
  0 signatures, 0 seconds

The task rows on the page read 0 signatures / 0 seconds; the Signatures section further down is attributed to the windows7_x64 run named in the Analysis header and is anything but empty, so treat the per-task counters as a rendering artifact rather than as a result.
General

- Target: 冠状病毒.exe.bin.exe (the base name is Chinese for "coronavirus")
- Size: 16KB
- MD5: 674805b536e872a7b6412711699ee44f
- SHA1: 8926009b3d9c76ec9f30a42ac149621b5a722a2a
- SHA256: adde95e8813ca27d88923bd091ca2166553a7b904173ef7a2c04bb3ddf8b14a9
- SHA512: f35c0c365c12a4cd1a7a4c78f0b85dee278f256322f1be87d998db24b9f985ca7cba44ef4c4c2846c0fac0cba293b39d62996ea2e088c770d3ce70dabd18f40b
- Score: 10/10
Malware Config

Signatures

What the run shows, before the per-signature detail: the 16KB sample (pid 1868) spawns four cmd.exe children (pids 1884, 1892, 1912 and 1936), and cmd.exe 1892 spawns reg.exe (pid 1992). The cmd.exe processes open tens of thousands of files under c:\Program Files, c:\Program Files (x86), c:\ProgramData and c:\Windows (winsxs, servicing packages, Boot\EFI, Fonts, Cursors) for modification, and reg.exe deletes large subtrees of HKLM\SOFTWARE (Classes, Active Setup\Installed Components, Internet Explorer, Windows Defender, Image File Execution Options, ShellServiceObjectDelayLoad). Every registry IoC on this page is a "Key deleted" event and every file IoC is an "opened for modification" event, with no dropped payload, no network signature and no persistence write, which is the profile of a destructive payload driven through built-in tools rather than of a stealer or a backdoor. Several signature names below ("Adds autorun key", "Sets file execution options", "Modifies Installed Components") are the sandbox's heuristics for writes to those locations; read them against the IoCs, which are deletions.

Nearly every registry path sits under Wow6432Node, the WOW64-redirected view that 32-bit processes see, so reg.exe was most likely the 32-bit SysWOW64 copy inherited from a 32-bit sample. Image File Execution Options is a shared (non-redirected) key, which is why it alone appears without Wow6432Node. Deleting the 32-bit view leaves the native 64-bit keys read by 64-bit components intact, which matters when estimating impact.

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    冠状病毒.exe.bin.exe (pid 1868)
- (signature name not captured on the page; 2 IoCs)
  Processes:
    reg.exe
      Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Scan
      Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet
  Both keys are in the WOW64-redirected 32-bit view. The 64-bit Defender service reads the native HKLM\SOFTWARE\Microsoft\Windows Defender key, so this event does not by itself show that Defender was reconfigured or that MAPS/SpyNet reporting was disabled; confirm against the native key before reporting it as defense evasion.
- Drops file in Program Files directory (2344 IoCs; the page lists the first 64)
  Process: cmd.exe. Every entry is "File opened for modification". Paths are NT object-manager paths (\??\ prefix) with 8.3 short names: on a default x64 image PROGRA~1, PROGRA~2 and PROGRA~3 normally resolve to c:\Program Files, c:\Program Files (x86) and c:\ProgramData, and the contents identify WI4223~1 as Windows Sidebar (gadgets), DVDMAK~1 as DVD Maker and READER~1.0 as Adobe Reader. Short names are assigned per volume, so confirm them on the sandbox image (dir /x) before turning them into detection content. The IoC records the open, not a successful write.
    \??\c:\PROGRA~2\Adobe\READER~1.0\Resource\TYPESU~1\Unicode\Mappings\win\CP1250.TXT
    \??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\144DPI\(144DPI)notConnectedStateIcon.png
    \??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\28.png
    \??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\29.png
    \??\c:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\en-US\calendar.html
    \??\c:\PROGRA~1\WI4223~1\Gadgets\CURREN~1.GAD\images\base-undocked-3.png
    \??\c:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\STOP_C~1.GIF
    \??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-waxing-gibbous_partly-cloudy.png
    \??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-waxing-crescent.png
    \??\c:\PROGRA~2\INTERN~1\networkinspection.dll
    \??\c:\PROGRA~2\WI4223~1\Gadgets\CALEND~1.GAD\images\bg-desk.png
    \??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\ipsfin.xml
    \??\c:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\en-US\css\flyout.css
    \??\c:\PROGRA~2\Adobe\READER~1.0\Resource\LINGUI~1\LANGUA~1\DISPLA~1.TXT
    \??\c:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\settings_box_top.png
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Travel\TravelIntroToMainMask.wmv
    \??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\41.png
    \??\c:\PROGRA~2\WINDOW~1\WinMail.exe
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\NavigationLeft_SelectionSubpicture.png
    \??\c:\PROGRA~2\COMMON~1\MICROS~1\ink\pipanel.dll
    \??\c:\PROGRA~2\COMMON~1\System\msadc\msadcfr.dll
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Travel\btn-next-static.png
    \??\c:\PROGRA~1\WI54FB~1\NETWOR~1\wmpnss_color48.png
    \??\c:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\images\trad_dot.png
    \??\c:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\logo.png
    \??\c:\PROGRA~1\COMMON~1\MICROS~1\ink\hwrusalm.dat
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Full\pushplaysubpicture.png
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Push\NavigationLeft_SelectionSubpicture.png
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyGirl\content-foreground.png
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\RESIZI~1\Panel_Mask_PAL.wmv
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\HueCycle\NavigationRight_SelectionSubpicture.png
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Push\NavigationRight_SelectionSubpicture.png
    \??\c:\PROGRA~2\WI4223~1\Gadgets\CLOCK~1.GAD\images\trad_s.png
    \??\c:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\en-US\settings.html
    \??\c:\PROGRA~2\Adobe\READER~1.0\Reader\plug_ins\ANNOTA~1\Stamps\ENU\STANDA~1.PDF
    \??\c:\PROGRA~2\REFERE~1\MICROS~1\FRAMEW~1\v3.5\Microsoft.Build.Utilities.v3.5.dll
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\SPECIA~1\specialmainsubpicture.png
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Vignette\softedges.png
    \??\c:\PROGRA~1\INTERN~1\perfcore.dll
    \??\c:\PROGRA~1\WI4223~1\Gadgets\CLOCK~1.GAD\images\modern_m.png
    \??\c:\PROGRA~1\WI4223~1\Gadgets\RSSFEE~1.GAD\icon.png
    \??\c:\PROGRA~2\Adobe\READER~1.0\Reader\CRYPTO~1.SIG
    \??\c:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\EMAIL_~1.GIF
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\PERFOR~1\title_trans_notes.wmv
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\Sports\SportsScenesBackground_PAL.wmv
    \??\c:\PROGRA~1\REFERE~1\MICROS~1\FRAMEW~1\v3.0\System.Runtime.Serialization.dll
    \??\c:\PROGRA~1\DVDMAK~1\rtstreamsource.ax
    \??\c:\PROGRA~2\Adobe\READER~1.0\Resource\LINGUI~1\PROVID~1\PROXIM~1\11.00\usa37.hyp
    \??\c:\PROGRA~1\COMMON~1\System\msadc\msdfmap.dll
    \??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_black_moon-new.png
    \??\c:\PROGRA~2\Adobe\READER~1.0\Reader\AMT\AUMPRO~1.CER
    \??\c:\PROGRA~2\WI4223~1\Gadgets\PICTUR~1.GAD\Images\6.png
    \??\c:\PROGRA~1\INTERN~1\jsprofilerui.dll
    \??\c:\PROGRA~1\WI4223~1\Gadgets\PICTUR~1.GAD\Images\settings_box_right.png
    \??\c:\PROGRA~1\WI4223~1\Gadgets\WEATHE~1.GAD\images\undocked_gray_thunderstorm.png
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\FlipPage\NavigationUp_SelectionSubpicture.png
    \??\c:\PROGRA~2\WI4223~1\Gadgets\SLIDES~1.GAD\images\ON_DES~1\slideshow_glass_frame.png
    \??\c:\PROGRA~3\MICROS~1\DEVICE~1\Task\{E35BE~1\print_queue.ico
    \??\c:\PROGRA~3\MICROS~1\USERAC~1\DEFAUL~1\usertile44.bmp
    \??\c:\PROGRA~1\DVDMAK~1\Shared\DVDSTY~1\BabyBoy\BabyBoyNotesBackground_PAL.wmv
    \??\c:\PROGRA~1\WI4223~1\Gadgets\CALEND~1.GAD\images\calendar_single_orange.png
    \??\c:\PROGRA~2\Adobe\READER~1.0\Reader\Tracker\FORMS_~1.GIF
    \??\c:\PROGRA~2\WINDOW~2\ACCESS~1\en-US\wordpad.exe.mui
    \??\c:\PROGRA~2\WI4223~1\Gadgets\WEATHE~1.GAD\images\120DPI\(120DPI)greenStateIcon.png
- Modifies registry key (1 TTP, 1 IoC; the IoC itself is not shown on the page)
- Drops file in Windows directory (21615 IoCs; the page lists the first 64)
  Process: cmd.exe. Every entry is "File opened for modification". Most entries are component-store payloads under c:\Windows\winsxs (the AM…~1.163 / .164 / .175 short names are amd64_… component directories), plus servicing packages (SERVIC~1\Packages), Boot\EFI, Fonts, Cursors, ehome, Microsoft.NET and PolicyDefinitions. Drivers (atapi.sys, srv2.sys, beep.sys, IPMIDrv.sys) and system DLLs (oleaut32.dll, wbemcomn.dll) being opened for modification inside winsxs is what makes this a destructive indicator: those copies are what sfc and component repair fall back on. Whether the writes succeeded depends on the sandbox running the sample with administrative rights and on the TrustedInstaller-owned ACLs in these directories; cross-check with the file-system diff before reporting the image as damaged.
    \??\c:\Windows\winsxs\AMF1AA~1.175\migwiz.exe
    \??\c:\Windows\winsxs\AM7B0E~1.164\PSMODU~1.DLL
    \??\c:\Windows\winsxs\AM2274~1.163\Amd64\RIA810D6.GPD
    \??\c:\Windows\winsxs\AMCE78~1.163\QL2300~1.INF
    \??\c:\Windows\Boot\EFI\zh-HK\bootmgfw.efi.mui
    \??\c:\Windows\winsxs\AMC90B~1.175\PINTLGIX.IMD
    \??\c:\Windows\SERVIC~1\Packages\WI12FA~1.CAT
    \??\c:\Windows\SERVIC~1\Packages\WIA48C~1.CAT
    \??\c:\Windows\winsxs\AMB92E~1.163\SYSTEM~1.MUI
    \??\c:\Windows\winsxs\AMEBFF~1.163\Amd64\CNBBR333.DLL
    \??\c:\Windows\Cursors\pen_r.cur
    \??\c:\Windows\SERVIC~1\Packages\MI29AB~1.CAT
    \??\c:\Windows\winsxs\AMD64_~1.231\AP7902~1.DLL
    \??\c:\Windows\winsxs\AM1940~1.163\sfc.exe
    \??\c:\Windows\winsxs\AM1529~1.163\Amd64\SHH52N06.GPD
    \??\c:\Windows\winsxs\AM939D~1.163\pegibbfc.rs
    \??\c:\Windows\winsxs\AMB428~1.163\WINDOW~4.WAV
    \??\c:\Windows\winsxs\AMC3E5~1.175\IPMIDrv.sys
    \??\c:\Windows\winsxs\AM1997~1.164\wextract.exe
    \??\c:\Windows\winsxs\AM740C~1.163\usbui.dll
    \??\c:\Windows\DIAGNO~1\system\AERO\TS_Transparency.ps1
    \??\c:\Windows\Fonts\nyala.ttf
    \??\c:\Windows\winsxs\AMD64_~1.175\wbemcomn.dll
    \??\c:\Windows\winsxs\AMFBFA~1.163\wmpnssci.dll
    \??\c:\Windows\winsxs\AMFF60~1.163\MSADP3~1.MUI
    \??\c:\Windows\winsxs\AM93B4~1.163\HHCTRL~1.MUI
    \??\c:\Windows\winsxs\AMD64_~1.189\APC7B0~1.DLL
    \??\c:\Windows\winsxs\AM9C03~1.175\framedyn.dll
    \??\c:\Windows\winsxs\AM578E~1.163\Amd64\CNBJOP7T.DLL
    \??\c:\Windows\Fonts\vga737.fon
    \??\c:\Windows\SERVIC~1\Packages\MIF00D~1.MUM
    \??\c:\Windows\winsxs\AMBC52~1.163\faxcn002.inf
    \??\c:\Windows\winsxs\AME206~1.163\beep.sys
    \??\c:\Windows\winsxs\AME19A~1.163\WI5CB3~1.WAV
    \??\c:\Windows\ehome\en-US\ehjpnime.dll.mui
    \??\c:\Windows\MICROS~1.NET\FRAMEW~1\V20~1.507\System.Data.OracleClient.dll
    \??\c:\Windows\winsxs\AM518A~1.175\USBPOR~1.MUI
    \??\c:\Windows\winsxs\AM4AAB~1.175\wsnmp32.dll
    \??\c:\Windows\winsxs\AMEE4F~1.163\BRCI08~1.MUI
    \??\c:\Windows\winsxs\AMABD2~1.175\srv2.sys
    \??\c:\Windows\winsxs\AMBEF1~2.163\Amd64\EP0LVRAH.DLL
    \??\c:\Windows\SERVIC~1\Packages\WI1C29~1.CAT
    \??\c:\Windows\winsxs\AMB534~1.175\CL_LOC~1.PSD
    \??\c:\Windows\winsxs\AM5242~1.163\Passport.wmv
    \??\c:\Windows\winsxs\AM784F~1.163\ktmw32.dll
    \??\c:\Windows\winsxs\AMF0BB~2.163\Amd64\EP0NGW8M.GPD
    \??\c:\Windows\INSTAL~1\$PATCH~1\Managed\E8EBCC~1\4770C6~1.306\UI3EAD~1.DLL
    \??\c:\Windows\winsxs\AM7638~1.163\NEXT_R~1.PNG
    \??\c:\Windows\winsxs\AM1DCA~1.175\oleaut32.dll
    \??\c:\Windows\winsxs\AMDA7A~1.164\WMPHOT~1.MUI
    \??\c:\Windows\winsxs\AMC168~1.163\IPNATH~1.MUI
    \??\c:\Windows\winsxs\AMCE17~1.163\US28F1~1.BMP
    \??\c:\Windows\winsxs\AMCD1F~1.175\MICROS~1.DLL
    \??\c:\Windows\winsxs\AM306B~1.163\WE5915~1.MAS
    \??\c:\Windows\winsxs\AMDEE0~1.163\BRMFCM~1.INF
    \??\c:\Windows\winsxs\AM0EDC~1.164\IE4UIN~1.MUI
    \??\c:\Windows\winsxs\AMDC7E~1.163\Amd64\BRH2170W.GPD
    \??\c:\Windows\winsxs\AM6B9B~1.163\sppcc.dll
    \??\c:\Windows\winsxs\AM639A~1.175\atapi.sys
    \??\c:\Windows\winsxs\AM6629~1.163\Amd64\CNBJ2800.TBL
    \??\c:\Windows\winsxs\AMF0BB~2.163\Amd64\EP0NGE9C.GPD
    \??\c:\Windows\POLICY~1\EventViewer.admx
    \??\c:\Windows\winsxs\AMC0BF~1.163\prflbmsg.dll
    \??\c:\Windows\winsxs\AM5C1E~1.163\imkrhjd.lex
- Modifies Installed Components in the registry (2 TTPs, 23 IoCs)
  Process: reg.exe. Every entry is "Key deleted" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components. Active Setup is where per-user first-run commands (StubPath) are registered, which is why the signature is worded as persistence; what actually happened is removal of the stock Microsoft component entries and of the parent key itself, i.e. deletion of setup state, not registration of a new stub.
    Installed Components (the parent key)
    {89820200-ECBD-11cf-8B85-00AA005B4340}
    {de5aed00-a4bf-11d1-9948-00c04f98bbc9}
    {3af36230-a269-11d1-b5bf-0000f8051515}
    {5fd399c0-a70a-11d1-9948-00c04f98bbc9}
    {630b1da0-b465-11d1-9948-00c04f98bbc9}
    {7790769C-0471-11d2-AF11-00C04FA35D02}
    {89B4C1CD-B018-4511-B0A1-5476DBF70820}
    {9381D8F2-0288-11D0-9501-00AA00B911A5}
    {C9E9A340-D1F1-11D0-821E-444553540600}
    {E92B03AB-B707-11d2-9CBD-0000F87A369E}
    >{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
    {09CCBE8E-B964-30EF-AE84-6537AB4197F9}
    {44BBA840-CC51-11CF-AAFA-00AA00B6015C}
    {7C028AF8-F614-47B3-82DA-BA94E41B1089}
    {44BBA855-CC51-11CF-AAFA-00AA00B6015F}
    {6BF52A52-394A-11d3-B153-00C04F79FAA6}
    {6fab99d0-bab8-11d1-994a-00c04f98bbc9}
    {89820200-ECBD-11cf-8B85-00AA005B4383}
    {22d6f312-b0f6-11d0-94ab-0080c74c7e95}
    {2C7339CF-2B09-4501-B3F3-F3508C9228ED}
    {45ea75a0-a269-11d1-b5bf-0000f8051515}
    {4f645220-306d-11d2-995d-00c04f98bbc9}
- Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 1 IoC)
  Processes:
    reg.exe
      Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  ShellServiceObjectDelayLoad lists COM objects Explorer loads at start, hence the signature name, but the IoC is deletion of the whole key in the 32-bit view. Nothing was added; do not carry this forward as a persistence finding.
- Modifies registry class (24273 IoCs; the page lists the first 64)
  Process: reg.exe. Every entry is "Key deleted" under \REGISTRY\MACHINE\SOFTWARE\Classes. ProgIDs, file-extension associations, DDE verbs, TypeLib and Interface registrations for Office, Adobe Reader, VLC, OneNote, IE and Windows itself are being removed wholesale; at this volume the intent is to break application launching and COM, not to hijack a single association.
    AcroExch.XFDFDoc
    EhStorShell.EnhancedStorageFolder\CurVer
    Excel.CSV\shell\Open\command
    Wow6432Node\Interface\{305106E9-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib
    Record\{8876FE03-8B8B-3026-86A1-B529DE8280B2}\14.0.0.0
    Record\{E0B61DE8-7593-364F-9D03-E2DC0A5C0B18}\2.0.0.0
    .oc_
    .snippet\OpenWithProgids
    TypeLib\{F787BC79-EAAB-4BEA-9DFE-3587A1BFC1F3}\1.0\0\win32
    Wow6432Node\Interface\{2EA4C00D-7156-4F8E-B990-FB4271147617}\ProxyStubClsid32
    Wow6432Node\Interface\{4B0645AA-08EF-4CB9-ADB9-0395D6EDAD35}\ProxyStubClsid32
    PowerPoint.Show.8\protocol\StdFileEditing\Verb
    Record\{A9611665-9D8F-3D2D-A32B-6F6F4D6DA307}
    Excel.Template.8\shell\New\ddeexec
    IA3DServer.A3DMemoryManager\CurVer
    Microsoft.DirectSoundEchoDMO\CurVer
    OneNote.CFileConverter.1
    VLC.gvi\shell\PlayWithVLC\command
    .faq
    Wow6432Node\Interface\{42C9F529-AC7B-45D3-A320-C2F23F250B94}\ProxyStubClsid32
    VLC.wtv\shell\Open\command
    bootstrap.vsto
    Excel.SheetBinaryMacroEnabled.12\shell\Printto\ddeexec\topic
    Wow6432Node\Interface\{B722BCCA-4E68-101B-A2BC-00AA00404770}
    Wow6432Node\Interface\{DC2601D7-059E-42FC-A09D-2AFD21B6D5F7}\ProxyStubClsid32
    OneIndex.ShellFolder.1\CLSID
    Record\{3918E32A-FD7F-461C-B2E0-F5605207C30B}\14.0.0.0
    AcroExch.Document.7\shell\Printto\command
    AVIFile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}
    Wow6432Node\Interface\{A78B1EF8-6C64-4B40-8E14-1BB317A3B95C}\ProxyStubClsid32
    OneNote.NoteAnchorCollection
    Wow6432Node\Interface\{62112AA2-EBE4-11CF-A5FB-0020AFE7292D}\ProxyStubClsid32
    Wow6432Node\Interface\{96643D32-2624-479A-9F1A-25D02030DD3B}\NumMethods
    Wow6432Node\Interface\{305106DA-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32
    Wow6432Node\Interface\{6EA00553-9439-4D5A-B1E6-DC15A54DA8B2}\ProxyStubClsid32
    TypeLib\{45EABAB4-7A6C-4E6E-86DE-D5417980F112}\1.0\FLAGS
    TypeLib\{FA77FE59-EE80-4C05-B180-256B7421E05F}\1.0\FLAGS
    Wow6432Node\CLSID\{c73f6f30-97a0-4ad1-a08f-540d4e9bc7b9}\Instance\PropertySetStorage\{F29F85E0-4FF9-1068-AB91-08002B27B3D9}\5
    IE.AssocFile.PARTIAL
    Wow6432Node\Interface\{C81A1D4E-8CF7-4683-80E0-BCAE88D677B6}
    mscfile\shell
    Record\{41180B45-4022-3C80-81FE-E8CFAA0292C3}\1.0.3300.0
    VLC.m2ts\shell\Open
    .ppsm\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}
    FStock.Factoid\CurVer
    .tif
    JavaScript1.3 Author
    Excel.SheetMacroEnabled.12\shell\Printto
    Wow6432Node\Interface\{000C033B-0000-0000-C000-000000000046}
    Wow6432Node\Interface\{5AF314CF-8849-4A79-A3FC-8DE6625D9E72}\TypeLib
    Wow6432Node\Interface\{757A7D9F-919A-4118-99D7-DBB208C8CC66}
    OneNote.Notebook.1\shell\OpenAsReadOnly\Command
    Word.Template.8
    Access.Shortcut.Report.1\shell\Open\ddeexec
    Wow6432Node\CLSID\{99D651D7-5F7C-470E-8A3B-774D5D9536AC}
    IE.AssocFile.HTM\shell\printto
    Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422}\ProxyStubClsid32
    Wow6432Node\Interface\{A530E6D3-0EA0-4B6D-AF89-FBA0944D1A10}\NumMethods
    PowerPoint.ShowMacroEnabled.12\shell\Open\command
    TypeLib\{00000206-0000-0010-8000-00AA006D2EA4}\2.6\FLAGS
    UmOutlookAddin.RoomsCTP\CurVer
    Wow6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\DataFormats\GetSet
    Excel.SheetBinaryMacroEnabled.12
    Windows.Xbap\shell\open
- Drops desktop.ini file(s) (51 IoCs; all listed)
  Process: cmd.exe. Every entry is "File opened for modification". All but one are the desktop.ini files inside component directories under \??\c:\Windows\winsxs, a side effect of walking the Windows directory rather than a technique in itself; the one outside winsxs is \??\c:\Windows\assembly\Desktop.ini.
    \??\c:\Windows\winsxs\AMEEEB~1.163\desktop.ini
    \??\c:\Windows\winsxs\AM3A5B~1.175\Desktop.ini
    \??\c:\Windows\winsxs\AM1B18~1.163\desktop.ini
    \??\c:\Windows\winsxs\AMB428~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMC04C~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMF946~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM0353~1.175\desktop.ini
    \??\c:\Windows\winsxs\AM5043~1.164\desktop.ini
    \??\c:\Windows\winsxs\AMFA6B~1.175\desktop.ini
    \??\c:\Windows\winsxs\AM6927~1.175\Desktop.ini
    \??\c:\Windows\winsxs\AM425B~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM5C97~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM15B7~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM50D0~1.175\Desktop.ini
    \??\c:\Windows\winsxs\AM0FD6~1.163\Desktop.ini
    \??\c:\Windows\assembly\Desktop.ini
    \??\c:\Windows\winsxs\AMFF91~1.164\desktop.ini
    \??\c:\Windows\winsxs\AM2473~1.163\desktop.ini
    \??\c:\Windows\winsxs\AM281C~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMB8AA~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM912A~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AME19A~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM082E~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM989B~1.175\desktop.ini
    \??\c:\Windows\winsxs\AMC0AD~1.175\desktop.ini
    \??\c:\Windows\winsxs\AM9AF0~1.163\desktop.ini
    \??\c:\Windows\winsxs\AMC003~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM1464~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMB6BD~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM71C7~1.163\desktop.ini
    \??\c:\Windows\winsxs\AMFD52~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM5CD3~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM0112~1.175\desktop.ini
    \??\c:\Windows\winsxs\AMD694~1.175\desktop.ini
    \??\c:\Windows\winsxs\AMEE05~1.175\desktop.ini
    \??\c:\Windows\winsxs\AM3E43~1.175\desktop.ini
    \??\c:\Windows\winsxs\AM814E~1.175\desktop.ini
    \??\c:\Windows\winsxs\AM28D3~1.163\desktop.ini
    \??\c:\Windows\winsxs\AMCCDB~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMCF3A~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMFB84~1.175\Desktop.ini
    \??\c:\Windows\winsxs\AMA45F~1.175\desktop.ini
    \??\c:\Windows\winsxs\AM131F~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM7B95~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMDF32~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM9934~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM2971~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AME009~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMAB03~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AMCA4A~1.163\Desktop.ini
    \??\c:\Windows\winsxs\AM076B~1.163\Desktop.ini
- Sets file execution options in registry (2 TTPs, 8 IoCs)
  Process: reg.exe. Every entry is "Key deleted" under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (a shared key, hence no Wow6432Node). All eight are stock subkeys (DllNXOptions and the Internet Explorer components); no Debugger value is set, so this is removal of existing IFEO settings, not an IFEO hijack, despite the signature's wording.
    DllNXOptions
    ExtExport.exe
    ie4uinit.exe
    ielowutil.exe
    ieUnatt.exe
    iexplore.exe
    msfeedssync.exe
    mshta.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: 冠状病毒.exe.bin.exe, cmd.exe. Each entry reads "PID <writer> wrote to memory of <target>", and the page repeats every writer/target pair four times, which is the pattern normally left by process creation (the parent writes the new child's startup data into it under WOW64) rather than by injection into an already running process. The 20 entries collapse to five pairs:
    1868 冠状病毒.exe.bin.exe -> 1884 cmd.exe (4 writes)
    1868 冠状病毒.exe.bin.exe -> 1892 cmd.exe (4 writes)
    1868 冠状病毒.exe.bin.exe -> 1912 cmd.exe (4 writes)
    1868 冠状病毒.exe.bin.exe -> 1936 cmd.exe (4 writes)
    1892 cmd.exe -> 1992 reg.exe (4 writes)
  Resulting process tree:
    冠状病毒.exe.bin.exe (pid 1868)
      cmd.exe (pid 1884)
      cmd.exe (pid 1892)
        reg.exe (pid 1992)
      cmd.exe (pid 1912)
      cmd.exe (pid 1936)
  The file IoCs are attributed to cmd.exe and the registry IoCs to reg.exe, but the page does not show which cmd.exe pid did what, and no command lines are shown.
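The tree above can be rebuilt mechanically from the sandbox's lines, which is worth doing whenever a report lists dozens of memory-write IoCs. The following Python is an added example, not code from the sandbox or from this page; it parses lines in the exact layout shown above (the 20 entries are embedded as constructed input), collapses the repeated pairs into a parent/child tree with write counts, and flags any target written by more than one distinct pid, since a process has exactly one creator and a second writer is what would distinguish real injection from process creation.

```python
"""Rebuild a process tree from a sandbox's "PID a wrote to memory of b" IoCs.

Added example for this report; it is not part of the sandbox's own tooling.
The sample lines are the 20 entries from the WriteProcessMemory signature.
"""
import re
from collections import Counter, defaultdict

# Constructed input: the report's 20 IoC lines, in the order shown on the page.
SAMPLE_IOCS = """
PID 1868 wrote to memory of 1884 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1884 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1884 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1884 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1892 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1892 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1892 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1892 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1912 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1912 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1912 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1912 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1936 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1936 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1936 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1868 wrote to memory of 1936 1868 冠状病毒.exe.bin.exe cmd.exe
PID 1892 wrote to memory of 1992 1892 cmd.exe reg.exe
PID 1892 wrote to memory of 1992 1892 cmd.exe reg.exe
PID 1892 wrote to memory of 1992 1892 cmd.exe reg.exe
PID 1892 wrote to memory of 1992 1892 cmd.exe reg.exe
"""

# Page layout: "PID <writer> wrote to memory of <target> <writer> <writer name> <target name>"
_EVENT_RE = re.compile(
    r"PID\s+(?P<src>\d+)\s+wrote to memory of\s+(?P<dst>\d+)\s+\d+\s+"
    r"(?P<src_name>\S+)\s+(?P<dst_name>\S+)"
)


def parse_write_events(text):
    """Return (writer_pid, target_pid, writer_name, target_name) for every IoC line."""
    events = []
    for line in text.splitlines():
        m = _EVENT_RE.search(line)
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_name"], m["dst_name"]))
    return events


def build_tree(events):
    """Collapse repeated writer/target pairs into writer -> Counter({target: writes})."""
    tree = defaultdict(Counter)
    for src, dst, _, _ in events:
        tree[src][dst] += 1
    return tree


def process_names(events):
    """Map every pid seen in the events to its image name."""
    names = {}
    for src, dst, src_name, dst_name in events:
        names[src] = src_name
        names[dst] = dst_name
    return names


def roots(tree):
    """Pids that write to others but are never written to: the top of the tree."""
    targets = {dst for kids in tree.values() for dst in kids}
    return sorted(pid for pid in tree if pid not in targets)


def render_tree(tree, names, pid, depth=0, writes=None, seen=None):
    """Indented text tree; each child line carries the number of writes from its parent."""
    seen = set() if seen is None else seen
    label = f"{names.get(pid, '?')} (pid {pid})"
    if writes is not None:
        label += f"  [{writes} writes from parent]"
    lines = ["  " * depth + label]
    if pid in seen:  # guard against malformed input that loops back on itself
        return lines
    seen.add(pid)
    for child, n in sorted(tree.get(pid, {}).items()):
        lines.extend(render_tree(tree, names, child, depth + 1, n, seen))
    return lines


def multi_writer_targets(events):
    """Targets written by more than one distinct pid.

    A process has exactly one creator, so a second writer cannot be explained by
    process creation; those targets are the injection candidates to look at first.
    """
    writers = defaultdict(set)
    for src, dst, _, _ in events:
        writers[dst].add(src)
    return {dst: sorted(s) for dst, s in writers.items() if len(s) > 1}


if __name__ == "__main__":
    events = parse_write_events(SAMPLE_IOCS)
    tree = build_tree(events)
    names = process_names(events)
    for root in roots(tree):
        print("\n".join(render_tree(tree, names, root)))
    print("multi-writer targets:", multi_writer_targets(events) or "none")
```

On this report the multi-writer check comes back empty, which is the expected result for a tree built purely from process creation; on a report where it does not, the extra writer is the process to pull memory from first.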
- (signature name not captured on the page)
  Process: reg.exe. Every entry is "Key deleted" under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer, i.e. stock IE ActiveX/extension compatibility, advanced-option, Low Rights and unattend-backup state in the 32-bit view.
    ActiveX Compatibility\Restriction Policies\Hashes\DA5AFC10F5D3DBFDCB9E2A2506323260051D77CF
    ActiveX Compatibility\{00D46195-B634-4C41-B53B-5093527FB791}
    ActiveX Compatibility\{6E22710E-F799-11CF-9227-00AA00A1EB95}
    Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F}
    URL Compatibility\~/CWIZINTR.HTM
    ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46}
    ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}
    ActiveX Compatibility\{B9240A2E-EE1A-4E1F-AD76-6536F9D3B176}
    ActiveX Compatibility\{CEBC955E-58AF-11D2-A30A-00A0C903492B}
    ActiveX Compatibility\{E4C97925-C194-4551-8831-EABBD0280885}
    AdvancedOptions\INTERNATIONAL
    ActiveX Compatibility\{3A04E10E-0171-40AA-BC41-69014E5DA261}
    Low Rights\RunDLl32Policy\cnmsm5s.dll
    Low Rights\RunDLl32Policy\cnmsm7l.dll
    ActiveX Compatibility\{A73BAEFA-EE65-494D-BEDB-DD3E5A34FA98}
    ActiveX Compatibility\{AF868304-AB0B-11D0-876A-00C04FC29D46}
    AdvancedOptions\ACCESSIBILITY
    AdvancedOptions\INTERNATIONAL\UTF8URLQUERY_ALWAYS
    ActiveX Compatibility\{16E349E0-702C-11CF-A3A9-00A0C9034920}
    ActiveX Compatibility\{C5702CCF-9B79-11D3-B654-00C04F79498E}
    AdvancedOptions\ACCELERATED_GRAPHICS\USESWRENDER
    Capabilities\Roaming\AutocompleteFormData
    MAIN\ErrorThresholds
    ActiveX Compatibility\{4CECCEB1-8359-11D0-A34E-00AA00BDCDFD}
    ActiveX Compatibility\{C46C1BD6-3C52-11D0-9200-848C1D000000}
    ActiveX Compatibility\{DA56F851-D3C5-11D3-844C-00C04F7A06E5}
    AdvancedOptions\CRYPTO\SECURE
    AdvancedOptions\CRYPTO
    Low Rights\RunDLl32Policy\cnmsm6e.dll
    UnattendBackup\TabProcessGrowth
    ActiveX Compatibility\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}
    ActiveX Compatibility\{58DA8D8F-9D6A-101B-AFC0-4210102A8DA7}
    ActiveX Compatibility\{692898BE-C7CC-4CB3-A45C-66508B7E2C33}
    ActiveX Compatibility\{C3C9CB67-F453-479A-9AB0-94AE65F2EB2F}
    ActiveX Compatibility\{C531D9FD-9685-4028-8B68-6E1232079F1E}
    AdvancedOptions\CRYPTO\TLS1.0
    ActiveX Compatibility\{28AB0005-E845-4FFA-AA9B-F4665236141C}
    AdvancedOptions\CRYPTO\CACHE_PAGES
    Low Rights\ElevationPolicy\{000209FF-0000-0000-C000-000000000046}
    ActiveX Compatibility\{01002B17-5D93-4551-81E4-831FEF780A53}
    ActiveX Compatibility\{8B217752-717D-11CE-AB5B-D41203C10000}
    Low Rights\RunDLl32Policy\cnmsm6n.dll
    Key deleted (the page's list breaks off here, mid-entry)
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7i.dll reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9088E688-063A-4806-A3DB-6522712FC061} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{977315A5-C0DB-4EFD-89C2-10AA86CA39A5} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FC28B75F-F9F6-4C92-AF91-14A3A51C49FB} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{24DC3975-09BF-4231-8655-3EE71F43837D} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Document Caching reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{BD18A03F-31CC-4CC0-B52D-9E199122923D} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7b.dll reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F7-45CA-11D2-831F-00A0244D2298} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7584c670-2274-4efb-b00b-d6aaba6d3850} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CF6866F9-B67C-4B24-9957-F91E91E788DC} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA8932FF-E064-4378-901C-69CB94E3A20A} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9} reg.exe Key deleted 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{86C2B477-5382-4A09-8CA3-E63B1158A377} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F6A56D95-A3A3-11D2-AC26-400000058481} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\MIMEAssociations reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1138506a-b949-46a7-b6c0-ee26499fdeaf} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0DDF3B5C-E692-11D1-AB06-00AA00BDD685} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD} reg.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5740A302-EF0B-45CE-BF3B-4470A14A8980} reg.exe -
Adds Run entry to start application 2 TTPs 6 IoCs
Processes:
reg.exe
description ioc process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents reg.exe
-
Drops file in Drivers directory 9 IoCs
Processes:
cmd.exe
description ioc process
File opened for modification \??\c:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\gm.dls cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\gmreadme.txt cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\wimmount.sys cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui cmd.exe
-
Drops file in System32 directory 4550 IoCs
Processes:
cmd.exe
description ioc process
File opened for modification \??\c:\Windows\SysWOW64\en-US\dimsroam.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\PSModuleDiscoveryProvider.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\migwiz\DLMANI~1\WirelessNetworking-DL.man cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\NlsLexicons0001.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\ntdll.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\bg-BG\comctl32.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\azroles.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\NlsData003e.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\prvdmofcomp.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\aecache.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\INSTAL~1\setupdir\0416\_setup.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\lmhsvc.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\KBDGRLND.DLL cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\migwiz\DLMANI~1\AccessibilityCpl-DL.man cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\dwmapi.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\RpcNs4.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\subst.exe.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\NlsData0416.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\dimsroam.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\dtsh.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\kmddsp.tsp cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\migwiz\DLMANI~1\DNS-Server-Service-DL.man cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\autofmt.exe cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\migwiz\REPLAC~1\TabletPC-UIHub-Replacement.man cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\WINDOW~1\v1.0\Schemas\PSMaml\command.xsd cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\umdmxfrm.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\browcli.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\dmscript.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\iologmsg.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\Licenses\_Default\ENTERP~2\license.rtf cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\qedit.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\wbem\dimsjob.mof cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\FirewallControlPanel.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\INSTAL~1\setupdir\0010\_setup.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\t2embed.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\wship6.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\dsprop.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\iasrad.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\msorcl32.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\msvcrt40.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\psisdecd.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\tsgqec.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\mscorier.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\hcproviders.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\ksproxy.ax.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\migwiz\DLMANI~1\DirectoryServices-Domain-DL.man cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\winmm.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\secproc_ssp_isv.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\dui70.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\netiougc.exe.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\ntdll.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\INSTAL~1\setupdir\001f\_setup.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\pt-BR\WMPhoto.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\onexui.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\quick.ime cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\WINDOW~1\v1.0\Schemas\PSMaml\ITPro.xsd cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l1-1-0.dll cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\AtBroker.exe cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\ndptsp.tsp.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\wevtapi.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\getmac.exe cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\de-DE\UIAnimation.dll.mui cmd.exe
File opened for modification \??\c:\Windows\SysWOW64\en-US\ICacls.exe.mui cmd.exe
-
Modifies system certificate store
Processes:
reg.exe
description ioc process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4F65566336DB6598581D584A596C87934D5F2AB4 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\97817950D81C9670CC34D809CF794431367EF474 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7D7F4414CCEF168ADF6BF40753B5BECD78375931 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices reg.exe
-
Modifies system executable filetype association 2 TTPs 45 IoCs
Processes:
reg.exe
description ioc process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} reg.exe
-
System policy modification 1 TTPs 9 IoCs
Processes:
reg.exe
description ioc process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI reg.exe
-
Modifies Winlogon 2 TTPs 10 IoCs
Processes:
reg.exe
description ioc process
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} reg.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\冠状病毒.exe.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\冠状病毒.exe.bin.exe"
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c rd/s /q c:\
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Drops desktop.ini file(s)
    - Drops file in Drivers directory
    - Drops file in System32 directory
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG DELETE HKLM\Software\ /f
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      REG DELETE HKLM\Software\ /f
      - Windows security modification
      - Modifies registry key
      - Modifies Installed Components in the registry
      - Adds autorun key to be loaded by Explorer.exe on startup
      - Modifies registry class
      - Sets file execution options in registry
      - Modifies Internet Explorer settings
      - Adds Run entry to start application
      - Modifies system certificate store
      - Modifies system executable filetype association
      - System policy modification
      - Modifies Winlogon
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c rd/s /q d:\
  - C:\Windows\SysWOW64\cmd.exe
    cmd /c rd/s /q d:\
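Reading the tree: the sample (its name, 冠状病毒, is Chinese for "coronavirus") does nothing beyond spawning cmd.exe four times, with rd/s /q against the c:\ and d:\ roots and with REG DELETE HKLM\Software\ /f. That accounts for every signature section above. Each "File opened for modification … cmd.exe" row is a file that rd /s /q opened with delete access on its way to removing it, and each "Key deleted … reg.exe" row is a subkey the forced delete recursed into. Signature titles are the sandbox's categories for any write to a monitored key, so "Adds Run entry to start application" is triggered here by the Run and RunOnce keys being deleted, not populated. Because the 32-bit reg.exe ran from SysWOW64, redirected keys appear under Wow6432Node while WOW64-shared keys (Classes, Policies, SystemCertificates) appear at their native path. What follows is an added detection example, not part of the report or of the sample: it classifies command lines of this shape as they would arrive from a process-creation log, normalising a "cmd /c" wrapper, quoted paths and a switch glued to the command ("rd/s"). The four command lines from the tree are embedded verbatim next to constructed benign and evasive variants; the protected-directory list and the registry-depth cut-off are assumptions for the demo.

```python
"""Flag destructive command lines of the kind seen in the process tree above.

Added example for this report, not code from the sandbox or the sample.
PROTECTED_DIRS and the depth cut-off in is_protected_key are assumed policy.
"""
import re

# Directories whose recursive removal is never legitimate from a user-launched
# process (assumed policy; any bare drive root is always protected as well).
PROTECTED_DIRS = {
    "c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64",
    "c:\\program files", "c:\\program files (x86)", "c:\\users",
}


def tokenize(cmdline: str) -> list:
    """Split on whitespace, honouring double quotes, and separate a switch
    glued to a command name the way cmd.exe accepts it ("rd/s" -> "rd", "/s")."""
    toks, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    out = []
    for t in toks:
        m = re.fullmatch(r"([A-Za-z]+)(/.+)", t)
        out.extend(m.groups() if m else (t,))
    return out


def unwrap_cmd(toks: list) -> list:
    """Drop a leading 'cmd /c' or 'cmd.exe /k' wrapper so the inner command is
    what gets classified (every action in the report is launched this way)."""
    if len(toks) >= 2:
        name = toks[0].rsplit("\\", 1)[-1].lower()
        if name in ("cmd", "cmd.exe") and toks[1].lower() in ("/c", "/k"):
            return toks[2:]
    return toks


def is_protected_dir(path: str) -> bool:
    p = path.lower().rstrip("\\/")
    return bool(re.fullmatch(r"[a-z]:", p)) or p in PROTECTED_DIRS


def is_protected_key(key: str) -> bool:
    """True for HKLM\\Software or HKLM\\System themselves or one level below;
    deeper keys are routinely deleted by uninstallers (assumed cut-off)."""
    k = key.lower().rstrip("\\").replace("hkey_local_machine", "hklm", 1)
    parts = k.split("\\")
    return len(parts) <= 3 and parts[:2] in (["hklm", "software"], ["hklm", "system"])


def classify(cmdline: str) -> list:
    """Return the findings for one command line; an empty list means no hit."""
    toks = unwrap_cmd(tokenize(cmdline))
    if not toks:
        return []
    verb = toks[0].rsplit("\\", 1)[-1].lower()
    verb = verb[:-4] if verb.endswith(".exe") else verb
    switches = {a.lower() for a in toks[1:] if a.startswith("/")}
    operands = [a for a in toks[1:] if not a.startswith("/")]
    findings = []
    if verb in ("rd", "rmdir") and "/s" in switches:
        findings += [f"recursive directory removal of protected path {t}"
                     for t in operands if is_protected_dir(t)]
    elif verb == "reg" and operands and operands[0].lower() == "delete" and "/f" in switches:
        findings += [f"forced registry delete of protected key {k}"
                     for k in operands[1:] if is_protected_key(k)]
    return findings


def scan(cmdlines) -> dict:
    """Map each command line that produced findings to its findings."""
    hits = {}
    for c in cmdlines:
        found = classify(c)
        if found:
            hits[c] = found
    return hits


# Constructed sample input: the four command lines from the process tree,
# then benign and evasive variants written for this demo.
SAMPLE_CMDLINES = [
    "cmd /c rd/s /q c:\\",
    "cmd /c REG DELETE HKLM\\Software\\ /f",
    "REG DELETE HKLM\\Software\\ /f",
    "cmd /c rd/s /q d:\\",
    "cmd /c rd /s /q C:\\Users\\Admin\\AppData\\Local\\Temp\\build",
    "reg delete HKLM\\Software\\Vendor\\App\\Settings\\Cache /f",
    "\"C:\\Windows\\System32\\cmd.exe\" /c rmdir /s /q \"C:\\Windows\\Temp\\x\"",
    "cmd.exe /c rmdir /S /Q C:\\Windows",
    "reg.exe delete HKEY_LOCAL_MACHINE\\SYSTEM /f",
]

if __name__ == "__main__":
    for line, found in scan(SAMPLE_CMDLINES).items():
        print(line, "->", "; ".join(found))
```

Run as a script it prints the six hits (the four report lines plus the two evasive variants) and stays silent on the temp-directory cleanup, the deep vendor key and the rmdir under C:\Windows\Temp. In a pipeline, feed classify() the command-line field of each process-creation event and correlate on the parent: here the parent of every hit is the same user-launched executable, which is the stronger signal.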