dmalocker | d6ce2ac21b152bdace29cd88f53a8b7c5c0e78e4f49905d0ffe61e44e22966dc

Analysis

max time kernel
25s
max time network
45s
platform
windows7_x64
resource
win7-20220331-en
submitted
11-04-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22CE389E63E27EB9AF106D70BEF9AF17.exe
Size

1.5MB
MD5

22ce389e63e27eb9af106d70bef9af17
SHA1

6f9187f33e079255d838b8dc31c09e58c6529727
SHA256

d6ce2ac21b152bdace29cd88f53a8b7c5c0e78e4f49905d0ffe61e44e22966dc
SHA512

80e1b6f4b1cef5d1054897cf6940f76fe1aecb105c31fa43500390c168408f01a5a33d11750bd5e2fa02fa4962a5b43254c5adf19b87744ed08ca8e62520130b

Score

10^/10

dmalocker hawkeye locky locky_osiris wannacry discovery keylogger persistence ransomware spyware stealer trojan worm

Malware Config

Signatures

DMA Locker
Ransomware family with some advanced features, like encryption of unmapped network shares.
ransomware dmalocker
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky (Osiris variant)
Variant of the Locky ransomware seen in the wild since early 2017.
ransomware locky_osiris

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\drivers\str.sys	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\ISPUPDRV.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\RVDPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\config.json	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\Inf\SOCFG.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\AUTORUN.BAK	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\config.json	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver2.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver2.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\AUTORUN.BAK	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\str.sys	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\DETPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\ISPUPDRV.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\RVDPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\ver.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\drivers\ver.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\drivers\etc\Hosts	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Drivers\Inf\SOCFG.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Drivers\DETPORT.SYS	22CE389E63E27EB9AF106D70BEF9AF17.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops startup file 64 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbftyuj.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\live.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nfgh.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xckycixgych.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\(Vacmo).lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ksea.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rasphone.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.Uev.SyncController.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AdobeARMHelper.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pFkMx6mGt2FTyWmB.exe.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IMEPADSV.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wusa.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows.vbe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\systm.vbe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system32helper.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OaKZR9x9.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tsig.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hadikhiya.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crlklhiexkrsgqd.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pdf.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\antomarvis.exe.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\otgwsf.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ftUPeSPdpA.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hjdfasd.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PkKqJI.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nexcsf.vbe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Decryption instructions.jpg	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempadexpac.exe.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Temp.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tenakat.js	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RGZLTE.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Zentom System Guard.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pwcreator.Lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.Microsoft.com.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\crome.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EhStorAuthn.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdfcve.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Boligkonsulenter.vbe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{003D9085-BB95-4A55-AF4B-7A397AB8827C}.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.exe.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\chromee.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rootvimkvddoarv.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wsea.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vtjhdhjj.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cnhnfvjhfchfbc.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BfWTjSzBAA.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufyd.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DnvvneZyNN.js	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vbc.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jesd.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\READ_DECRYPT DATA INSTRUCTIONS.jpg	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\srvknhyssouajgg.eu.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jghcve.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outlook.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mscuivedeoire.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\funfnndfnkes.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4EJ1wzIo.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cbvredgs.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HVintbRD.url	22CE389E63E27EB9AF106D70BEF9AF17.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Prueba = "Ok"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	22CE389E63E27EB9AF106D70BEF9AF17.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\SysWOW64\saieau.dat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\EAPI.FNE	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\zcengineOff.ini	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\MODEL.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\drbux.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\MNU Net libraries	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\WwANsvc	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\NORUNS.REG	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Direct Tools Update	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\SOCFG.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\CAPTURE.BMP	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\DPI Service	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Microsoft Window Center	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\MODEL.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\System\SystemUpdate	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\CompFit Application	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Ms system cache service	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\MsSocketVision	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\AUTORUN.IN	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\PowerControl HR	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Time Trigger Task	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\{4EA29966-F266-4038-80A9-1DEC42740035}	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\hbilop.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Windows Direct core tools	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\POPLIST.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\VMDX.LKI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\zdengine.ini	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Flash	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\WindowsInput.exe.config	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\hnbux.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\w.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\fonts	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\svchost	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\SQL_2QINGD.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\TimeEr	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\VMDX.LKI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\UpdateWuaucltHelper	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\wusa	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Ms libraries	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\m.ico	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Debitumenize	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\SQL_3.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Clean Master	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\ChromeDataStorage	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\hromex	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\POPLIST.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\autorun.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\bios_setup1192.txt	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Opera scheduled Autoupdate 3131963549	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\OT.ICO	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\HX1.BAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\msbbau.dat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\TT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\SVDHALP.EXE.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\NlsLexicons00ssx.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\Command cache application	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\Tasks\System cache service	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\REGEX.FNR	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\DPI Service Task	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\Ms Cloud Network	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32\Tasks\MsLogMonitor	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\zserv.inf	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\SB.HTM	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SysWOW64\SX.HTM	22CE389E63E27EB9AF106D70BEF9AF17.exe

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\installESP.log	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Adobe\pdf.exex	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Adobe\pdf.ex_	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Messenger\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Movie Maker\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\ONLO0R.OBK	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\X.BMP	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Mozilla Firefox\searchplugins\fcmdSrch.xml	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Messenger Plus! Live\Scripts\hola\hola.js	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Adobe\pdf.exe.config	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Outlook Express\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\NetMeeting\KLOG.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Assembly\System.exe.config	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\DMLCONF.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Common Files\Systems\PINKS.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Lycos\Sidesearch\OFFLINE.HTM	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\JustClicking\home.bat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\WebRebates4\Websrebates\Webtrebates\toprC0.htm	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Common Files\System\Uninstall\Uninstall A360.lnk	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\Windows Update.exe.config	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\JS.MUI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\VERSION.TXT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\Program Files\Internet Explorer\ACPI.VXD	22CE389E63E27EB9AF106D70BEF9AF17.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\infosapi.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\System\SYSTEM.BAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\System\MOUSE.DLL	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\hackshen.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\NetvalTask.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\MEMTEST.TXT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Drivers\WINL.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Debitumenize.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Media\UPSET1.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\PWISYS.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\syskey2i.drv	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Msntcs.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\inf\BIO.INF	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\javaupdate\update.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Media\pthreadGC2.dll	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SVCHOST .EXE	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Flash.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\LogOfficeDat.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\mstoble.cop	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms Cloud Network.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\TaskForms1.0.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\BOOT.BAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\AmiUpdXp.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Eburin.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Lycos - make LOVE not SPAM.dat	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\autorun.inf	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ions2.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\directx.sys	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\salm.log	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\PCSEARCH.REG	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Command cache application.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\MsLogMonitor.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Microsoft System Protect.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\explorre.url	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\tasksche.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Msnetc.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows directory manager.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Carla.txt.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SYSTEM32	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Fonts\MSOFFICE.HTA	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\MNU Net libraries.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms dll libraries.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Debug\config.json	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\MSTECF.DAT	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\OK.INI	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\WindowsUpdate2.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\O2.REG	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\msbb.log	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Inf\farmmext.inf	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Gpu Tools.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms speed internet library.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\NetSys.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\System Health Application.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows OneDrive Shell Extensions.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\SoftwareDistribution\grim.ime	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Direct Tools Update.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\RdpSaUacHelper.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\logo_home.gif	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Update2.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\CleanMemoryWinTask.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Ms cpu monitor.job	22CE389E63E27EB9AF106D70BEF9AF17.exe
File opened for modification	C:\WINDOWS\Tasks\Windows Shell OneDrive Extensions.job	22CE389E63E27EB9AF106D70BEF9AF17.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{4B646AFB-9341-4330-8FD1-C32485AEE619}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5DDE5591-A8AB-4897-93EF-1E4E943F85A7}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{965B9DBE-B104-44AC-950A-8A5F97AFF439}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAAD86D-CB5C-414B-A464-6356960C5787}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{AB88594E-89B0-4F04-BA7D-202B6E621AC2}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{3A4DBD3A-98CC-41CE-AD21-352D42B6F754}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7F62084E-2D62-44AB-AAC5-29085B8C72DB}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8A5E6109-376F-46A7-AE78-714BF8F611DC}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{9B666A44-986C-46D4-8702-765509B6712F}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{A8B28872-3324-4CD2-8AA3-7D555C872D96}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{C68E9BB6-3DBD-4C4B-910B-C5D84A7EBB03}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{E1E1D3A0-66EA-46D2-BBCF-43730668E1EB}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BB975E58-E769-4E5A-BA12-B765BC559FF3}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6DB38642-A70F-4C98-B82F-80D80E29E1E0}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{EFAF6EA3-615D-4F83-8748-2F7A576FCEA6}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0EA04667-E53B-4E81-8E7C-DE2CA114CBD6}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BFEF1779-0E92-45A1-BF5E-55991007F912}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D212259D-4648-4903-9FBD-02E88785D33C}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{31EE3286-D785-4E3F-95FC-51D00FDABC01}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{5526B4C6-63D6-41A1-9783-0FABF529859A}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0ADE05D-5621-47DF-8A08-8284E1AE0B51}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3055295A-CCDD-44B2-9F73-D8E8E626E5C1}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8E5A2506-A3B7-4219-8ED2-BCEB8FCA968E}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{77F1268B-6C19-4C61-962D-54691A128CD2}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E1842850-FB16-4471-B327-7343FBAED55C}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8E8F97CD-60B5-456F-A201-73065652D099}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{92C3F342-45DA-4511-853A-B3836AAFF5F5}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{008F6853-9CB4-41C5-A950-39D55E5E06BA}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0DCD4F35-9FD5-420b-A9AA-FED0E2AECEE0}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{409D7101-32D7-48F4-95A9-0BC792BF3596}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D1159422-16E3-462F-A93D-FB718E100407}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{47EFD4AD-CB46-4549-B24B-CEE415394C56}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{7B4D79DF-9EF0-429D-A0E9-D9B138C6A53B}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F1AF26F8-1828-4279-ABCE-074EF3235BD7}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F4982BAB-80E9-4838-A2A0-95D30F348161}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7A81DF49-1DB8-4DB4-B070-AD6758ECBA2A}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1D0B1B2F-4D44-48DC-AE5A-F4BBBAE2A83F}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CFDE1CF9-75B3-4B1E-B9A7-B5FB88A171E6}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{DA19C83F-D18B-404A-BE94-7786D428C01D}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{39E6E4A6-E6C3-48D7-8D25-7E964D8CD46F}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{4D25F924-B9FE-4682-BF72-8AB8210D6D75}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{F3155057-4C2C-4078-8576-50486693FD49}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8EA86503-476F-476A-A55A-7225082DF3EB}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{315108E4-E3AF-460F-B264-F2ACC9E1ACEB}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D72A7651-8A16-476E-953C-347F0241FD32}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{53FE12C2-4429-488F-847B-7B285F8F6778}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{06CAD548-14DD-4FA3-9EA9-05F83C18CBD7}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{137E6E5E-A205-4657-A49F-1AB865787089}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6FC3C36D-7635-4D43-BA62-0D9D2F2CD06E}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{B5AF0562-94F3-42BD-F434-2604812C797D}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DB35C569-5624-4CFC-8043-E5139F55A073}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4F8A50F6-69DE-4BE3-A33A-A1079B9AC0DB}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{83A5F7B7-DC75-44CE-9195-264F41709FA9}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{84938242-5C5B-4A55-B6B9-A1507543B418}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AC212FB9-3883-461E-A559-37A4F6100FB0}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0626A63-410B-45E2-99A1-3F2475B2D695}\Compatibility Flags = "1024"	22CE389E63E27EB9AF106D70BEF9AF17.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "Regedit.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.js	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}\ProxyStubClsid	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "Notepad.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "batfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "Notepad.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "htafile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}\ProxyStubClsid	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}\TypeLib	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "cmdfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cmdfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jsfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "WScript.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "regfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "\"%1\" /S"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbefile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "%SystemRoot%\\system32\\mmc.exe \"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\Content Type = "application/hta"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "comfile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exefile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "Notepad.exe \"%1\""	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}\ProxyStubClsid32	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}\ProxyStubClsid32	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bat	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.vbs	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "JSFile"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\vbsfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htc\Content Type = "text/x-component"	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BF068D0-B735-11D3-B2CF-00500489D6A3}\TypeLib	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.com	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54F37842-CDD7-11D3-B2D4-00500489D6A3}	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cmd	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta\PersistentHandler	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.hta	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile\ShellNew	22CE389E63E27EB9AF106D70BEF9AF17.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1532	22CE389E63E27EB9AF106D70BEF9AF17.exe
1532	22CE389E63E27EB9AF106D70BEF9AF17.exe
1532	22CE389E63E27EB9AF106D70BEF9AF17.exe
1532	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe
Token: SeRestorePrivilege	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe
Token: SeShutdownPrivilege	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1532	22CE389E63E27EB9AF106D70BEF9AF17.exe
1532	22CE389E63E27EB9AF106D70BEF9AF17.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	28
PID 1532 wrote to memory of 1324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	28
PID 1532 wrote to memory of 1324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	28
PID 1532 wrote to memory of 1324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	28
PID 1532 wrote to memory of 1960	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	29
PID 1532 wrote to memory of 1960	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	29
PID 1532 wrote to memory of 1960	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	29
PID 1532 wrote to memory of 1960	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	29
PID 1532 wrote to memory of 1196	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	30
PID 1532 wrote to memory of 1196	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	30
PID 1532 wrote to memory of 1196	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	30
PID 1532 wrote to memory of 1196	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	30
PID 1532 wrote to memory of 1740	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	31
PID 1532 wrote to memory of 1740	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	31
PID 1532 wrote to memory of 1740	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	31
PID 1532 wrote to memory of 1740	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	31
PID 1532 wrote to memory of 1980	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	32
PID 1532 wrote to memory of 1980	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	32
PID 1532 wrote to memory of 1980	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	32
PID 1532 wrote to memory of 1980	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	32
PID 1532 wrote to memory of 952	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	33
PID 1532 wrote to memory of 952	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	33
PID 1532 wrote to memory of 952	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	33
PID 1532 wrote to memory of 952	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	33
PID 1532 wrote to memory of 964	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	34
PID 1532 wrote to memory of 964	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	34
PID 1532 wrote to memory of 964	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	34
PID 1532 wrote to memory of 964	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	34
PID 1532 wrote to memory of 2036	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	35
PID 1532 wrote to memory of 2036	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	35
PID 1532 wrote to memory of 2036	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	35
PID 1532 wrote to memory of 2036	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	35
PID 1532 wrote to memory of 1108	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	36
PID 1532 wrote to memory of 1108	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	36
PID 1532 wrote to memory of 1108	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	36
PID 1532 wrote to memory of 1108	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	36
PID 1532 wrote to memory of 956	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	39
PID 1532 wrote to memory of 956	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	39
PID 1532 wrote to memory of 956	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	39
PID 1532 wrote to memory of 956	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	39
PID 1532 wrote to memory of 948	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	40
PID 1532 wrote to memory of 948	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	40
PID 1532 wrote to memory of 948	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	40
PID 1532 wrote to memory of 948	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	40
PID 1532 wrote to memory of 1776	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	42
PID 1532 wrote to memory of 1776	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	42
PID 1532 wrote to memory of 1776	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	42
PID 1532 wrote to memory of 1776	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	42
PID 1532 wrote to memory of 1940	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	43
PID 1532 wrote to memory of 1940	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	43
PID 1532 wrote to memory of 1940	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	43
PID 1532 wrote to memory of 1940	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	43
PID 1532 wrote to memory of 1416	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	45
PID 1532 wrote to memory of 1416	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	45
PID 1532 wrote to memory of 1416	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	45
PID 1532 wrote to memory of 1416	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	45
PID 1532 wrote to memory of 324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	48
PID 1532 wrote to memory of 324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	48
PID 1532 wrote to memory of 324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	48
PID 1532 wrote to memory of 324	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	48
PID 1532 wrote to memory of 1856	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	49
PID 1532 wrote to memory of 1856	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	49
PID 1532 wrote to memory of 1856	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	49
PID 1532 wrote to memory of 1856	1532	22CE389E63E27EB9AF106D70BEF9AF17.exe	49

C:\Users\Admin\AppData\Local\Temp\22CE389E63E27EB9AF106D70BEF9AF17.exe
"C:\Users\Admin\AppData\Local\Temp\22CE389E63E27EB9AF106D70BEF9AF17.exe"
1⤵
- Modifies system executable filetype association
- Adds policy Run key to start application
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}\*.*" /a /q"
  2⤵
  PID:1324
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com2.{62D8ED13-C9D0-4CE8-A914-47DD628FB1B0}""
  2⤵
  PID:1960
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com4.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
  2⤵
  PID:1740
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}\*.*" /a /q"
  2⤵
  PID:1980
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\com6.{00C6D95F-329C-409a-81D7-C46C66EA7F33}""
  2⤵
  PID:952
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\*.*" /a /q"
  2⤵
  PID:964
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt2.{20D04FE0-3AEA-1069-A2D8-08002B30309D}""
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}\*.*" /a /q"
  2⤵
  PID:1108
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt3.{1D2680C9-0E2A-469d-B787-065558BC7D43}""
  2⤵
  PID:956
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}\*.*" /a /q"
  2⤵
  PID:948
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt6.{17cd9488-1228-4b2f-88ce-4298e93e0966}""
  2⤵
  PID:1776
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}\*.*" /a /q"
  2⤵
  PID:1940
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\Users\Admin\AppData\Roaming\lpt7.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}""
  2⤵
  PID:1416
- C:\Windows\system32\cmd.exe
  cmd /c "del "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\*.*" /a /q"
  2⤵
  PID:324
- C:\Windows\system32\cmd.exe
  cmd /c "rd "\\.\C:\WINDOWS\FONTS\COM4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}""
  2⤵
  PID:1856
- C:\Windows\system32\cmd.exe
  cmd /c "del \\.\C:\con.sys\*.* /a /q"
  2⤵
  PID:1264
- C:\Windows\system32\cmd.exe
  cmd /c "rd \\.\C:\con.sys"
  2⤵
  PID:588
- C:\Windows\system32\cmd.exe
  cmd /c "del \\.\C:\con.ini\*.* /a /q"
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  cmd /c "rd \\.\C:\con.ini"
  2⤵
  PID:436
- C:\Windows\system32\cmd.exe
  cmd /c "rd \\.\C:\con.usb"
  2⤵
  PID:1376
- C:\Windows\system32\cmd.exe
  cmd /c "del \\.\C:\con.usb\*.* /a /q"
  2⤵
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1532-54-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download