85370541ae0630c1bfb0ca871198c2534f0eb6e6319cab9a5980c568940c6ff3

Analysis

max time kernel
216s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows10Corruptions.zip
Size

25.9MB
MD5

58ced9055dad414215ccb68b9c03bf75
SHA1

fe0126aa4cba59bfa3cb3eeb1ce91b43832a1167
SHA256

85370541ae0630c1bfb0ca871198c2534f0eb6e6319cab9a5980c568940c6ff3
SHA512

06740e453829a2fbcba3a4e034106074eb221d79ba53051987ca9efac04306dc7c8408f2d8e74ea12071bd1eade79485a9a3d341679d3c22e29f7073d7b0349c
SSDEEP

786432:hT0wE+ZpLR9z1ITG06cdVVT+zCnz5UGvaaDWsY6kS:pa+fLR12q0HfCzmZaKNYs

Score

10^/10

adware evasion persistence stealer trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck = "\|E6IB9H431EG49-23CF-;F<;014EA208429HD\x7f%"	regedit.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000_Classes\lnkfile\shellex\ContextMenuHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "Cslelp43/hpp-/91=55#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "\|97E97;22.42B2/53::/D6I8-2<433E3060;F}#"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu\ = "{37ea3a21-7493-4208-a011-7f9ea79ce9f5}"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	regedit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\EditFlags = 390b0203	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "Ч͗ѻɳʹѧɯɓŲѯv&尀匀礀猀琀攀洀㌀㈀尀挀洀搀⸀攀砀攀\u2000⼀䌀\u2000∀─\u3100∀\u2000─⨀"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\ = "Compatibility"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\Console	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon\ = "%SystemRoot%\\System32\\shell32.dll,2"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\IsolatedCommand = "]%&5^&#&+#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command\DelegateExecute = "{fe84h31g16<91163gd1fc=6179;5c;;78c5h}#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\Extended	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "Application"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\FriendlyTypeName = "Dvihlm362fon-16185$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-68"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "̩UͺɷѸͦѭ͕pɱt̨尀匀礀猀琀攀洀㌀㈀尀一伀吀䔀倀䄀䐀⸀䔀堀䔀\u2000⼀瀀\u2000─\u3100"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\lnkfile\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "%SystemRoot%\\System32\\cmd.exe /C \"%1\" %*"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "\x7f;6D98750076A0-228</C6F;.4;122E3072=FÂ€%"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\ = "Wjqttcwt#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\NeverShowExt = "$"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\SuppressionPolicyEx = "\|F431AE391D8GI053830A4E0.:I3<C1<796A9Â€#"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield = "$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\ = "{1531d583-8375-4d3f-b5fb-d23bbd169f22}"	regedit.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	regedit.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	regedit.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5"	regedit.exe

Looks for VMWare Tools registry key 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\VMware, Inc.\VMware Tools	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\VMware, Inc.\VMware Tools	regedit.exe

Modifies Installed Components in the registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\LocalizedName = "@%SystemRoot%\\system32\\wmploc.dll,-128"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ComponentID = "IxvreTccl#"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\Version = "6/<09.4$"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ = "Microsoft Windows Media Player 12.0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\LocalizedName = "@%SystemRoot%\\system32\\themeui.dll,-2682"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Locale = ",#"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\IsInstalled = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\DontAsk = "2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Enabled = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\Enabled = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\ComponentID = "ADSI"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\ComponentID = "OVWDVduktx#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\ = "Burytmpi$Gpkapgimhquv%"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}\ComponentID = "Tridata"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Active Setup\Installed Components	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\StubPath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\IsInstalled = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}\Version = "11,1,17763,0"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "hn#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\ComponentID = "DOTNETFRAMEWORKS"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}\ = "Lowivoht Fyrnsvfs Drug$Ippwt&"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\ComponentID = "LhorGsqw&"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\IsInstalled = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\Version = "54,203:;83/0%"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\LocalizedName = "@%SystemRoot%\\system32\\shell32.dll,-32969"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\ = "Web Platform Customizations"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\ComponentID = "CCTGLH63b[6M#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}\Locale = "EN"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "2-2.3,9#"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}\Locale = "*"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\IsInstalled = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}\KeyFileName = "'TɼŵѵɦůŕͰɲ琀─尀猀礀猀琀攀洀㌀㈀尀洀猀椀攀昀琀瀀⸀搀氀氀"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\IsInstalled = "0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\StubPath = "D>_`Wipgszv__Uzwxfn43^`ki4ujplu0hxi /WsgsCrnfji%"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ = "HTML Help"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Version = "8-:,1/8;34$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\StubPath = "U"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Locale = ".%"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\ComponentID = "WMPACCESS"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ = "Themes Setup"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}\ComponentID = "MVO_Awwk#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\ComponentID = "HTMLHelp"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "5502011241,47798&"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}\ = "DirectDrawEx"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}\Version = "10,4/3796502$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ComponentID = "Theme Component"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}\Locale = "HQ#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}\Version = "33/3-5;:8603$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	regedit.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E515531-7A71-3CDD-8078-0A01C85C8F9D}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F00006F2-44BC-44EF-808B-B26002A183C2}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A57485B-151F-4868-945B-FBB95B574075}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F0-0000-0000-C000-000000000046}\InprocServer32\Class = "Mlftstphu1Oggkcf0Lnvesrt.Xotf2JnodbmGnews$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7071EC32-663B-4bc1-A1FA-B97F3B917C55}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{44CB442B-9DA9-49df-B3FD-023777B16E50}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{bbb5d0e2-6f4b-4c31-8744-22d0029c4b40}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E94137E0-92ED-4579-9251-18AF2A08CCD1}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E781F7F-9430-4F56-A233-70E6E0AC1AF9}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{61B3E12B-3586-3A58-A497-7ED7C4C794B9}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB002029-DC5F-45FC-A8D9-A6BE23A748AB}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AF7FEAD8-C345-4600-8894-6D6F0E5EDDCD}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3BBE95FE-C53F-11d1-B3A2-00A0C9083365}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41B89B6B-9399-11D2-9623-00C04F8EE628}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{882BC1E4-C79E-475D-8CC7-CC8D112FDB17}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F0183006-8A05-4180-846E-0A8452F6CA40}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{416ED4F7-AB31-11D1-BF72-0060083E43CF}\InprocServer32\Class = "Nkerrwpit2Qfilee0Kpxgsoq1Bfegwu.YieOqvjrquEoeuv$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020818-0000-0000-C000-000000000046}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4AF3F4A4-06C8-4B79-A523-633CC65CE297}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{33fd0563-d81a-4393-83cc-0195b1da2f91}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{934A7048-1E4A-4D6E-9A9A-CB739F519B07}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FA9342F0-B15B-473C-A746-14FCD4C4A6AA}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\Class = "Qleurvqjx.Rjflcg1Lpuisrt1Bcggsw0Ddp0QumwHFGpiiofFpats#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{10072CEC-8CC1-11D1-986E-00A0C955B42E}\InprocServer32\ThreadingModel = "Dtduwngot$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{334796A6-31DC-4B5D-8FD7-14E82186417C}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{76765b11-3f95-4af2-ac9d-ea55d8994f1a}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9F4F643B-8806-4861-8A79-6699E94DCF66}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCAE9D9B-E430-4454-8949-666D9F739994}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f4ba59cc-2506-45ae-84c8-78ea8d7f9b3e}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0968e258-16c7-4dba-aa86-462dd61e31a3}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{32B0C344-A3BB-4F6E-B8D9-E883BC150EEA}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6850404F-D7FB-32BD-8328-C94F66E8C1C7}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f6b13ba7-d626-45e5-82c5-26e596114dc0}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB012959-F4F6-44D7-9D09-DAA087A9DB57}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{aac1009f-ab33-48f9-9a21-7f5b88426a2e}\LocalServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EC529B00-1A1F-11D1-BAD9-00609744111A}\InprocServer32\ = "C:\\Windows\\System32\\ksproxy.ax"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED999FF5-223A-4052-8ECE-0B10C8DBAA39}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2025BCB1-370E-4103-9C34-883770F7F2A0}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3C633A2-46C8-498E-8FBB-CC6F721BBCDE}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{78317482-5b49-4093-9c34-2758fc63bef0}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BB5331F1-D8FF-4DDB-8A8F-2DF901123B33}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{c5b3bb9c-ed93-41c2-b340-e62b0d07652a}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7afb974e-3842-4106-a702-82a13e088f46}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27c98999-2895-4829-b080-5a8b65bd3db0}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8973b4ef-7da5-4031-a333-f65609a4dcf4}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E1D0AB13-2FE6-4DF0-8917-ED80CF0FEF6B}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E435C-F037-11CD-8701-00AA003F0F07}\InprocServer32\Class = "Microsoft.Office.Interop.Access._CheckBoxInOptionClass"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E9495B87-D950-4ab5-87A5-FF6D70BF3E90}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F7DD51E6-1CA0-4A76-B503-F96E0E64CA91}\InProcServer32\ = "C:\\Windows\\System32\\MbSmsApi.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7DF8EF76-D449-485f-B4EB-58DC96B31EDB}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E94F-E47C-11CD-8701-00AA003F0F07}\InprocServer32\15.0.0.0\Class = "Microsoft.Office.Interop.Access.CommandButtonClass"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6A08CF80-0E18-11CF-A24D-0020AFD79767}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{828B1AF2-C8F7-4694-BE09-68F5F4ED2EC2}\LocalServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F59D514C-F200-319F-BF3F-9E4E23B2848C}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{03837527-098B-11D8-9414-505054503030}\LocalServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1a9ca6d5-2488-46b1-b439-218f2314a059}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4286FA72-A2FA-3245-8751-D4206070A191}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ADE6444B-C91F-4E37-92A4-5BB430A33340}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C81B-3CFD-11D1-98BC-006008197D41}\InprocServer32\RuntimeVersion = "v2.0.50727"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{974C63D2-6846-4F6B-BF27-BF71ADB1E608}\InProcServer32	regedit.exe

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 49004e00540045004c00200020002d0020003600300034003000300030003000000056004d005700370031002e003000300056002e00310032003300340033003100340031002e004200360034002e003100390030003200310036003000370032003400000056004d0077006100720065002c00200049006e0063002e0020002d0020003100300030003000300000000000	regedit.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "%windir%\\system32\\SecurityHealthSystray.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VMware User Process = "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\ = "Nyoe!Elmeo!xp#Ddnl!EJO%"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\NoExplorer = "1"	regedit.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1344	3340	WerFault.exe	47
2868	3960	WerFault.exe	103
3792	3488	WerFault.exe	46

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = ffffffffffffffff0000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = 00000000000000000000000000000000	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Intel64 Family 6 Model 158 Stepping 10"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = ffffffffffffffff0000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = 010200049a020303	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status = "2"	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = 00000000000000000100000000000100	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision = 0000000096000000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "GenuineIntel"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "1025195519"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "2208"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = 0000000096000000	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status = "2"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "KfoxmnfJpvil$"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "Lqugo:7#Fepkp\| 9$Npeip 39<$Tvfqtmrh!23$"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "1025195519"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "2208"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 = "1"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision = 0000000096000000	regedit.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\16	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\19	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\20\Configuration Data = 05000000120000000000000000000000	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information = 280000000000000000000000ffffffff	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "YQNNPWQaKGYEOCUH#"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\13\Configuration Data = 080404000d0401000404000202000204	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\15\Configuration Data = 050000000d0000000000000000000000	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\17	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\26\Configuration Data = 05000000180000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\3\Configuration Data = 05000000010000000000000000000000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier = "ISA"	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\12\Identifier = "PCI"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\14\Identifier = "PCI"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\34\Component Information = 000000000000000000000000ffffffff	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\5\Component Information = 00000002020000000401030403000101	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\7	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\15\Component Information = 000000000000000000000000ffffffff	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\17\Identifier = "SEL#"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\22\Configuration Data = 05000000140000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\24\Configuration Data = 05000000160000000000000000000000	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "9db601d0-00000000-A"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = 01000000000000000000000001000000050000000800000000000000000000000000000000000000ffff0000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\12\Component Information = 000000000000000000000000ffffffff	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\26\Component Information = 02030103030103000400010203000200	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\33\Component Information = 000000000000000000000000ffffffff	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\5\Identifier = "PCI"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\8\Configuration Data = 05020300080301040402010104020004	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information = 00010303020300010400000204030400	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\13\Identifier = "PCI"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier = "PCI"	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\28	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\19\Identifier = "PCI"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\24\Identifier = "QCI#"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\24\Component Information = 000000000000000000000000ffffffff	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\33	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information = 00010003000100010103020303010302	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities = "17441"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\16\Configuration Data = 08040400120103030304040200030203	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\17\Component Information = 000000000000000000000000ffffffff	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\34	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\14\Configuration Data = 050000000c0000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\17\Configuration Data = 050000000f0000000000000000000000	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\29	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\6\Component Information = 000000000000000000000000ffffffff	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\8\Component Information = 000000000000000000000000ffffffff	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data = 0103030302010000030004040501000209040000001000000000000000000000000000000000020000000000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\10\Configuration Data = 05000000080000000000000000000000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\27\Identifier = "PCI"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\29\Configuration Data = 050000001b0000000000000000000000	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\33\Configuration Data = 07010002210403040001030102020300	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\35\Configuration Data = 09040100230401030304030304020100	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\6\Configuration Data = 05000000040000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Configuration Data = ffffffffffffffff0000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\23\Configuration Data = 05000000150000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\25\Configuration Data = 07030404170204030404000102020400	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\25\Component Information = 000000000000000000000000ffffffff	regedit.exe

Modifies Internet Explorer Protected Mode 1 TTPs 6 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\2500 = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "0"	regedit.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm4s.dll	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8FE7E181-BB96-11D2-A1CB-00609778EA66}\Compatibility Flags = "1024"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PHISHINGFILTER\HKeyRoot2 = "2147483650"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{0055C089-8582-441B-A0BF-17B458C2A3A8}\FWLink = "http://go.microsoft.com/fwlink/?LinkID=265486"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds\403 = "256"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL\winword.exe = "1"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\ed3e71a5_0	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{47206204-5ECA-11D2-960F-00C04F8EE628}\Compatibility Flags = "1024"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7B9379D2-E1E4-11D0-8444-00401C6075AA}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000\Software\Microsoft\Internet Explorer\ProtocolExecute\powerpoint	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{81361143-FAF9-11D3-B0D3-00C04F612FF1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ZOOMLEVEL\ValueName = "VevgtZornSqSucttyq6&"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = efd5e7f74995d805	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{438DA5E0-F171-11D0-984E-0000F80270F8}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A2EDA89A-0966-4B91-9C18-AB69F098187F}\Compatibility Flags = "1024"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6p.dll	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\PresentationHost.exe = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\MSCompatibilityMode\MSCompatibilityMode = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4DDB6D36-3BC1-11D2-86F2-006008B0E5D2}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\MOVSYSCARET\HelpID = "iexplore.hlp#50299"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\FWLink = "http://go.microsoft.com/fwlink/?LinkID=215317"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6D940285-9F11-11CE-83FD-02608C3EC08A}\Compatibility Flags = "1024"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9590092D-8811-11CF-8075-444553540000}\Compatibility Flags = "16384"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCESSIBILITY\ZOOMLEVEL	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SUGGESTED_SITES\Text = "Enable Suggested Sites"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Compatibility Flags = "1024"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4CECCEB1-8359-11D0-A34E-00AA00BDCDFD}\Compatibility Flags = "1024"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}\Version = "100.0.0.0-112.200.19110.0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm70.dll	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\UserAgent\UserAgent	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FRIENDLY_ERRORS\CheckedValue = "yes"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4FA211A0-FD53-11D2-ACB6-0080C877D9B9}\Compatibility Flags = "2097152"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7584c670-2274-4efb-b00b-d6aaba6d3850}\AlternateCLSID = "{6A6F4B83-45C5-4ca9-BDD9-0D81C12295E4}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\ACCELERATED_GRAPHICS\Type = "jurxt#"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6D940285-9F11-11CE-83FD-02608C3EC08A}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CF6866F9-B67C-4B24-9957-F91E91E788DC}\Compatibility Flags = "1024"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_ERROR_CACHE\HKeyRoot = "2147483649"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_INPUT_PROMPTS\HelpPane.exe = "1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C378864-D5C4-4D9C-854C-432E3BEC9CCB}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4F720B9C-24B1-4948-A035-8853DC01F19E}\Compatibility Flags = "1024"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{AF949550-9094-4807-95EC-D1C317803333}\FWLink = "iuts;03zkqfpzt/ojgupwsiv1crn3gn.yv2irufuoiv/hxrnqtgu/oaqekg/dhh-sqt#"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6C68955E-F965-4249-8E18-F0977B1D2899}\Compatibility Flags = "1024"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{98cb4060-d3e7-42a1-8d65-949d34ebfe14}\Compatibility Flags = "1024"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A3796166-A03C-418A-AF3A-060115D4E478}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{000D51DD-18E2-4D85-919A-10E3746C3F1C}\CompatibilityFlags = "0x0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{CC7E636D-39AA-49B6-B511-65413DA137A1}\Subcomponents\{48FFE35F-36D9-44bd-A6CC-1D34414EAC0D}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5d04f46-b4b2-4202-a191-f780421b4200}\AppName = "imjpdct.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\InPrivate = "res://ieframe.dll/inprivate.htm"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02466323-75ed-11cf-a267-0020af2546ea}	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{55963676-2F5E-4BAF-AC28-CF26AA587566}\Compatibility Flags = "1024"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\UNPUXHost.exe = "11000"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\D50177C73771E26F40660CA3C5076D73369AD830	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL3.0\Mask = "32"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\International\CodePointToFontMap = 1a000000540069006d006500730020004e0065007700200052006f006d0061006e00000000000000000000000000000000000000000000000000000000000000000000005300650067006f006500200055004900200048006900730074006f007200690063000000000000000000000000000000000000000000000000000000000000004d005600200042006f006c006900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000045006200720069006d006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004e00690072006d0061006c00610020005500490000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c00650065006c0061007700610064006500650020005500490000000000000000000000000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002000480069006d0061006c00610079006100000000000000000000000000000000000000000000000000000000004d00790061006e006d006100720020005400650078007400000000000000000000000000000000000000000000000000000000000000000000000000000000005300650067006f0065002000550049000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004d0061006c00670075006e00200047006f0074006800690063000000000000000000000000000000000000000000000000000000000000000000000000000000470061006400750067006900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004d006f006e0067006f006c00690061006e00200042006100690074006900000000000000000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f0066007400200054006100690020004c00650000000000000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f006600740020004e0065007700200054006100690020004c007500650000000000000000000000000000000000000000000000430061006d00620072006900610020004d00610074006800000000000000000000000000000000000000000000000000000000000000000000000000000000005300650067006f0065002000550049002000530079006d0062006f006c00000000000000000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002000590061004800650069000000000000000000000000000000000000000000000000000000000000000000000059007500200047006f007400680069006300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f006600740020004a00680065006e00670048006500690000000000000000000000000000000000000000000000000000000000530069006d00530075006e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f0066007400200059006900200042006100690074006900000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f0066007400200050006800610067007300500061000000000000000000000000000000000000000000000000000000000000004a006100760061006e0065007300650020005400650078007400000000000000000000000000000000000000000000000000000000000000000000000000000041007200610062006900630020005400790070006500730065007400740069006e006700000000000000000000000000000000000000000000000000000000004d0069006e0067004c00690055002d00450078007400420000000000000000000000000000000000000000000000000000000000000000000000000000000000530069006d00530075006e002d004500780074004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000c5000000200000007f00000000a0000000ff06000000000700004f07000001500700007f0700000080070000bf07000002c0070000ff07000003a0080000ff0800000000090000ff0d000004000e0000ff0e000005000f0000ff0f000006001000009f10000007a0100000ff1000000800110000ff11000009001200009f13000003a01300007f1600000a80160000ff1600000180170000ff1700000500180000af1800000bb0180000ff1800000a501900007f1900000c80190000df1900000de01900001f1a000005501c00007f1c000004d01c0000ff1c000004001d0000ff1f00000000200000222000000e23200000252000000f26200000262000000e272000002e2000000f2f2000002f2000000b30200000302000000e31200000312000000f32200000342000000e35200000382000000f392000003a2000000e3b2000003b2000000f3c2000003e200000003f200000432000000f44200000462000000e47200000562000000f57200000572000000e582000005d2000000f5e2000005f2000000e602000006f2000000f70200000942000000e952000009c2000000fa0200000bd20000000d0200000df2000000ee0200000012100000f02210000052100000e06210000062100000f072100001d2100000e1e210000212100000f22210000222100000e23210000232100000f242100003a2100000e3b2100003c2100000f3d2100004b2100000e4c2100004c2100000f4d2100004e2100000e4f2100004f2100000f502100005221000008532100005e2100000e5f2100005f21000008602100008821000010892100008921000011902100002a2300000e2b2300002f2300000f30230000cf2300000ed0230000db2300000fdc230000df2300000ee0230000fa2300000f00240000262400000f402400004a2400000f60240000732400000e74240000e92400000fea240000f42400000ef5240000752700000f762700007f2700000e80270000c22700000fc3270000c82700000ec9270000cb2700000fcc270000cc2700000ecd270000cf2700000fd0270000ee2700000eef270000ef2700000ff0270000ff2700000e00280000ff2800000f00290000ff2a00000e002b0000ff2b00000f002c00005f2c000001602c00007f2c000000802c0000ff2c000001002d00002f2d000008302d0000df2d000003e02d0000ff2d000008002e0000312e00000f322e0000422e000008802e0000f32e000012002f0000d52f000012f02f0000fb2f000013003000000330000013043000000430000012053000001730000013183000001c300000121d3000001e300000131f30000020300000122130000029300000132a3000003d300000123e3000003e300000133f3000003f3000001240300000ff30000011003100002f31000012303100008f3100000990310000ef31000012f0310000ff31000011003200001f3200000920320000443200001145320000453200000f46320000463200001147320000473200000f483200005f32000011603200007f3200000980320000ff3300001100340000bf4d000013c04d0000ff4d00000f004e0000a59f000013a69f0000b39f000012b49f0000bb9f000010bc9f0000c29f000011c49f0000c69f000011cc9f0000cc9f00001100a00000cfa4000014d0a40000ffa400000800a500003fa600000340a600009fa600000800a7000016a700000817a700001fa700000020a70000ffa700000830a800003fa800000440a800007fa800001560a900007fa900000980a90000dfa9000016e0a90000ffa900000760aa00007faa00000700ab00002fab00000300ac0000ffd700000900e00000fff800001300f900002dfa00001230fa00006dfa00001100fb0000fffb00000000fc00005bfc0000175efc000063fc00000064fc0000f1fc000017f2fc0000f4fc000000f5fc00003bfd0000173cfd00003ffd00000050fd0000f1fd000017f2fd0000f2fd000000f3fd0000f3fd000017f4fd0000f4fd000000f5fd0000f9fd000017fafd0000fdfd00000010fe00001ffe00001020fe000023fe00000024fe000026fe00000f30fe00006ffe00001070fe0000fcfe000000fffe0000fffe00000f00ff00009fff000011a0ff0000dcff000009e0ff0000eeff000012f0ff0000ffff00000880020100df02010001000301004f0301000180030100df03010001000401004f0401000f500401007f0401000180040100af04010003000801005f08010001000901003f09010001a00901007f0a010001400b01007f0b010001000c01004f0c010001001001007f10010001d0100100ff10010004002001007f24010001003001002f3401000100b00100ffb001001100d301005fd301000f00d40100ffd701000e00f00100fff601000f00f90100fff901000f00000200dfa602001800a702001fb802001820b80200afce02001900f802001ffa020018	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEFixedFontName = "Waok#"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AD5FBDB8-C518-47F7-B4F1-F1F58D21A716}\Compatibility Flags = "1024"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{E3286BF1-E654-42FF-B4A6-5E111731DF6B}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{00021a14-0000-0000-c000-000000000046}\BlockType = "1z2#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\BlockType = "0x00;0x40;0x40;0x40"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9478f640-7f1c-11ce-be57-00aa0051fe20}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C8F209F8-480E-454C-94A4-5392D88EBA0F}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E5D419D6-A846-4514-9FAD-97E826C84822}	regedit.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "jvxp;13hr1nkgspsqgv2epo/fzpmrm3p/?NkokIeA459155#"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "ivxt>3/io/qkgvrtpiv2epm1fynlnm2p1?PkpnJf?399272&"	regedit.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\MobilePC\AdaptableSettings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Remote Assistance	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CPrintDialog%5Cresources.pri\1d44cc5c2941112\a37dfe62	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\69\52C64B7E\@%SystemRoot%\system32\flightsettings.dll,-103 = "Xjrepys$Knvighv#Wftwmdi%"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Control Panel\Desktop\WindowMetrics\SmCaptionFont = f703ff02000201000302000101030304bc0304040000000000000000005400610068006f006d00610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Save_Session_History_On_Exit = "rp#"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\PrivacyAdvanced = "1"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Console\FontFamily = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-19\Printers\DevModePerUser	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager\Renderers\SubscribedContent-338387	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies = "ħїɔňŒɑ͖P͈ŉ䰀䔀─尀䄀瀀瀀䐀愀琀愀尀䰀漀挀愀氀尀䴀椀挀爀漀猀漀昀琀尀圀椀渀搀漀眀猀尀䤀一攀琀䌀漀漀欀椀攀猀"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Explorer\wnsId = "Uzsxfo%"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\CharMode = "1x31420424#"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\TileDataModel\OldAUMIDs\Microsoft.Messaging_8wekyb3d8bbwe!App	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AccountsControl_cw5n1h2txyewy%5Cresources.pri	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\Colors\ColorHistory1 = "12826368"	regedit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\International\sGrouping = "3=0&"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Control Panel\PowerCfg\PowerPolicies\3\Name = "Ap{e\|s!Qn&"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\EUDC\950	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\Desktop\FontSmoothingType = "2"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Control Panel\Infrared\File Transfer\AllowSend = "1"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Speech\Preferences\AppCompatDisableMSAA\devenv.exe = "$"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Document Windows\height = 03030303	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Settings	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs	regedit.exe
Key created	\REGISTRY\USER\S-1-5-19\AppEvents\Schemes\Apps\.Default\AppGPFault\.Current	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\RestoreUp	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.SecHealthUI_cw5n1h2txyewy%5Cresources.pri\1d44cc5b9d05a27\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\resources. = "[irerzv#Uidytkx{%"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\AppEvents\EventLabels\LowBatteryAlarm	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\CTF\SortOrder\Language	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Keyboard\InitialKeyboardIndicators = "41486<6769$"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\s1159 = "DQ%"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Cortana_cw5n1h2txyewy%5Cresources.pri\1d44cc5bdd8cb83\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\resources.pri? ms- = "Siescl#"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CParentalControls_cw5n1h2txyewy%5Cresources.pri\1d44cc5afd90d30\a37dfe62	regedit.exe
Key created	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\SystemExit	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Control Panel\Colors\ButtonText = "3!4 4&"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy%5Cresources.pri\1d44cc5ddebaa52\a37dfe62\@{C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n = "Ojdtstqfx Cqtprrexkrr&"	regedit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.12228.20364\OfficeClickToRun.exe = 5504414350010000000000000007000000280000004820ad001fbcad0001000000000000000000000a0021000067077cbac54cd40100000000000000000200000028000000000000000000000000000000000000000000000000000000f8100d00000000000100000001000000	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Mouse\DockTargetPenDragOutWidth = "61&"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\Accessibility\Keyboard Response\Last Valid Repeat = "0"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows NT\CurrentVersion\TileDataModel	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\TimeOut\TimeToWait = "630403%"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.SoftLanding\Setting = "c<wqcst.e>sirklog.s>vicmlh,u:xsawt/t=exdlq.w:fdgke,s=nogl=fegke.s<dcqphs.t<mlvwhoirGrdbmfd,s:pqfm>tmpe,s<wilh0s;lsfk;wqauw-s<yqlr%"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Usb.Notification\appType = "crq;vywtfo#"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\WAB\WAB4\Wab File Name\ = "$"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\ime\IMTC70\PuncEnable = "4z14144142$"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\Notification.Looping.Alarm8	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "}gv%"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "}3430000103234-1123144330010044033404~#"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ = "%"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon = "mqhwgqp1epp'331447&"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-20\AppEvents\Schemes\Apps\.Default\Minimize\.Default	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Windows.Photos_2019.19071.17920.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d592f167dce088\a37dfe62\@{C:\Program Files\WindowsApps\Microsoft.Windows.Pho = "Sjqtqu#brs$"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Colors\WindowFrame = "214!230!224#"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.LocationManager\wnsId = "Tzsueq%"	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CPrintDialog%5Cresources.pri\1d44cc5c2941112\a37dfe62\@{C:\Windows\PrintDialog\resources.pri? ms-resource:///resources/DisplayName} = "PvmpuEibooi#"	regedit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	regedit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Wltixid=#"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\AppEvents\EventLabels\PanelSound\ = "Djwcpdmjucwmrn#Taoeo&"	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A48F6A2-4E17-4A86-ACA9-A93A958ECAFB}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5D6DAAA5-69B8-33EC-B902-21218FFC16C1}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DECBCB7-BAC0-316D-9131-43035C5CB480}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4557D1F9-A47E-5A8A-B6F2-74B42EF7F09E}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E7ED1C71-87F7-4378-A840-C9200DACEE47}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D04B46F-C8BD-45B4-8899-0400D7C2C60F}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F9F55E6B-65CC-43B3-9E39-F62BD18B0B9A}\ProxyStubClsid	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.SheetBinaryMacroEnabled.12\CLSID\ = "\x7f1322097314031.2304/F010-030431032269Â€#"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IAS.ExtensionHost.1\CLSID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ms-settings-screenrotation\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.xltx\PreviewDetails = "prop:System.Title;System.Author;System.Size;System.DateModified;System.Keywords;System.Category;System.ContentStatus;System.ContentType;System.OfflineAvailability;System.OfflineStatus;System.File.Owner;System.Subject;System.Comment;System.DateCreated;System.DateAccessed;System.Attributes;System.SharedWith;System.ComputerName;System.Document.LastAuthor;System.Document.DateCreated;System.Document.DateSaved;System.Document.DatePrinted"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{305106C2-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6ec9e41b-6709-5647-9918-a1270110fc4e}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{72E930A7-DE83-4FDC-B607-1BFC566A1E78}\ = "__x_Windows_CInternal_CData_CActivities_CIActivityIndexer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\1.0\0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BA35B84E-A623-471B-8B09-6D72DD072F25}\1.6\0\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A37D8B2-2256-3FE3-8BF0-4FC421A1244F}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBA0D1E4-ECC6-4148-94ED-F4B37EC05B3E}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000_Classes\7-Zip.deb	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mrw\Content Type = "image/MRW"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C10ECDDA-4D24-4224-84E3-4D58D5C46FDA}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{545AE700-50BF-11D1-9FE9-00600832DB4A}\MiscStatus	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{33129C95-D716-4FD4-81CD-43DEF9B39574}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A9B4786C-08E3-344F-A651-2F9926DEAC5E}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\IsShortcut = "$"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\DefaultIcon\ = "ШœѼͳ\u0378ͥɱTѳŰɶ̥尀匀礀猀琀攀洀㌀㈀尀椀洀愀最攀爀攀猀⸀搀氀氀Ⰰⴀ㜀㈀"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\Categories\d6c02d4b-6833-45b4-971a-05a4b04bab91\cba9e78b-49a3-49ea-93d4-6bcba8c4de07	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.LockApp_10.0.17763.1_neutral__cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPrefetcher.Internal.ContentPrefetcherTask.ClassId.1\CustomProperties	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0006F059-0000-0000-C000-000000000046}\InprocServer32\15.0.0.0	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{031E4825-7B94-4dc3-B131-E946B44C8DD5}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{884e2012-217d-11da-b2a4-000e7bbb2b09}\ProgID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D7EF888-1D3C-484A-A906-9F49D99BB344}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C90352F7-643C-4FBC-BB23-E996EB2D51FD}\TypeLib	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C03E8500-781E-49a1-8190-CE902D0B2CE7}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2292701737-974706272-3621264751-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C073D84-B51C-48C9-AA9F-68971E1F6E38}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D73733C7-CC80-11D0-B225-00C04FB6C2F5}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\PersistentHandler\ = "{098f2470-bae0-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C001B9AE-B645-4fbb-A37C-167F89B097A6}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3059007C-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5D00F5B1-A357-11D1-A19C-0000F875B132}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1C0A095-DF97-3441-BFC1-C9F194E494DB}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E68d2B3E-192D-448E-827E-239082D74DC6}\ = "Windows.Networking.UX.ProxyStub"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DXImageTransform.Microsoft.Matrix.1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{d14f6ec4-d2e2-5b57-ba0d-cb0bfac3ef13}\ = "FIVector_1_Windows__CDevices__CSms__CSmsMessageRegistration"	regedit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\4\1\0\0 = 8600320202040404314d3e3c11025456445554517f330403006e0009000400efbe2f4d3a3c2650db7a2e0000009d06000000000100000000000000000044000000000028f81f015300740061007200740020004d0065006e007500000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003600000018000000	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08F6C813-3CFD-11D1-98BC-006008197D41}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DEFDE5C9-0449-4377-9DE7-3B22163B8315}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{070996BF-13E3-4008-86A9-DFA7AF5D5A27}\ = "MCHPEopNgtsdhlqiKosvJbqfngv$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3050F5AB-98B5-11CF-BB82-00AA00BDCE0B}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000630FA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "}32020537-1334.3414/F1400421341033148}#"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B1F419E-0B45-42B1-A18C-3A2A8E1715DB}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DB283E60-7ADB-4CF6-9758-2931893A12FC}\ProxyStubClsid32	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppXe05qdnx2p14g0mw29139zqs9s5n3wcne\Shell\open\DesiredInitialViewState = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C10A0-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{056677EF-7E5C-55DD-9949-94B09922F64F}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB4D76FE-8863-4027-9D8A-4A00BEDF74D7}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3DD4F92-658A-410F-84FD-6FBBBEF2FFFE}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F0248C1-62B3-42D7-B927-029119E6AD14}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{816efc7d-b90b-551f-ae4c-ce1f75a3d067}\ProxyStubClsid32\ = "\x7f9gc7dh52.e7e814eee1fc4g05;8dehh6ed81}$"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84302F97-7F7B-4040-B190-72AC9D18E420}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8abbc53e-fa55-4ecf-ad8e-c984e5dd1550}\ProxyStubClsid32	regedit.exe

Runs .reg file with regedit 5 IoCs

pid	Process
3036	regedit.exe
2336	regedit.exe
1080	regedit.exe
4016	regedit.exe
3860	regedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Windows10Corruptions.zip
1⤵
PID:4532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2020

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Documents\Windows10Corruptions\ShiftedHKU.reg"
1⤵
- Modifies system executable filetype association
- Looks for VMWare Tools registry key
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Runs .reg file with regedit
PID:3036

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Documents\Windows10Corruptions\ShiftedHKLM.reg"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies system executable filetype association
- UAC bypass
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Checks BIOS information in registry
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Runs .reg file with regedit
PID:2336

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Documents\Windows10Corruptions\ShiftedHKCU.reg"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Looks for VMWare Tools registry key
- Modifies Installed Components in the registry
- Adds Run key to start application
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Runs .reg file with regedit
PID:1080

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Documents\Windows10Corruptions\ShiftedHKCR.reg"
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Modifies registry class
- Runs .reg file with regedit
PID:4016

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 432 -p 3340 -ip 3340
1⤵
PID:3516

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Documents\Windows10Corruptions\ShiftedHKCC.reg"
1⤵
- Runs .reg file with regedit
PID:3860

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3340 -s 2480
1⤵
- Program crash
PID:1344

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3960
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3960 -s 520
  2⤵
  - Program crash
  PID:2868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 3960 -ip 3960
1⤵
PID:2528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 416 -p 3488 -ip 3488
1⤵
PID:4560

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3488 -s 4592
1⤵
- Program crash
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1656

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:228