08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105

Analysis

max time kernel
36s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-02-2023 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe
Size

20KB
MD5

30a45c1799f30a182284b627f6fbc99a
SHA1

f914e0f954d92ce8dffb662516e4fe9a3a67c637
SHA256

08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105
SHA512

ea53b4a023c966110de098edfd404cc040e262884dc7f02b8e48bbec55c52456dc822d0ad08257cea70f60309381403f359979965ab21508b64c6cfb482f7a3b
SSDEEP

96:euv6Sy9pU03fpfc1FDWLWLmXz9fgFyc2:nG9Wp60mxfJc

Score

10^/10

adware evasion persistence stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	reg.exe

Modifies firewall policy service 2 TTPs 36 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe

Modifies security service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\MpsSvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Parameters	reg.exe

Modifies system executable filetype association 2 TTPs 45 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe

Modifies Installed Components in the registry 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe

Registers new Print Monitor 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	reg.exe

Sets file execution options in registry 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	reg.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CEBC955E-58AF-11D2-A30A-00A0C903492B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\P3\Write	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6980ACA5-CFB6-11D0-BF8B-0000F81E8509}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BDE-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{974E1D88-BADF-4C80-8594-A59039C992EA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE0-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D92D7607-05D9-4DD8-B68B-D458948FB883}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{466d66fa-9616-11d2-9342-0000f875ae17}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7F1232EE-44D7-4494-AB8B-CC61B10E21A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F7629763-7562-4d3a-8468-6CA5563852B2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\PlaySound	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8D04238E-9FD1-41C6-8DE3-9E1EE309E935}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\Scripts\14	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\Scripts\34	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{648A5600-2C6E-101B-82B6-000000000014}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5b.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\FindProvidersURL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8CE3BAE6-AB66-40B6-9019-41E5282FF1E2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f1d-c551-11d3-89b9-0000f81fe221}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\FTPUI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{21347690-EC41-4F9A-8887-1F4AEE672439}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{261F6572-578B-40A7-B72E-61B7261D9F0C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4774922A-8983-4ECC-94FD-7235F06F53A1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{992cffa0-f557-101a-88ec-00dd010ccc48}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{EFEF7FDB-0CED-4FB6-B3BB-3C50D39F4120}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00021a13-0000-0000-c000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\CompatibilityViewDomains	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0006F063-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B375275F-4705-4D2C-88C1-A891105B9ABA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BF2-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Suggested Sites	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{E5E2F8B2-79A4-495C-8581-90BA2C845CC2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A968A4B4-C492-4834-B651-17602C3885C8}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RELEASE_CALLBACK_ON_STOP_BINDING	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\AllSitesCompatibilityMode	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{06BE7323-EF34-11d1-ACD8-00C04FA31009}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{28AB0005-E845-4FFA-AA9B-F4665236141C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DB640C86-731C-484A-AAAF-750656C9187D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F2175210-368C-11D0-AD81-00A0C90DC8D9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A17B153F-2267-4161-A165-73DCD6C31BEF}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\International\Scripts\36	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C533ADF1-0C80-11d1-8C54-00A02468F316}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C5B86F32-69EE-11d2-875F-00A0C93C09B3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{898EA8C8-E7FF-479B-8935-AEC46303B9E5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\DragDrop\{9da1d2cb-796d-4bec-bbaa-0aa9ccd80e15}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\URLSearchHooks	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{80F49562-6A9A-11d2-875F-00A0C93C09B3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9AADA567-04E0-11D4-9148-00C04F610D24}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20F22571-AA1C-4724-AD0A-BDE2D19D6163}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3DE48111-FA01-11D3-BDE3-0050DACD2017}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D481AC98-6FA1-11D4-8F71-0050DACD1F80}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{996BF5E0-8044-4650-ADEB-0B013914E99C}\Version	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C523F39F-9C83-11D3-9094-00104BD0D535}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8520DAD7C5154DD39846DB1714990E7F\SourceList\Media	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020965-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFFA805B-896A-41FF-9FE0-840DA6476686}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{03C85CD9-D760-3AA8-94BD-F774407391CB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EE7A93CF-9D9F-441E-9A83-9DF4ACD2E42E}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3C51B703-0A39-3894-A73A-0F4EBF240090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002093C-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{64480E73-E204-44D6-A460-D3315929C81C}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91493495-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDEADEF1-C265-11D0-BCED-00A0C90AB50F}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\pfmfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000500-0000-0010-8000-00AA006D2EA4}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000208A2-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D349328-10BE-42FF-9CF5-81810A2D9BE3}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{52B8A6AE-19A6-4FDF-8174-F56234FEB48B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2253A7C8-C563-386D-BDC6-B55E72015C02}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.xltm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1DDDB704-CF99-4B8A-B746-DABB01DD13A0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{32F6F4E0-0D7F-40DC-B812-E9C91F6CD5CB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD9DA664-8594-11D1-B16A-00C0F0283628}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9303F46-F5BB-4246-BB6F-ABF41609FDF9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF532CCD-0D74-11D4-9A74-0080C7FB3577}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{57AB7683-4274-37C0-944C-6F14A1980B4D}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DF2BBE39-40A8-433B-A279-073F48DA94B6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\00004100810000000000000000F01FEC	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0352-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{305104B7-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924C6BA5-40DF-404C-B599-26C7AA48CF0E}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{51973C2A-CB0C-11D0-B5C9-00A0244A0E7A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VSTA.xdr.8.0\shell\Open\ddeexec\Application	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\MiscStatus	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00020885-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00021267-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00024443-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9838AAB6-32FD-455A-823D-83CFE06E4D48}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B527E447-3D4D-44DF-B5E9-BD405421C0D1}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF02F16B-B6BD-427C-9EB2-74E02A6F1326}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020907-0000-0000-C000-000000000046}\InprocHandler32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ABC01078-F197-4B0B-ADBC-CFE684B39C82}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002446E-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{404FFE31-0437-4EB9-90F9-ECDE04B076BF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D2E96D4-34D8-4936-A277-92460F1B8C34}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AC717711-B7DB-11D3-80AD-0050DA5F5DCA}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB91FC57-B485-414A-A2D5-C7B776A95FCD}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\FStock.Factoid\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0356-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D4EB8D0-A434-4F3C-936A-FD2FB413DC2B}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9063868-81DA-4928-8243-68F33CC5F2CF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{824C0AE8-84B7-4CBA-BD42-FBBCD8B8797C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{961C9797-5831-4eae-AA02-565849D0A048}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{493D8A71-1DB1-11D1-98A2-006008197D41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{85967311-2AB5-4E7C-A12D-D587392E308B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EC9E51C1-4E5D-11D3-9144-00104BA11C5E}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18A06B6B-2F3F-4E2B-A611-52BE631B2D22}\Conversion\Readable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000C0399-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideMacroEnabled.12\shell\New	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1932	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 768	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	28
PID 912 wrote to memory of 768	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	28
PID 912 wrote to memory of 768	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	28
PID 912 wrote to memory of 768	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	28
PID 912 wrote to memory of 1212	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	29
PID 912 wrote to memory of 1212	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	29
PID 912 wrote to memory of 1212	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	29
PID 912 wrote to memory of 1212	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	29
PID 912 wrote to memory of 1708	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	31
PID 912 wrote to memory of 1708	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	31
PID 912 wrote to memory of 1708	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	31
PID 912 wrote to memory of 1708	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	31
PID 912 wrote to memory of 1248	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	34
PID 912 wrote to memory of 1248	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	34
PID 912 wrote to memory of 1248	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	34
PID 912 wrote to memory of 1248	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	34
PID 912 wrote to memory of 388	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	35
PID 912 wrote to memory of 388	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	35
PID 912 wrote to memory of 388	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	35
PID 912 wrote to memory of 388	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	35
PID 912 wrote to memory of 1484	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	37
PID 912 wrote to memory of 1484	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	37
PID 912 wrote to memory of 1484	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	37
PID 912 wrote to memory of 1484	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	37
PID 768 wrote to memory of 1932	768	cmd.exe	39
PID 768 wrote to memory of 1932	768	cmd.exe	39
PID 768 wrote to memory of 1932	768	cmd.exe	39
PID 768 wrote to memory of 1932	768	cmd.exe	39
PID 1212 wrote to memory of 588	1212	cmd.exe	38
PID 1212 wrote to memory of 588	1212	cmd.exe	38
PID 1212 wrote to memory of 588	1212	cmd.exe	38
PID 1212 wrote to memory of 588	1212	cmd.exe	38
PID 1708 wrote to memory of 1588	1708	cmd.exe	44
PID 1708 wrote to memory of 1588	1708	cmd.exe	44
PID 1708 wrote to memory of 1588	1708	cmd.exe	44
PID 1708 wrote to memory of 1588	1708	cmd.exe	44
PID 1248 wrote to memory of 704	1248	cmd.exe	43
PID 1248 wrote to memory of 704	1248	cmd.exe	43
PID 1248 wrote to memory of 704	1248	cmd.exe	43
PID 1248 wrote to memory of 704	1248	cmd.exe	43
PID 388 wrote to memory of 1688	388	cmd.exe	42
PID 388 wrote to memory of 1688	388	cmd.exe	42
PID 388 wrote to memory of 1688	388	cmd.exe	42
PID 388 wrote to memory of 1688	388	cmd.exe	42
PID 912 wrote to memory of 600	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	45
PID 912 wrote to memory of 600	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	45
PID 912 wrote to memory of 600	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	45
PID 912 wrote to memory of 600	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	45
PID 912 wrote to memory of 1860	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	47
PID 912 wrote to memory of 1860	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	47
PID 912 wrote to memory of 1860	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	47
PID 912 wrote to memory of 1860	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	47
PID 1484 wrote to memory of 280	1484	cmd.exe	46
PID 1484 wrote to memory of 280	1484	cmd.exe	46
PID 1484 wrote to memory of 280	1484	cmd.exe	46
PID 1484 wrote to memory of 280	1484	cmd.exe	46
PID 912 wrote to memory of 1360	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	50
PID 912 wrote to memory of 1360	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	50
PID 912 wrote to memory of 1360	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	50
PID 912 wrote to memory of 1360	912	08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe	50
PID 1860 wrote to memory of 2032	1860	cmd.exe	52
PID 1860 wrote to memory of 2032	1860	cmd.exe	52
PID 1860 wrote to memory of 2032	1860	cmd.exe	52
PID 1860 wrote to memory of 2032	1860	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe
"C:\Users\Admin\AppData\Local\Temp\08694264b281488ee7e62bb7a7ef8af4216a2eab64c51ad7859f518058a47105.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k ping 192.168.0.1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\PING.EXE
    ping 192.168.0.1
    3⤵
    - Runs ping.exe
    PID:1932
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_CURRENT_CONFIG\System\CurrentControlSet\SERVICES\TSDDD\DEVICE0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_CONFIG\System\CurrentControlSet\SERVICES\TSDDD\DEVICE0 /f
    3⤵
    PID:588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\Print\Printers /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_CONFIG\System\CurrentControlSet\Control\Print\Printers /f
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_CURRENT_CONFIG\Software\Fonts /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_CONFIG\Software\Fonts /f
    3⤵
    PID:704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_USERS\S-1-5-21-2047949552-857980807-821054962-504_Classes\windowsdefender /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_USERS\S-1-5-21-2047949552-857980807-821054962-504_Classes\windowsdefender /f
    3⤵
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_USERS\S-1-5-21-2047949552-857980807-821054962-504_Classes\read /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_USERS\S-1-5-21-2047949552-857980807-821054962-504_Classes\read /f
    3⤵
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_USERS\S-1-5-21-2047949552-857980807-821054962-504_Classes\ms-xgpueject /f
  2⤵
  PID:600
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_USERS\S-1-5-21-2047949552-857980807-821054962-504_Classes\ms-xgpueject /f
    3⤵
    PID:568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_LOCAL_MACHINE /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_LOCAL_MACHINE /f
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Modifies firewall policy service
    - Modifies security service
    - Modifies system executable filetype association
    - Modifies Installed Components in the registry
    - Registers new Print Monitor
    - Sets file execution options in registry
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Maps connected drives based on registry
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /k reg delete HKEY_CURRENT_USER /f
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_CURRENT_USER /f
    3⤵
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    PID:1744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Change Default File Association

T1042

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/280-69-0x0000000000000000-mapping.dmp

Download
memory/388-60-0x0000000000000000-mapping.dmp

Download
memory/568-72-0x0000000000000000-mapping.dmp

Download
memory/588-63-0x0000000000000000-mapping.dmp

Download
memory/600-67-0x0000000000000000-mapping.dmp

Download
memory/704-65-0x0000000000000000-mapping.dmp

Download
memory/768-56-0x0000000000000000-mapping.dmp

Download
memory/1212-57-0x0000000000000000-mapping.dmp

Download
memory/1248-59-0x0000000000000000-mapping.dmp

Download
memory/1360-70-0x0000000000000000-mapping.dmp

Download
memory/1484-61-0x0000000000000000-mapping.dmp

Download
memory/1588-64-0x0000000000000000-mapping.dmp

Download
memory/1688-66-0x0000000000000000-mapping.dmp

Download
memory/1708-58-0x0000000000000000-mapping.dmp

Download
memory/1744-73-0x0000000000000000-mapping.dmp

Download
memory/1860-68-0x0000000000000000-mapping.dmp

Download
memory/1932-62-0x0000000000000000-mapping.dmp

Download
memory/2032-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads