0f74f24a5c1b60aca05d1292e91b351243b3cd95dda66cd6dfdd13e8fd0c26a0

Resubmissions

03-03-2023 01:44

230303-b6arcsfc9s 10

03-03-2023 01:42

230303-b4nv7sfc7z 7

03-03-2023 01:39

230303-b2ymmafg72 8

Analysis

max time kernel
750s
max time network
478s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2023 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

regdelete-readme-edits.zip
Size

102KB
MD5

c311b0155c1b4b6fa69907535561ab6e
SHA1

6f67ac188a59afe75c9823aa67c71f5965da3ed5
SHA256

0f74f24a5c1b60aca05d1292e91b351243b3cd95dda66cd6dfdd13e8fd0c26a0
SHA512

85fed902be923a86c69320568c2bf7e122a415f83cb82f414b4928da744d037e2096f2121289e988f6462da52a84bd8b0c70814e30e1f5182d64454a1c9d8484
SSDEEP

3072:YmKFecO/Q3TWn8N2ArDlz4N7/82WXYAikEC:0xO/Ln8RGNL8xriJC

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	smss.exe

Modifies system executable filetype association 2 TTPs 49 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\lnkfile\shellex\ContextMenuHandlers	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\lnkfile\shellex	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0097-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0015-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBC}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E169-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E17C-0000-0000-C000-000000000046}\InprocServer32\15.0.0.0	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\LocalServer32	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48B4E58D-2791-456C-9091-D524C6C706F2}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0075-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0013-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEEA-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0014-0001-0006-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBC}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{912ABC52-36E2-4714-8E62-A8B73CA5E390}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0036-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0055-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBC}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0054-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0072-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0018-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0052-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0068-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0024-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0050-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0041-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0088-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0025-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0028-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBC}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0039-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC7ADC2B-CC8C-48d2-A820-1BC605B0D3C7}\LocalServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0050-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\InprocServer32\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0099-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0064-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0059-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0058-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32	Process not Found

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	hell9o.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	smss.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	hell9o.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
560	3740	WerFault.exe	29

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	smss.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	smss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	smss.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	smss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	smss.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LinksBar	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-word	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\IETld	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Setup	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\23	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\36	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\4	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Settings	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\powerpoint	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Security	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-powerpoint	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\SQM	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-excel	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Services	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Document Windows	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21	smss.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	Process not Found
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "15"	Process not Found
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	Process not Found
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ra\shell\PlayWithVLC\command	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B3B9F9D0-EBFF-46A4-A847-D663D8B0977E}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/ec3	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6D07112F-B30D-47B4-B5CE-45B26C29205A}	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\Windows.Networking.ContentPre	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244EC-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE7C4271-210C-448D-9F54-76DAB7047B28}\ProxyStubClsid32	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91493460-5A91-11CF-8700-00AA0060263B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0091-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\00006100C80000000100000000F01FEC	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3051046C-98B5-11CF-BB82-00AA00BDCE0B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DFB6AA6C-1068-420F-969D-01280FCC1630}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage\1252	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3A37C5E-8D71-487D-A9E1-B9A1B3BA9CBB}\ProxyStubClsid32	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\powerpointxmlfile\shell\Open	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\.tod\OpenWithProgids	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.fh\AppXj4qrs60k02d8kcd8ycgdx89mga9t57z3	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage\1253	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CLSID	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3BD9B6CC-D6CF-34C9-A032-B9131B8081D4}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{603AEDF8-9575-4D30-B8CA-124D1C98EBD8}	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivatableClassId\ScreenClipping	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244BB-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0098-ABCDEFFEDCBB}	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34527502-D3DB-4205-A69B-789B27EE0414}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7C1462F-9736-466C-B2C1-B6B2DEDBF4A7}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSILink\shellex\ContextMenuHandlers\{1d27f844-3a1f-4410-85ac-14651078412d}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\Verb\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5730A90-1A2C-11CF-8C23-00AA006B6814}\InprocServer32	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5007373A-20D7-458F-9FFB-ABC900E3A831}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{64818D11-4F9B-11CF-86EA-00AA00B929E8}\AuxUserType\2	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{77F1B653-3AB7-4DF6-874C-1B8FD30C18A0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{863A99A0-21BC-11D0-82B4-00A0C90C29C5}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\InprocServer32	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBB}	smss.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.m4a	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBA}\InprocServer32	smss.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A68-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2B38398-BC32-437B-81C3-A2F6D8697568}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{03D65B1A-BBF6-3BDC-BC53-85E02415670D}\2.0.0.0	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C282417B-2662-44B8-8A94-3BFF61C50900}\Conversion\Readable	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A82536D7-C8E6-4CEF-AA66-11E97EDDFC6D}\InProcServer32	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D719729-5333-406C-BF12-8DE787FD65E3}\TypeLib	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C5621364-87CC-4731-8947-929CAE75323E}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{27D51657-6EA9-3956-A11C-C6303EC9A3AD}	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.vqf\shell\AddToPlaylistVLC	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244DB-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{501a5755-064c-5034-9e9a-1d94e924d5a8}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.html\AppX4hxtad77fbk3jkkeerkrm0ze94wjf3s9	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BFFC57B-DF4D-48F7-8C61-B3C969839F74}\InProcServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\Microsoft.Windows.ShellExperienceHost_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppXmam9qnhv75mk1bhtxjzdd92dgzf4	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocProtocol.MMS	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.vsdx\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0000009B-0000-0010-8000-00AA006D2EA4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00020988-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Template\CLSID	Process not Found
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2F01EB29-BD57-11D2-9238-00A02448799A}\ProxyStubClsid32	Process not Found

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
1908	Process not Found
1624	Process not Found
3468	Process not Found
768	Process not Found
2636	Process not Found
3724	Process not Found
816	Process not Found
4864	Process not Found
4912	Process not Found
4880	Process not Found
3200	Process not Found
4920	Process not Found
4668	Process not Found
4980	Process not Found
2980	Process not Found
2868	Process not Found
4896	Process not Found
3420	Process not Found
1556	Process not Found
3380	Process not Found
3412	Process not Found
4048	Process not Found
2284	Process not Found
3680	Process not Found
4332	Process not Found
2828	Process not Found
2816	Process not Found
844	Process not Found
2088	Process not Found
3088	Process not Found
3352	Process not Found
1336	Process not Found
1640	Process not Found
1984	Process not Found
1912	Process not Found
3028	Process not Found
4604	Process not Found
1428	Process not Found
2260	Process not Found
4008	Process not Found
2516	Process not Found
1888	Process not Found
4380	Process not Found
3312	Process not Found
2108	Process not Found
2988	Process not Found
2096	Process not Found
3832	Process not Found
4696	Process not Found
1568	Process not Found
1796	Process not Found
2652	Process not Found
1236	Process not Found
2296	Process not Found
552	Process not Found
3888	Process not Found
3144	Process not Found
1484	Process not Found
4120	Process not Found
4748	Process not Found
2584	Process not Found
4456	Process not Found
2720	Process not Found
2728	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2040	Process not Found
Token: SeCreatePagefilePrivilege	2040	Process not Found

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3532	Process not Found

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 1944	3208	hell9o.exe	103
PID 3208 wrote to memory of 1944	3208	hell9o.exe	103
PID 1944 wrote to memory of 4900	1944	cmd.exe	105
PID 1944 wrote to memory of 4900	1944	cmd.exe	105
PID 1944 wrote to memory of 3540	1944	Process not Found	9086
PID 1944 wrote to memory of 3540	1944	Process not Found	9086
PID 1944 wrote to memory of 4428	1944	Process not Found	8532
PID 1944 wrote to memory of 4428	1944	Process not Found	8532

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\regdelete-readme-edits.zip
1⤵
PID:1876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4672

C:\Users\Admin\Desktop\regdelete-readme-edits\hell9o.exe
"C:\Users\Admin\Desktop\regdelete-readme-edits\hell9o.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CLASSES_ROOT /f
    3⤵
    - Modifies system executable filetype association
    - Registers COM server for autorun
    - Modifies registry class
    PID:4900
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_CURRENT_USER /f
    3⤵
    PID:3540
- - C:\Windows\system32\reg.exe
    reg DELETE HKEY_LOCAL_MACHINE /f
    3⤵
    PID:4428

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 3740 -ip 3740
1⤵
PID:3628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3740 -s 1868
1⤵
- Program crash
PID:560

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa394e055 /state1:0x41c64e6d
1⤵
PID:3532

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 0000015c 00000084
1⤵
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4428

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000003ec 00000084
1⤵
- Modifies Installed Components in the registry
- Modifies system executable filetype association
- Adds Run key to start application
- Modifies Internet Explorer settings
PID:3540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\regdel.CMD

Filesize
159B

MD5
e26bcceba32f987399a0decf331f0697

SHA1
64540b56c5ff6dbb963faa50a85159c62edf7365

SHA256
0fd1b221f5a865fd9d796857f51724ad6460d409e2cffe8cfaef091daa689d05

SHA512
d96236da499970dfd6702150a5140e947547e50e3ec6b5ee3d7923ddcc637a01a9e747ecac0b81d4268cbe1a7788c63d5b4ec1373fc46318d8a5d676f510d508

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads