ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

Resubmissions

24/11/2023, 00:09

231124-aflv9see3x 6

23/11/2023, 23:51

231123-3wgkpsed3v 8

Analysis

max time kernel
396s
max time network
442s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2023, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[email protected]
Size

4.4MB
MD5

6a4853cd0584dc90067e15afb43c4962
SHA1

ae59bbb123e98dc8379d08887f83d7e52b1b47fc
SHA256

ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec
SHA512

feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996
SSDEEP

98304:XyDt6K4MJVnjOobt/JN1LA5elHc+S4fRp5UvluKo:XyDtK8bbxn+IHcBEV/F

Score

8^/10

persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 42 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\trust	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\trust	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher	regedit.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	regedit.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate = "04/01/14"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 52004f0043004b005300200020002d002000310000000000	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	regedit.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\HasLUAShield	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}\	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command\DelegateExecute = "{ea72d00e-4960-42fa-ba92-7792a7944c1d}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu\ = "{37ea3a21-7493-4208-a011-7f9ea79ce9f5}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ = "Windows Batch File"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers\Console	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\ = "@shell32.dll,-50944"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command\ = "\"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command\ = "%SystemRoot%\\System32\\NOTEPAD.EXE /p %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\IsShortcut	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command\ = "%SystemRoot%\\System32\\cmd.exe /C \"%1\" %*"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen\ = "{470C0EBD-5D73-4d58-9CED-E91E22E23282}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\IsShortcut	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"%1\" %*"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers\ShimLayer Property Page	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\HasLUAShield	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\FriendlyTypeName = "@shell32.dll,-4153"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\Extended	regedit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\EditFlags = 30000000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\SuppressionPolicyEx = "{F211AA05-D4DF-4370-A2A0-9F19C09756A7}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler\ = "{86C86720-42A0-1069-A2E8-08002B30309D}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\ = "Shortcut to MS-DOS Program"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\ = "Compatibility"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers\ShimLayer Property Page	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\ = "MS-DOS Application"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\EditFlags = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\ = "@shell32.dll,-50944"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon\ = "%1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "@%SystemRoot%\\System32\\acppage.dll,-6002"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers	regedit.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00024500-0000-0000-C000-000000000046}\InprocServer32\RuntimeVersion = "v2.0.50727"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE9472BF-B0C3-11D2-8D24-00A0C9441E20}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0168-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0254-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0045-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4955DD33-B159-11D0-8FCF-00AA006BCC59}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{da5a95c1-cb6b-4798-88a9-473c087d9464}\InProcServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0009-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B9033E87-33CF-4D77-BC9B-895AFBBA72E4}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEE2-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DA936B63-AC8B-11D1-B6E5-00A0C90F2744}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0035-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0391-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27C7D4DD-D73D-426A-AD9C-F989722095FD}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0043-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{efce38d3-8914-4674-a7df-ae1b3d654b8a}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f4d8c39a-f43d-42b4-9bdf-4e48d3044ba0}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00021400-0000-0000-C000-000000000046}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0139-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0386-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0155-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4075B76F-FCDC-43B6-B0B9-5A005B38B335}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6BC096E1-0CE6-11D1-BAAE-00C04FC2E20D}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A44FFB7-8140-432F-BEC5-1B5FF725BAC8}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9D5F55E3-B423-492F-AC3B-B7F6CBC563B9}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0049-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0068-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0335-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0A4B5474-4226-4D28-B4FC-369CC68A7211}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0345-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0212-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E846F0A0-D367-11D1-8286-00A0C9231C29}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5A4ED3BD-2F40-44B4-93DA-2B5ECC197B26}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B490264C-8D8F-40FD-B1BE-CD69AD779EC1}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0099-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0207-ABCDEFFEDCBB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0099-ABCDEFFEDCBA}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0331-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0143-ABCDEFFEDCBC}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0253-ABCDEFFEDCBA}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0268-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EFA97F08-EE06-42EC-AAAF-F8CB106247A2}\InProcServer32	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0342-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0149EEDF-D08F-4142-8D73-D23903D21E90}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B7BBD408-F09C-4aa8-B65E-A00B8FE0F0B9}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBC}\InprocServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E19F9331-3110-11D4-991C-005004D3B3DB}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00eebf57-477d-4084-9921-7ab3c2c9459d}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{19BA17F2-2602-4E77-9027-103894607626}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56871D63-FE46-4c7e-84BB-5DB82D4A99F8}\InProcServer32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0050-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	regedit.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\X:	[email protected]
File opened (read-only)	\??\A:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\O:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\D:	regedit.exe
File opened (read-only)	\??\B:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\F:	regedit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	msinfo32.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	msinfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	msinfo32.exe

Checks processor information in registry 2 TTPs 54 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz = "3000"	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data = ffffffffffffffff0000000000000000	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz = "3000"	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information = 00000000000000000100000000000100	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status = "2"	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision = 0000000001000000	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet = "823868927"	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data = ffffffffffffffff0000000000000000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier = "Intel64 Family 6 Model 61 Stepping 2"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier = "GenuineIntel"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status = "2"	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision = 0000000001000000	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet = "823868927"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision = 0000000001000000	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString = "Intel Core Processor (Broadwell)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier = "Intel64 Family 6 Model 61 Stepping 2"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 = "1"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier = "GenuineIntel"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision = 0000000001000000	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information = 00000000000000000000000000000000	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString = "Intel Core Processor (Broadwell)"	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	regedit.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier = "ACPI BIOS"	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSReleaseDate	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data = 01000000000000000000000000000000	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data = 01000000000000000000000001000000050000000800000000000000000000000000000000000000ffff0000	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	msinfo32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities = "33957"	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data = ffffffffffffffff0000000000000000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier = "UNKNOWN_KEYBOARD"	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier = "Intel64 Family 6 Model 61 Stepping 2"	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data = ffffffffffffffff0000000002000000050000000c0000000000000000000000000000008000fe0300003f00fe000100050000000800000000000000000000000000000000000c0000000400	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease = "255"	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information = 00000000000000000000000000000000	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "6acb0948-03226c32-A"	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information	regedit.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information = 280000000000000000000000ffffffff	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BootArchitecture	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease	regedit.exe
Set value (int)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMajorRelease = "0"	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information = 000000000000000000000000ffffffff	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier = "PCI"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer = "DADY"	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Capabilities	regedit.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	regedit.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	regedit.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information = 000000000000000000000000ffffffff	regedit.exe
Key created	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier	regedit.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	regedit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information	regedit.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion = "pc-q35-6.1"	regedit.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\35	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\31	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-powerpoint	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\17	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\9	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\12	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-excel	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\6	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\New Windows	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\20	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\PageSetup	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Setup	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\36	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\5	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\30	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Security	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\23	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\3	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0\{219ED5A0-9CBF-4F3A-B927-37C9E5C5F14F}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\13	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\25	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-word	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\14	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\18	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\29	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Download	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\11	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\word	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\22	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Help_Menu_URLs	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Zoom	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\24	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\DOMStorage	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21	regedit.exe
Key deleted	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE	regedit.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe%5Cresources.pri	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4af3663bb	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace48ea9bf97\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\0018C00BC20A2814	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.EnterpriseDataProtection	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.BthQuickPair	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000070	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4a450ec0e	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace47e810af5\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d7e5369da0bc36\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.NfpAppAcquire	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4af3663bb\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy%5Cresources.pri\1d5acddeb9898a7\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CWindows.CBSPreview_cw5n1h2txyewy%5Cresources.pri\1d5acdde3e269d3	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.WindowsUpdate.Notification	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.BitLockerPolicyRefresh	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.Print.Notification	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.HelloFace	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Software	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\EUDC	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4c5ed6b63\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe%5Cresources.pri	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.windows.narratorquickstart_8wekyb3d8bbwe%5Cresources.pri\1d5acdded540f4d\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe%5Cresources.pri	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Software\Microsoft\Speech_OneCore	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Software\Microsoft	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.AAD.BrokerPlugin_cw5n1h2txyewy%5Cresources.pri\1d5acdde7226641\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\AppData\S-1-15-2-536077884-713174666-1066051701-3219990555-339840825-1966734348-1611281757	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Accessibility\SlateLaunch	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\ClickToRun	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.ContentDeliveryManager_cw5n1h2txyewy%5Cresources.pri\1d5acddd82645c0\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Uninstall	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CProgram Files%5CWindowsApps%5CMicrosoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe%5Cresources.pri\1d5ace4f533928b\a37dfe62	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5Cmicrosoft.creddialoghost_cw5n1h2txyewy%5Cresources.pri\1d5acddee21b7ec	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.HTM\OpenWithList	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\PushNotifications\Backup\Windows.SystemToast.ServiceInitiatedHealing.Notification	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\System\GameConfigStore\Parents	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\International	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\Assemblies\0x00000409	regedit.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	regedit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}\LocalServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{46ABCF2E-9DD4-47A2-AB8C-C6408349BCD8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{de881c69-6642-54de-a8f7-d1a88b2404cf}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{624BD588-9060-4109-B0B0-1ADBBCAC32DF}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Psisdecd.ATSCTerrestrial.1	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BDATuner.ComponentTypes\CurVer	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f9a2c18-d89e-463e-b4f4-bb90152acc64}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BA9EB90-732C-11D0-8816-00A0C903B83C}\TypeLib	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4DE4F0E2-9E33-491B-BDD7-D653AC0F68A4}\ProxyStubClsid	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E8304B8-CBD1-44F8-B0E8-89C625B2002E}\TypeLib\ = "{0EA692EE-BB50-4E3C-AEF0-356D91732725}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0204-ABCDEFFEDCBA}\ = "Java Plug-in 1.6.0_204"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32BF870-EEE7-4AD2-AAF1-A87EFFCF00A4}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{19114AA9-1B93-3390-8108-20D7EE22F621}\15.0.0.0\RuntimeVersion = "v2.0.50727"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C3BEF65A-AC53-3CAC-BD71-1378B80751DE}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7F2775F-FC5C-44F9-858A-CAA061604440}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0287-ABCDEFFEDCBB}\ = "Java Plug-in 1.8.0_287"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CD6CB0A8-D6EF-33E8-888E-FE8C78CA568F}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\System.Security.Policy.GacMembershipCondition\ = "System.Security.Policy.GacMembershipCondition"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0295-ABCDEFFEDCBC}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{09D7E883-EB64-5A37-949E-3C0FA8ABDC7E}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{22FE8E9E-1B49-45E4-AC1C-5D7EE2ADA429}\AsynchronousInterface	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A666634D-333F-4CC9-AF78-65ED7DB1D6C3}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9E7D408-F27A-4471-B2F4-E76EFCBEBCCA}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0035-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBB}\InprocServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208AB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{34a05b20-4aab-11cf-ae2c-00aa006ebfb9}\ProxyStubClsid	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\ISO_8859-5\AliasForCharset = "iso-8859-5"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DC3A3D30-722C-3A39-BD0B-342DEF95E61E}\15.0.0.0\Class = "Microsoft.Office.Interop.Graph.XlDataSeriesType"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0AD67D92-C11B-419A-AA28-9045B4169097}\InProcServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0291-ABCDEFFEDCBB}\InprocServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DefragEngine.DefragEngine	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBA61194-67A5-59A7-A551-544F81088916}\ProxyStubClsid32\ = "{8BDCE735-A077-406B-B526-F1465DD4D35C}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{356F2F88-05A6-4728-B9A4-1BFBCE04D838}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96125FE4-250A-41E2-A473-A49A849703C8}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{b60de92b-4e12-55af-b42f-afe2d70ba278}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JSEFile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0141-ABCDEFFEDCBC}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{77148E19-0C14-4138-8FB4-E0F456F53E1D}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91493441-5A91-11CF-8700-00AA0060263B}\LocalServer32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{eb124705-128b-40d4-8dd8-d93ed12589a4}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208CB-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2BE230D0-625B-11E6-8B77-86F30CA893D3}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.heifs\Shell\setdesktopwallpaper\Command\DelegateExecute = "{ff609cc7-d34d-4049-a1aa-2293517ffcc6}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.png\Shell\3D Edit\command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2206CDB0-19C1-11D1-89E0-00C04FD7A829}\ProgID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0098-ABCDEFFEDCBA}\InprocServer32\ = "C:\\Program Files\\Java\\jre-1.8\\bin\\jp2iexp.dll"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B3F5BF64-7FC0-5D8C-978C-A38D5B18A51D}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\OneNote.Folder.1\shell\OpenAsReadOnly\ = "Open"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Application.16\ = "Microsoft Excel Application"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E558E87-DFA7-409C-80AE-DD74C0BA0933}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E5EAEB6-4B55-567E-9C56-2B62BF4EDE8F}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{c2ebcc97-d1f8-5bf2-bffd-ac43d71528ab}\ProxyStubClsid32	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{686ba761-d755-4927-929f-94c8f67af1df}\1.0\0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0063-ABCDEFFEDCBA}\ = "Java Plug-in 1.7.0_63"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{64805F97-C543-4545-8FB8-C376EB8AB099}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA67109E-367B-4956-9BA5-471DFFD20C0F}\ProxyStubClsid32	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2FDB9D9-E6E0-425A-899F-C9562549996D}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0F0928B7-11DD-31DD-A0D5-BB008AE887BF}\2.0.0.0	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1BE9600A-4635-35F3-9934-B4D25604732C}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Excel, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A761B997-6F90-3C4E-9677-EA06329D5926}\15.0.0.0\Assembly = "Microsoft.Office.Interop.Word, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FC07EF6E-37EF-5917-BE23-593807CAA80D}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7170F2E0-9BE3-11D0-A009-00AA00B605A4}\InprocServer32	regedit.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2720	notepad.exe
3544	notepad.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5064	regedit.exe

Runs regedit.exe 2 IoCs

pid	Process
2656	regedit.exe
3784	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2656	regedit.exe
3784	regedit.exe
2124	msinfo32.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4180	[email protected]
Token: SeCreatePagefilePrivilege	4180	[email protected]
Token: 33	320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	320	AUDIODG.EXE
Token: SeShutdownPrivilege	4180	[email protected]
Token: SeCreatePagefilePrivilege	4180	[email protected]
Token: SeShutdownPrivilege	4180	[email protected]
Token: SeCreatePagefilePrivilege	4180	[email protected]
Token: SeDebugPrivilege	1848	taskmgr.exe
Token: SeSystemProfilePrivilege	1848	taskmgr.exe
Token: SeCreateGlobalPrivilege	1848	taskmgr.exe
Token: 33	1848	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1848	taskmgr.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4180	[email protected]
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe
1848	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2656	regedit.exe
2656	regedit.exe
3784	regedit.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\[email protected]
"C:\Users\Admin\AppData\Local\Temp\[email protected]"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c 0x320
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Checks BIOS information in registry
- Checks processor information in registry
- Enumerates system info in registry
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\sssss.reg"
1⤵
- Opens file in notepad (likely ransom note)
PID:2720

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1848

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe" "C:\Users\Admin\Desktop\sssss.reg"
1⤵
- Opens file in notepad (likely ransom note)
PID:3544

C:\Windows\regedit.exe
"regedit.exe" "C:\Users\Admin\Desktop\sssss.reg"
1⤵
- Checks BIOS information in registry
- Modifies system executable filetype association
- Registers COM server for autorun
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Runs .reg file with regedit
PID:5064

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Manipulates Digital Signatures
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Adds Run key to start application
- Enumerates connected drives
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\ResetClose.nfo"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
512KB

MD5
dba7f1ca7d6aa8017682b1320c9067b1

SHA1
2a87c336f7919c4ac0e6bb9a5844bcd7df3b08e7

SHA256
d067305e2af7a5c1d606cb1e52bd1b19faa6c53f61a6dcf9648ffd87183cca73

SHA512
8619f06f810455f5394c0be251c1c9452e6568e28870f1958a6647b6b1fc8aaa9b6ac631bf2639795495f00717735dfcbefc6b60b711551d31b19cb7f37d5aad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\Desktop\sssss.reg

Filesize
33.4MB

MD5
7795033b93f1d9df7f453bdcac8bb991

SHA1
df9f57c70e95e5039333af019a53a05fff873a91

SHA256
115ce80344a299229da501fb73411a9ea6ccf31f8459dfcf87d53c433c1d8772

SHA512
b25a84ebf698f5979369dff11b43ad2ce812348c73b4cdbbc7fc7eeed77ebc4eb553a50a740e7a32a0d82f288d0ba0d458054c0a312aaf4c5b74965ef5cc8c02

Download Submit
C:\Users\Admin\Desktop\sssss.reg

Filesize
33.4MB

MD5
3302ccd86b539b8594628fd58b5cb959

SHA1
a9d549fec48acd911ba5e834b6280c2a465e0732

SHA256
86e6ae5778c8fb4af604b472c41f67f9ec43fe61d9c7be02792d6fbf5c312307

SHA512
3aa9b5f3ac22c8e389c2fdb15cb29a918decb963bf86265469de950f75ff4a14976b1424f172fb03bc4c06421a6ea03dde522f445b603aa1fc5967c581442960

Download Submit
memory/1848-66-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-56-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-65-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-64-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-63-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-62-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-67-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-68-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-58-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/1848-57-0x0000025952700000-0x0000025952701000-memory.dmp

Filesize
4KB

Download
memory/4180-17-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-41-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-55-0x00007FFFB0710000-0x00007FFFB11D1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-40-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-39-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-38-0x00007FFFB0710000-0x00007FFFB11D1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-20-0x000000001D310000-0x000000001D31E000-memory.dmp

Filesize
56KB

Download
memory/4180-19-0x000000001D340000-0x000000001D378000-memory.dmp

Filesize
224KB

Download
memory/4180-18-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-0-0x0000000000350000-0x00000000007B4000-memory.dmp

Filesize
4.4MB

Download
memory/4180-16-0x000000001B4E0000-0x000000001B4E8000-memory.dmp

Filesize
32KB

Download
memory/4180-14-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-3-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-2-0x000000001B4D0000-0x000000001B4E0000-memory.dmp

Filesize
64KB

Download
memory/4180-1-0x00007FFFB0710000-0x00007FFFB11D1000-memory.dmp

Filesize
10.8MB

Download