2711c03fe875ace84d319a3c23253fe2fc446d5d40364211c7323d9fa989df7c

Analysis

max time kernel
3s
max time network
28s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 01:48

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

3b95feaab29491ac65b7840f86436c25.exe
Size

68KB
MD5

3b95feaab29491ac65b7840f86436c25
SHA1

6074c1fd12e7d0213066ab1b1656397f45a43537
SHA256

2711c03fe875ace84d319a3c23253fe2fc446d5d40364211c7323d9fa989df7c
SHA512

0b3c1dc500e64c3f42ca70121c7dd3a5aab11718f165fd5c7f3da1e72f7b0c85f4cea4821ad17abdc0820dc53011b2b8f5786d23ba76002f02c585ea3a261c3e
SSDEEP

768:/8Auby53IqpHaZOCcHy77BwRdrW+ZnOZbtR0dkN6MyMZ/ytjirERfE0DJZFU5E:Oby19oZkH07BM14dtyk6M0DJ

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	reg.exe

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1A610570-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\trust	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2008	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindLocalizedName\LocalizedNames	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\SystemCertificates\trust\CRLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2008	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2003	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{189A3842-3041-11D1-85E1-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{1A6631C0-3EA2-11D1-AE01-006097C6A9AA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	reg.exe

Modifies Installed Components in the registry 2 TTPs 37 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}	reg.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm4s.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{283807B8-2C60-11D0-A31D-00AA00B92C03}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CC7DA087-B7F4-4829-B038-DA01DFB5D879}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B29-F830-49DE-A31B-5BB9D7F6B407}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{C1D79200-7718-4656-A7B2-F23046E264E7}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7l.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{26EC0B63-AA90-458A-8DF4-5659F2C8A18A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BD57A9B2-4E7D-4892-9107-9F4106472DA4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BE4191FB-59EF-4825-AEFC-109727951E42}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AECF5D2E-7A18-4DD2-BDCD-29B6F615B448}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LEGACY_DISPPARAMS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\DE9132D488A64BA12FC5570359923764E37A50A6	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00024512-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7F1232EE-44D7-4494-AB8B-CC61B10E21A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{33d9a760-90c8-11d0-bd43-00a0c911ce86}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{233A9694-667E-11d1-9DFB-006097D50408}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{29c13b62-b9f7-4cd3-8cef-0a58a1a99441}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E476CBFF-E229-4524-B6B7-228A3129D1C7}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\INTRANETFIRST	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{0C1E01A6-7923-46D8-8E3D-0F62B4A0250B}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\International\Scripts\22	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7007acc7-3202-11d1-aad2-00805fc1270e}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B6FFC24C-7E13-11D0-9B47-00C04FC2F51D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B1D4ED44-EE64-11D0-97E6-00C04FC30B4A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{889D2FEB-5411-4565-8998-1DD2C5261283}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7849596a-48ea-486e-8937-a2a3009f31a9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{84926CA0-2941-101C-816F-0E6013114B7F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{931a8c29-3ea9-494d-91e7-22e9a9247687}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{121E91E7-E915-4AA6-89F3-BA62D10A4C49}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{279D6C9A-652E-4833-BEFC-312CA8887857}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{76EE578D-314B-4755-8365-6E1722C001A2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\EmbedExtnToClsidMappings	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7i.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{46646B43-EA16-11CF-870C-00201801DDD6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4D4C9FEF-ED80-47EA-A3FA-3215FDBB33AB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6f.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AB237044-8A3B-42BB-9EE1-9BFA6721D9ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D256B2D9-9C58-445A-8C38-C3AAA84EF137}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9da1d2cb-796d-4bec-bbaa-0aa9ccd80e15}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\CompanyName	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6059B947-EC52-11CF-B509-00A024488F73}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8136114F-FAF9-11D3-B0D3-00C04F612FF1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSL2.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm71.dll	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Desktop\General	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6E2270FB-F799-11CF-9227-00AA00A1EB95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F08DF954-8592-11D1-B16A-00C0F0283628}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{92883667-E95C-443D-AC96-4CACA27BEB6E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A95845D8-8463-4605-B5FB-4F8CFBAC5C47}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E500-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2764BCE5-CC39-11D2-B639-00C04F79498E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3050F4F5-98B5-11CF-BB82-00AA00BDCE0B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{947F2947-2296-42FE-92E6-E2E03519B895}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\International\Scripts\36	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\International\Scripts	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3050f4d8-98b5-11cf-BB82-00AA00BDCE0B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm50.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002000D-0000-0000-C000-000000000046}	reg.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bz2\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bzip2	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tar\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tar\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tgz\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open\ddeexec	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\JavaPlugin.10802	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bz2	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bzip2\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bzip2\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.rar\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tar\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bz2\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bz2\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tgz\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.7z	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.gz	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.rar\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.rar\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tar	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\MuiCache	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.7z\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.7z\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.gz\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.gz\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.rar	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tgz\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.tgz	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\JavaPlugin.10802\CLSID	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.bzip2\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.gz\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\7-Zip.7z\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\DefaultIcon	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB\shell	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\FirefoxPDF-308046B0AF4A39CB	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	reg.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1108	shutdown.exe
Token: SeRemoteShutdownPrivilege	1108	shutdown.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1312	2236	3b95feaab29491ac65b7840f86436c25.exe	28
PID 2236 wrote to memory of 1312	2236	3b95feaab29491ac65b7840f86436c25.exe	28
PID 2236 wrote to memory of 1312	2236	3b95feaab29491ac65b7840f86436c25.exe	28
PID 2236 wrote to memory of 1312	2236	3b95feaab29491ac65b7840f86436c25.exe	28
PID 2236 wrote to memory of 1108	2236	3b95feaab29491ac65b7840f86436c25.exe	30
PID 2236 wrote to memory of 1108	2236	3b95feaab29491ac65b7840f86436c25.exe	30
PID 2236 wrote to memory of 1108	2236	3b95feaab29491ac65b7840f86436c25.exe	30
PID 2236 wrote to memory of 1108	2236	3b95feaab29491ac65b7840f86436c25.exe	30
PID 2236 wrote to memory of 1736	2236	3b95feaab29491ac65b7840f86436c25.exe	33
PID 2236 wrote to memory of 1736	2236	3b95feaab29491ac65b7840f86436c25.exe	33
PID 2236 wrote to memory of 1736	2236	3b95feaab29491ac65b7840f86436c25.exe	33
PID 2236 wrote to memory of 1736	2236	3b95feaab29491ac65b7840f86436c25.exe	33
PID 1312 wrote to memory of 1168	1312	cmd.exe	32
PID 1312 wrote to memory of 1168	1312	cmd.exe	32
PID 1312 wrote to memory of 1168	1312	cmd.exe	32
PID 1312 wrote to memory of 1168	1312	cmd.exe	32
PID 2236 wrote to memory of 2320	2236	3b95feaab29491ac65b7840f86436c25.exe	35
PID 2236 wrote to memory of 2320	2236	3b95feaab29491ac65b7840f86436c25.exe	35
PID 2236 wrote to memory of 2320	2236	3b95feaab29491ac65b7840f86436c25.exe	35
PID 2236 wrote to memory of 2320	2236	3b95feaab29491ac65b7840f86436c25.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1168	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3b95feaab29491ac65b7840f86436c25.exe
"C:\Users\Admin\AppData\Local\Temp\3b95feaab29491ac65b7840f86436c25.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C attrib -A -R -S -H C:\ntldr & del /F /Q C:\ntldr
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Windows\SysWOW64\attrib.exe
    attrib -A -R -S -H C:\ntldr
    3⤵
    - Views/modifies file attributes
    PID:1168
- C:\Windows\SysWOW64\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -f -t 20 -c "YOU HAVE JUST LOST THE GAME"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "hkcu\Software" /f
  2⤵
  - Manipulates Digital Signatures
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:1736
- C:\Windows\SysWOW64\reg.exe
  "C:\Windows\System32\reg.exe" delete "hklm\Software" /f
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Manipulates Digital Signatures
  - Modifies Installed Components in the registry
  - Adds Run key to start application
  - Installs/modifies Browser Helper Object
  - Modifies Internet Explorer settings
  PID:2320