1786d9bdb752a866bba3beaa27f0b6e635e4c6449bcc32105539551758186492

Analysis

max time kernel
16s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AntivirusDefender-main/AntivirusDefender3.2.bat
Size

164B
MD5

0559cbad4de4ff67440f857255584ac4
SHA1

e75403dfca205ab43117b00e0300ade704fc0bf5
SHA256

3c980efd376b67af91d4088d9bf7aa426eba9181e2c96738888ee148a6a4e141
SHA512

138adf13cd645c38ed5a07bc398057f6ac967e06bffab8ba20c7cedcb3dcffe4402cd5cd988d0388f5ee186209038e452194926fed5d7ad80abff1003c9d1174

Score

8^/10

discovery persistence

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation\DEFAULT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.2	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.80.1!7	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{6078065b-8f22-4b13-bd9b-5b762776f386}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.10	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9FA65764-C36F-4319-9737-658A34585BB7}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.4	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2010	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CRLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{4ECC1CC8-31B7-45CE-B4B9-2DD45C2FF958}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9FA65764-C36F-4319-9737-658A34585BB7}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2222	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2007	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.4	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006	reg.exe

Modifies Installed Components in the registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8F5D9E08-71EC-370E-BA96-36E6EF916DF2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	reg.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4240	icacls.exe
2916	icacls.exe

Modifies system executable filetype association 2 TTPs 49 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\lnkfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0211-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0006-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0051-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0338-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0025-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0090-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0199-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0207-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0055-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0100-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0018-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0354-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0385-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0211-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0035-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0279-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0135-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0065-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0284-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0331-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0041-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0218-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7C50E1E9-DB15-4410-89C5-D27F4B727368}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0180-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0116-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0114-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0125-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0343-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0335-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0203-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f07f3920-7b8c-11cf-9be8-00aa004b9986}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0332-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0204-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0316-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0151-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0228-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0314-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0109-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0027-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0352-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0016-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0187-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0079-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0126-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0110-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0030-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0103-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0090-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0067-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7751F46E-39B2-4b50-A7E3-23EF598ECD85}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0254-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0168-ABCDEFFEDCBB}\InprocServer32	reg.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\DA5AFC10F5D3DBFDCB9E2A2506323260051D77CF	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{009541A0-3B81-101C-92F3-040224009C02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{02466323-75ed-11cf-a267-0020af2546ea}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1fb464c8-09bb-4017-a2f5-eb742f04392f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{59DC47A8-116C-11D3-9D8E-00C04F72D980}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7j.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ErrorThresholds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53655704-5956-11D3-91AA-005004B34F28}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\ms-settings-displays-topology	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1141B704-053E-11D0-9DF0-00C04FD7BF41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{38F03426-E83B-4E68-B65B-DCAE73304838}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A09AE68F-B14D-43ED-B713-BA413F034904}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B1D4ED44-EE64-11D0-97E6-00C04FC30B4A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D74CA70F-2236-4BA8-A297-4B2A28C2363C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E18AF75A-08AF-11D3-B64A-00C04F79498E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{22FC6CE8-7D47-479F-B74A-BFBB04ADB9AF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6h.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6v.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DPA	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7007ACCF-3202-11D1-AAD2-00805FC1270E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8D91090E-B955-11D1-ADC5-006008A5848C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{40F8967E-34A6-474A-837A-CEC1E7DAC54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8936033C-4A50-11D1-98A4-00A0C90F27C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C63344D8-70D3-4032-9B32-7A3CAD5091A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D02AAC50-027E-11D3-9D8E-00C04F72D980}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\AUTOAPPENDIE	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6n.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\CompatibilityViewDomains	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\ShowLeftAddressToolbar	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{08B0e5c0-4FCB-11CF-AAA5-00401C608501}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41473CFB-66B6-45B8-8FB3-2BC9C1FD87BA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{65104D73-BA60-4160-A95A-4B4782E7AA62}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9A60A782-282B-4D69-9B2A-0945D588A125}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA8A9780-280D-11CF-A24D-444553540000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ACR	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\Home_Page	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{98cb4060-d3e7-42a1-8d65-949d34ebfe14}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E56CCB42-598C-462D-9AD8-4FD5B4498C5D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INTRANET	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{855F3B16-6D32-4FE6-8A56-BBB695989046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\International	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8D13E03F-8289-4c15-A84F-7A8F655C830A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2BD0D2F2-52EC-11D1-8C69-0E16BC000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ECABAFC0-7F19-11D2-978E-0000F8757E2A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f29-c551-11d3-89b9-0000f81fe221}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\21	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{42C68651-1700-4750-A81F-A1F5110E0F66}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{DBB177CC-6908-4B53-9BEE-F1C697818D65}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f22-c551-11d3-89b9-0000f81fe221}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DOMStore	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EmbedExtnToClsidMappings	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm4u.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm64.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PolicyCache\Microsoft.WindowsStore_8wekyb3d8bbwe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7AC3193A-D19C-3FC5-8FC4-85D98E7A2F8F}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EDD019A1-DD0D-422F-9915-66E7C244BC81}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{13ED66C7-BF9F-48F4-9B32-A3C72336E4CA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.ogm	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\shell\OnenotePrintto	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11B48E3F-E93F-4960-8998-F755B4D9C64D}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{96274226-3195-4CDE-B0A0-0F6256C7A65A}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Extensions\ContractId\Windows.Launch\PackageId\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.19041.1023_neutral__cw5n1h2txyewy	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId\MicrosoftWindows.Client.CBS_120.2212.3920.0_x64__cw5n1h2txyewy\ActivatableClassId\InputApp.AppX654gddqdhxd9smyt91r9s0dr975jqnh9.mca	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000C0322-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2E3BD64B-6A82-4DA0-B49E-92A8B4BD59F4}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0313-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0072-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0379-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\ToolboxBitmap32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0002098B-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000209CE-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.TemplateMacroEnabled.12\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.cda\shell\AddToPlaylistVLC\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E6DD0F1D-9C5C-46C5-A289-A948999BF062}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0116-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244A3-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51973C55-CB0C-11D0-B5C9-00A0244A0E7A}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.obt\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0095-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020812-0000-0000-C000-000000000046}\LocalServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\printto\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PolicyCache\Microsoft.AccountsControl_cw5n1h2txyewy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0047-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7CF3EC7F-AC62-4CD6-BB30-39A464CB52CB}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\EntityDataProvider.EntityDataProvider\CurVer	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3062547-43D8-4DC2-B18E-E1460FF2C422}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0312-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{16C96DBE-E683-4BAB-9358-58C539857DE2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\text\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79EAC9D6-BAFA-11CE-8C82-00AA004BA90B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D3F22039-E3CF-4FC4-9A30-426A46056B8C}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FCCB82A4-40EF-3DE0-B972-4A14EBDC2B08}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C03BB-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0363-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0118-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0278-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0284-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{305104B5-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{44D14FEA-48E8-37D1-8446-AF942183D346}\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0241-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C077C822-476C-11D2-B73C-0000F87572EF}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{fc0a0b0f-4dcc-5257-bc61-3435e302ce1f}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.aac	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020900-0000-0000-C000-000000000046}\TreatAs	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\AppXbemgape21yns3k5pd4ah40jz06yq6xrk\Shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{982B1162-3DD7-4618-AF89-0C272D5D06D8}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A3CCEDF3-2DE2-11D0-86F4-00A0C913F750}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B722BCCA-4E68-101B-A2BC-00AA00404770}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0041-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0088-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0108-ABCDEFFEDCBA}	reg.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
1492	reg.exe
5012	reg.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	2392	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 4108	424	cmd.exe	86
PID 424 wrote to memory of 4108	424	cmd.exe	86
PID 424 wrote to memory of 4240	424	cmd.exe	87
PID 424 wrote to memory of 4240	424	cmd.exe	87
PID 424 wrote to memory of 2916	424	cmd.exe	88
PID 424 wrote to memory of 2916	424	cmd.exe	88
PID 424 wrote to memory of 4400	424	cmd.exe	89
PID 424 wrote to memory of 4400	424	cmd.exe	89
PID 424 wrote to memory of 1492	424	cmd.exe	7584
PID 424 wrote to memory of 1492	424	cmd.exe	7584
PID 424 wrote to memory of 5012	424	cmd.exe	7028
PID 424 wrote to memory of 5012	424	cmd.exe	7028

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\AntivirusDefender-main\AntivirusDefender3.2.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\system32\mountvol.exe
  mountvol x: /s
  2⤵
  PID:4108
- C:\Windows\system32\icacls.exe
  icacls x:
  2⤵
  - Modifies file permissions
  PID:4240
- C:\Windows\system32\icacls.exe
  icacls c:
  2⤵
  - Modifies file permissions
  PID:2916
- C:\Windows\system32\reg.exe
  reg delete HKCR /f
  2⤵
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Modifies registry class
  PID:4400
- C:\Windows\system32\reg.exe
  reg delete HKCU /f
  2⤵
  - Manipulates Digital Signatures
  - Modifies Installed Components in the registry
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Modifies registry key
  PID:1492
- C:\Windows\system32\reg.exe
  reg delete HKLM /f
  2⤵
  - Manipulates Digital Signatures
  - Modifies Installed Components in the registry
  - Modifies system executable filetype association
  - Registers COM server for autorun
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Modifies registry key
  PID:5012
- C:\Windows\system32\reg.exe
  reg delete HKU /f
  2⤵
  PID:1384
- C:\Windows\system32\reg.exe
  reg delete HKCC /f
  2⤵
  PID:3668

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
1⤵
PID:2216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:5012

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f4 00000084
1⤵
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2392-0-0x00000166C4B40000-0x00000166C4B50000-memory.dmp

Filesize
64KB

Download
memory/2392-16-0x00000166C4C40000-0x00000166C4C50000-memory.dmp

Filesize
64KB

Download
memory/2392-32-0x00000166CCFB0000-0x00000166CCFB1000-memory.dmp

Filesize
4KB

Download
memory/2392-34-0x00000166CCFE0000-0x00000166CCFE1000-memory.dmp

Filesize
4KB

Download
memory/2392-36-0x00000166CD0F0000-0x00000166CD0F1000-memory.dmp

Filesize
4KB

Download
memory/2392-35-0x00000166CCFE0000-0x00000166CCFE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads