Malware Analysis Report

2025-01-18 22:28

Sample ID 240503-sada2sce86
Target clippy.png
SHA256 94108bed7f7a12a203282b5cfd8e1c85127f5888a434d2b8bf2c558ffda032c7
Tags
adware evasion persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94108bed7f7a12a203282b5cfd8e1c85127f5888a434d2b8bf2c558ffda032c7

Threat Level: Known bad

The file clippy.png was found to be: Known bad.

Malicious Activity Summary

adware evasion persistence stealer

Adds autorun key to be loaded by Explorer.exe on startup

Modifies firewall policy service

Modifies security service

Manipulates Digital Signatures

Modifies Installed Components in the registry

Registers new Print Monitor

Sets file execution options in registry

Registers COM server for autorun

Modifies system executable filetype association

Maps connected drives based on registry

Adds Run key to start application

Installs/modifies Browser Helper Object

Resource Forking

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

Modifies registry key

Runs regedit.exe

Suspicious behavior: LoadsDriver

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-03 14:54

Signatures

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:17

Platform

debian9-mipsel-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:16

Platform

win7-20240215-en

Max time kernel

519s

Max time network

421s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\clippy.png

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\MpsSvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security C:\Windows\system32\reg.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{1A6631C0-3EA2-11D1-AE01-006097C6A9AA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.20 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{1A6631C0-3EA2-11D1-AE01-006097C6A9AA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2000 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2002 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1A610570-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.25 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.11 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage\DEFAULT C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindLocalizedName C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A

Registers new Print Monitor

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe C:\Windows\system32\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print C:\Windows\system32\reg.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0036-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0051-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E170-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0082-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E101-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE39F3D7-1B13-11D0-887F-00A0C90F2744}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0049-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12DCE806-EA8A-46AA-88DF-C4486EDB78E3}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4693FF15-B962-420A-9E5D-176F7D4B8321}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0025-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0084-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0061-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075731E-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E4356-F037-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DCA8D857-1A63-4045-8F36-8809EB093D04}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C815-3CFD-11D1-98BC-006008197D41}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0059-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0033-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0019-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0032-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573F0-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C811-3CFD-11D1-98BC-006008197D41}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1A8766A0-62CE-11CF-A5D6-28DB04C10000}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0094-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209F4-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E955-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0042-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1C4367A8-EAEE-4C23-9582-4A229DF2403E}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0032-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7DFFDF1-BD1F-450A-B98D-96B6D30BA4C1}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0024-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0028-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0043-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075737B-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757326-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{12DCE806-EA8A-46AA-88DF-C4486EDB78E3}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0053-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E174-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0048-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS C:\Windows\system32\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\system32\reg.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7B9379D2-E1E4-11D0-8444-00401C6075AA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\PICTS C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6C68955E-F965-4249-8E18-F0977B1D2899} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7A12547F-B772-4F2D-BE36-CE5D0FA886A1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6s.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{BF3FF9A2-AC03-40a1-BA0F-F31076325AA7} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CHECK_SIG C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{7778AA60-698A-41D9-9BF0-7AB41045AA7F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{01E198E3-24FF-4602-9944-65E7B323296D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8936033C-4A50-11D1-98A4-00A0C90F27C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wma C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\International C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{288F1523-FAC4-11CE-B16F-00AA0060D93D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\CompatibilityViewDomains C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9590092D-8811-11CF-8075-444553540000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\HTTP C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7eb01fb2-f185-445a-94e4-ec4e1ba2202c} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm4c.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{73D14237-B9DB-4EFA-A6DD-84350421FB2F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{26fe7361-bd5a-4dcb-b309-c6f42dde661c} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{60178279-6D62-43AF-A336-77925651A4C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8A674B4D-1F63-11D3-B64C-00C04F79498E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{91397D20-1446-11D4-8AF4-0040CA1127B6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3267123E-530D-4E73-9DA7-79F01D86A89F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CC45B0B0-72D8-4652-AE5F-5E3E266BE7ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggestAskUser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00020424-0000-0000-c000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{BF8C499A-AC6E-4F58-82EA-9E5FCC41C34B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\C1637989205DAFC7035F8D43D76CF87FD11E99DB C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9da1d2cb-796d-4bec-bbaa-0aa9ccd80e15} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HIGH_CONTRAST_BACKGROUND_IMAGES C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\P3\Write C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7C8780B2-793F-11D0-94AB-0080C74C7E95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E1A26BBF-26C0-401D-B82B-5C4CC67457E0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D74CA70F-2236-4BA8-A297-4B2A28C2363C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Default Behaviors C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{22FD7C0A-850C-4A53-9821-0B0915C96139} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3845A174-EB30-11D1-9A23-00A0C879FE5F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\DisableDevTools C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{72770C4F-967D-4517-982B-92D6B9015649} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AB237044-8A3B-42BB-9EE1-9BFA6721D9ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6bf52a52-394a-11d3-b153-00c04f79faa6}-32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BD8-3C52-11D0-9200-848C1D000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9F50E8B1-9530-4DDC-825E-1AF81D47AED6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{00020820-0000-0000-c000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D675E22B-CAE9-11D2-AF7B-00C04F99179F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm76.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{50E5E3D1-C07E-11D0-B9FD-00A0249F6B00} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{510a4910-7f1c-11ce-be57-00aa0051fe20} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\TrackingProtectionLists C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\B9BFD941CE483B77B1BE1941B470848A36AD39DB C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{010E6CBE-FE2B-11D0-B079-006008058A0E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5d08b586-343a-11d0-ad46-00c04fd8fdff} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\DE9132D488A64BA12FC5570359923764E37A50A6 C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A020BDC2-1562-11D4-80BB-0050DA1C04B5}\1.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{884CCD87-B139-4937-A4BA-4F8E19513FBE}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B4D59D63-7DE7-39BB-BE54-5A3FBDDCC423} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7063F23-7B53-11D3-80C5-00500487878E}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00020803-0000-0000-C000-000000000046}\Conversion\Readable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{48E73304-E1D6-4330-914C-F5F514E3486C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.fky C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.tiff\OpenWithProgids C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{039F7288-798D-4C42-9C72-921F176A16F4}\1.0\0\win32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0FEFEEBB-BD5B-4B11-92D5-D2CDEFDBEE58}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C963678-3A51-4B88-8531-98B90B6508F2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{852C7D42-794F-43CD-A18F-CD40E83E67CD} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DD8F80B8-9B80-4E89-9BEC-F12DF35E43B3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00067353-0000-0000-C000-000000000046}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2271DCCA-74FC-4414-8FB7-C56B05ACE2D7} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26B-98B5-11CF-BB82-00AA00BDCE0B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A69-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.ogm C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C7072C3-3AC4-408F-A680-FC5A2F96903E}\NumMethods C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3E0AF669-1CD8-3AFC-9F2C-E81C2B810135} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D2431A3D-F112-4A83-97B2-BC3CE3C9B73B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E986-E47C-11CD-8701-00AA003F0F07}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A51-F07E-4CA4-AF6F-BEF486AA4E6F}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CB728B20-F786-11CE-92AD-00AA00A74CD0}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{036FC9B1-59FF-48AF-87BD-5FFEC72639B6}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F5F4C30B-5D7F-45B1-A2FF-FB7A95A5C1E0}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FFCCE4C3-04ED-11D4-80B8-0050DA1C04B5}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2AAD260F-AC7C-4226-B40B-FF6E8B5C3BA1}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A7871829-0127-4257-B30D-11D4693E500E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Chart\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{44EC6F6A-7034-413A-B09F-D35DA14C844B}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BA72E55A-4FF5-48F4-8215-5505F990966F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/x-component C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6F2019BE-9E2E-3886-895B-7DC0D9FF1C5F}\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3765F18-F395-4B8C-8E95-DCB3FE8E7EC8}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF8EAAB5-EA07-4301-A290-AA5A7A381C31} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ABB0CA42-F82B-4622-84E4-6903AE90F210} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0002095F-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{942f72e2-b5ce-4e6c-8d76-0519b3f1bff7}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BFD12A4D-D96F-4504-81CB-0FED07AC05BD}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.gadget\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C18EAE4-BC25-4134-B7DF-1ECA1337DDDC}\AuxUserType C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{92D41A53-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{96E0DEE8-C1CA-38A5-A3C9-52DA9B5440EF} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{649E2263-DC09-466F-9D66-3EB133EE8F81}\NumMethods C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0E4469B7-D702-42C5-BC00-DB2C906FD244}\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2E9-98B5-11CF-BB82-00AA00BDCE0B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0006309D-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{504533CB-90F0-4ABA-8164-FA0BA94C00AA}\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\opensearchfilefolderresult\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71F7E96D-CCC3-4206-9964-BF0E87641EAB}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DB720590-756B-37F5-A0F1-608D0A6C666B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tp\shell\AddToPlaylistVLC C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLEScript C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E8557FA5-2DA8-4FD8-B9D1-523D3D6E0644} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2946CCCB-31C6-4323-92D4-B418F3E40B77} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F1F37152-1DB1-4901-AD9A-C740F99464B4} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2D363682-561D-4C3A-81C6-F2F82107562A}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Access.Shortcut.Form.1\shell\Preview C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftSolitaireSaveFile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{570358D9-5D96-493C-8738-57B6341B1753} C:\Windows\system32\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\System32\rundll32.exe N/A
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2328 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2328 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2328 wrote to memory of 800 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\clippy.png

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\reg.exe

reg delete HKLM /f

C:\Windows\system32\CompMgmtLauncher.exe

"C:\Windows\system32\CompMgmtLauncher.exe"

C:\Windows\system32\reg.exe

reg delete /?

C:\Windows\system32\reg.exe

reg delete HKCC /f

Network

N/A

Files

memory/2744-0-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2744-1-0x0000000000320000-0x0000000000321000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:10

Platform

android-x64-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:46

Platform

macos-20240410-en

Max time kernel

839s

Max time network

1571s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/clippy.png"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/clippy.png"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/clippy.png"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/clippy.png]

/bin/zsh

[/bin/zsh -c /Users/run/clippy.png]

/Users/run/clippy.png

[/Users/run/clippy.png]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CoreAuthentication.agent]

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd

[/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AccountPolicyHelper]

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper

[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.diagnosticd]

/usr/libexec/diagnosticd

[/usr/libexec/diagnosticd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.newsyslog]

/usr/sbin/newsyslog

[/usr/sbin/newsyslog]

Network

Country Destination Domain Proto
AU 40.79.173.41:443 tcp
DE 17.253.79.202:80 tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 e10499.dsce9.akamaiedge.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
GB 23.200.147.27:443 tcp
US 8.8.8.8:53 gspe35-ssl.ls-apple.com.akadns.net udp
US 8.8.8.8:53 gspe21-ssl.ls-apple.com.akadns.net udp
NL 23.209.125.28:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
IE 20.50.80.210:443 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 23.37.1.157:443 help.apple.com tcp
GB 23.37.1.157:443 help.apple.com tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 gsp-ssl.ls.apple.com udp
GB 17.253.77.203:443 gsp-ssl.ls.apple.com tcp
IE 17.57.146.88:5223 tcp
US 8.8.8.8:53 26-courier.push.apple.com udp
US 8.8.8.8:53 lb._dns-sd._udp.0.0.127.10.in-addr.arpa udp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Caches/GeoServices/Resources/altitude-1271.xml

MD5 fc82f60979c70408eead10c3a17cb8a1
SHA1 733136626039ac73ef4033453d53d8ca250cca75
SHA256 780e932d83cdee33ab7c0dd34b329b32653e40222967bf32756bcbdb83d03f3e
SHA512 62a17f74e47b3e76323f86e4cc17ef7c40dc5bf6bb7b5d0062a5bca5c3677bf9f68e3d1717e328cb99a88c4a879ec9861d2a3869f7c4fd8157496e522c3fc4e2

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 a60a7bcfc47eacaa66e5e3d701d3ba80
SHA1 7093ffc5beca33187c18461c7ff3259a1781ae35
SHA256 17e96efaf7f2e45e407a3c68fb57b78f09dea6fc1edf3732b888be4a4eadd468
SHA512 58736bd680d6c7a25b8d7db08fd4a258cf761dbaa44a5ece0c2b813ab12c20dc213ab40844dfc780687945cf2459f549f1a38bf3da16c5c332756f3b53e1c3a5

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 5f69e18ecb489c38c4dd3a8a3fa3d74d
SHA1 4c6af48f244033cafde37b2639a4bf07f454296f
SHA256 213c9137168b2d59967cdfb558cc9dd2736dc76def7eff4dd643cfda75de1cc4
SHA512 cbab6fb8d7dd212621e4af63e926f987521c1070c98649b5b68042293092e988a9fc5a6dce961d269d2369ada238e0c8caad6b0bc8d90d2fa2f98138a351a24d

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 95f24d2f9121654acd5a1c44e572082b
SHA1 ea13b61b35ef396ebe42f09e638a39f13b93fd9b
SHA256 2b7b2a1c679a5a0d2465351f35584f1eb6de22160daefb4cba351838f98f155e
SHA512 d1eaa0bd0b245f98a03d24197e02096400abea41f5a36905a41c777bedba15194f3de256c12b4f038e38267147986e8b9dd543189fdc6d1788d3c012bc63270d

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 1340033aca269b30874eafa2ec72adfe
SHA1 e1c0e123ffc93a5f22c906c7206a625a149944d1
SHA256 fb10f63de2c68693f4360c0c8cb0dd64e163dde54ffb9c97932d804df4a4f724
SHA512 587feb19b7dcfc422a0feb360fc1a855a766e518d8a16b0e6b1df509706c0b703270449e5688bcc584002f277981d6f1edbed996abdd81b8a402ba968c2d08e6

/Users/run/Library/Caches/GeoServices/Experiments.pbd

MD5 cbe2aa238267d080eaa29b5876cb62dc
SHA1 f3c18af136ed791c3aebd1a4a758743b8620fbb0
SHA256 03ffcd5435ec7d73640ccb657a64b56237a1c8a3939ff88d04eb0beea7e4870e
SHA512 a66d55808ad1585f2a307b75e2300d8da3f8e25346239f38a845ca937ada7bccf5e29a0e22fc2436bcbbdd1b6a1de84e7bfbf67e266835d241937e9f4389db15

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 54ac2dfc3277cc71d095814696c9d295
SHA1 8f0d1dfbdff79cd6d57bc961c6c3fd097ba48893
SHA256 c538c601d32e3052f7b1abeba70b33930f59b71d07abeb63578e4340334fc4da
SHA512 9c6feb5711798bb03f566cfdce44150d28e9ac7cf6b6668aef9e9293b367b91a00d69db06d07198a7e2e3c8ba161ef2238e143bea6b1957cc9298ce8e9e7009b

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:16

Platform

ubuntu1804-amd64-20240226-en

Max time kernel

0s

Command Line

[/tmp/clippy.png]

Signatures

N/A

Processes

/tmp/clippy.png

[/tmp/clippy.png]

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:16

Platform

debian9-armhf-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:16

Platform

debian9-mipsbe-20240226-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:37

Platform

win10v2004-20240419-en

Max time kernel

1800s

Max time network

1585s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\clippy.png

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\system32\reg.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{7801EBD0-CF4B-11D0-851F-0060979387EA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2005 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllLogMismatchPinRules\DEFAULT C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllProtectedRootMessageBox\DEFAULT C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.12.2.1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2007 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllProtectPrompt\DEFAULT C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2223 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllProtectedRootMessageBox C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.30 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{7801EBD0-CF4B-11D0-851F-0060979387EA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllProtectPrompt\DEFAULT C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{189A3842-3041-11D1-85E1-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.4 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16 C:\Windows\system32\reg.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8F5D9E08-71EC-370E-BA96-36E6EF916DF2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A

Registers new Print Monitor

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint C:\Windows\system32\reg.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe C:\Windows\system32\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\lnkfile\shellex C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\lnkfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\system32\reg.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0373-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0266-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0072-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0014-0002-0071-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0259-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0360-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0018-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0337-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0080-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0113-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0271-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0152-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0203-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0381-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0150-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0079-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0360-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0111-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0156-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0229-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0128-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0372-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0040-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0033-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AD1841CF-0EC5-4b59-ACC4-8329EED299F9}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0015-0000-0063-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0165-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0094-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0099-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0023-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0043-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0159-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0060-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0271-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0246-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0013-0001-0044-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0139-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0332-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0394-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0099-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0164-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\system32\reg.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{083863F1-70DE-11d0-BD40-00A0C911CE86} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8B21775E-717D-11CE-AB5B-D41203C10000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CDAF9CEC-F3EC-4B22-ABA3-9726713560F8} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{4A5BE5EE-CFAD-11D9-8FAD-0007E9AA247E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\TabProcessGrowth C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\7 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5z.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{F3834A2B-19CF-4A90-BE1D-ECC410D9DA09} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{11359F4A-B191-42D7-905A-594F8CF0387B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F7-45CA-11D2-831F-00A0244D2298} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7F1602-D44C-11d0-A7D9-AE3D17000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{992cffa0-f557-101a-88ec-00dd010ccc48} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD8C2179-1B4A-4951-B432-5DE3D1507142} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{DCC70A83-E184-40A3-906B-779AF5E941C4} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6p.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{ABBA001B-3075-11D6-88A4-00B0D0200F88} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\PREFETCH_PRERENDER C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9B2719DD-B696-11D0-A489-00C04FD91AC0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{BE4191FB-59EF-4825-AEFC-109727951E42} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4efe2452-168a-11d1-bc76-00c04fb9453b} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7F1232EE-44D7-4494-AB8B-CC61B10E21A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\33 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B375275F-4705-4D2C-88C1-A891105B9ABA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{70f641fd-9ffc-4d5b-a4dc-962af4ed7999} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D8089245-3211-40F6-819B-9E5E92CD61A2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5FBAF6E6-C64B-49DB-AB1B-F93C607EBC71} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\23 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{28953661-0231-41DB-8986-21FF4388EE9B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4F1E5B1A-2A80-42CA-8532-2D05CB959537} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{54274112-7A5E-11d2-875F-00A0C93C09B3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{208DD6A3-E12B-4755-9607-2E39EF84CFC5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BE6-3C52-11D0-9200-848C1D000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\Window_Title_CN C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0ECD9B64-23AA-11D0-B351-00A0C9055D8E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{261F6572-578B-40A7-B72E-61B7261D9F0C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSLREV C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Roaming\SearchSuggestion C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm4a.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0DDF3B5C-E692-11D1-AB06-00AA00BDD685} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{54274112-7A5E-11d2-875F-00A0C93C09B3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\INTERNATIONAL\IDN_INTRANET C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A08D67-9464-4E73-A549-2CC208AC60D3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6i.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{49C47CE5-9BA4-11D0-8212-00C04FC32C45} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm4o.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6D940280-9F11-11CE-83FD-02608C3EC08A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C3DFA998-A486-11d4-AA25-00C04F72DAEB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\1629BFB58E16192F41A50816D8448C301989E007 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{2318C2B1-4965-11D4-9B18-009027A5CD4F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\F14D6E86C5FEC67242111D83EEA3214170C09FF6 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1F7DD4F3-CAC3-11D0-A35B-00AA00BDCDFD} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{37de7045-5056-456f-8409-c871e0f8b0e0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9CDE7341-3C20-11D0-A330-00AA00B92C03} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f1e-c551-11d3-89b9-0000f81fe221} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{78A9B22E-E0F4-11D0-B5DA-00C0F00AD7F8} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYNOTDEFAULTBROWSER C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.divx\shell\PlayWithVLC\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002E170-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CF4F55F4-8F87-4D47-80BB-5808164BB3F8}\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECFBDB5E-ACD2-4530-AD79-4560B7FF055C}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\iso_8859-2 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2811B866-578B-37F2-B7FB-927DD993AB19}\15.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\anifile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0086-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0069-ABCDEFFEDCBC} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{162E354B-486D-4488-B052-81CE8B34FF5D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0127-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0395-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208D0-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\Protocol C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0064-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0227-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{850AF9D6-7309-40B5-BDB8-786C106B2153} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{92D41A76-F07E-4CA4-AF6F-BEF486AA4E6F}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65C78325-1031-491E-8FB6-EF9991AFE363}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Windows.Photos_8wekyb3d8bbwe!App\windows.fileTypeAssoci C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0031-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.f4v\shell\AddToPlaylistVLC\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\InprocServer32\15.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\Implemented Categories C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EAE50EB0-4A62-11CE-BED6-00AA00611080} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A44179A4-E0F6-403B-AF8D-D080F425A451}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0034-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0072-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC489AD4-23C4-4F4B-990F-45A51C7C0C4F}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\OOBERequestHandler.OOBERequestHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.mp4\shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0149-ABCDEFFEDCBB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0011-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0017-0000-0230-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0018-0000-0170-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0316-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9B4CD3E8-4981-101B-9CA8-9240CE2738AE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3F4F9726-2972-4DD4-AB7C-D119F36803B0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000209B2-0000-0000-C000-000000000046}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C63BD250-BCAA-11CE-B64D-00AA004CD6D8}\11.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000083-0000-0010-8000-00AA006D2EA4}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.mk3d\OpenWithProgIds C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\AppXde74bfzw9j31bzhcvsrxsyjnhhbq66cs C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F1130DDF-680C-5594-A2EC-ABCB0C521143}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0058-ABCDEFFEDCBB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0066-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9BDAC276-BE24-4F04-BB22-11469B28A496} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4063e791-da2d-5e4c-9113-5b6ba0a7c595}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0334-ABCDEFFEDCBB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0285-ABCDEFFEDCBC} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\CLSID\{CAFEEFAC-0016-0000-0047-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\themepackfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{40B92C37-5745-4872-96CE-24D0BE89763A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0913-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000244B6-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{305104AF-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PolicyCache\Microsoft.BioEnrollment_cw5n1h2txyewy C:\Windows\system32\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3320 wrote to memory of 736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 4312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 5036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 208 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 3664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 908 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3320 wrote to memory of 2148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\clippy.png

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\reg.exe

reg del hcku

C:\Windows\system32\reg.exe

reg /j

C:\Windows\system32\reg.exe

reg /?

C:\Windows\system32\reg.exe

reg delete 'hcku'

C:\Windows\system32\reg.exe

reg delete /?

C:\Windows\system32\reg.exe

reg delete HKLM /va

C:\Windows\system32\reg.exe

reg delete HKCR /va

C:\Windows\system32\reg.exe

reg deleete HCKR

C:\Windows\system32\reg.exe

reg delete HCKR /f

C:\Windows\system32\reg.exe

reg delete HKCR /f

C:\Windows\system32\reg.exe

reg delete * /f

C:\Windows\system32\reg.exe

reg delete HKCU /f

C:\Windows\system32\reg.exe

reg delete HKLM

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 211.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:09

Platform

android-x86-arm-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-03 14:54

Reported

2024-05-03 17:16

Platform

android-x64-arm64-20240221-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A