Overview
overview
10Static
static
10The-MALWAR...2aed41
windows10-ltsc 2021-x64
3The-MALWAR...b54692
windows10-ltsc 2021-x64
3The-MALWAR...00f6c1
windows10-ltsc 2021-x64
3The-MALWAR...ka.exe
windows10-ltsc 2021-x64
7The-MALWAR...te.apk
windows10-ltsc 2021-x64
3The-MALWAR...en.apk
windows10-ltsc 2021-x64
3The-MALWAR...4a.apk
windows10-ltsc 2021-x64
3The-MALWAR...if.exe
windows10-ltsc 2021-x64
10The-MALWAR...il.exe
windows10-ltsc 2021-x64
8The-MALWAR...at.exe
windows10-ltsc 2021-x64
3The-MALWAR...an.exe
windows10-ltsc 2021-x64
The-MALWAR...sa.doc
windows10-ltsc 2021-x64
1The-MALWAR...er.com
windows10-ltsc 2021-x64
The-MALWAR...98.exe
windows10-ltsc 2021-x64
3The-MALWAR...aj.exe
windows10-ltsc 2021-x64
7The-MALWAR...jB.exe
windows10-ltsc 2021-x64
7The-MALWAR...om.exe
windows10-ltsc 2021-x64
6The-MALWAR...1C.exe
windows10-ltsc 2021-x64
5The-MALWAR...90.exe
windows10-ltsc 2021-x64
9The-MALWAR...6a.exe
windows10-ltsc 2021-x64
9The-MALWAR...it.exe
windows10-ltsc 2021-x64
3The-MALWAR...ng.exe
windows10-ltsc 2021-x64
7The-MALWAR....a.exe
windows10-ltsc 2021-x64
10The-MALWAR...il.vbs
windows10-ltsc 2021-x64
10The-MALWAR...1A.exe
windows10-ltsc 2021-x64
8The-MALWAR...as.exe
windows10-ltsc 2021-x64
6The-MALWAR...te.exe
windows10-ltsc 2021-x64
7The-MALWAR....a.exe
windows10-ltsc 2021-x64
3The-MALWAR...le.exe
windows10-ltsc 2021-x64
3The-MALWAR...us.exe
windows10-ltsc 2021-x64
10The-MALWAR...er.exe
windows10-ltsc 2021-x64
7The-MALWAR...ff.exe
windows10-ltsc 2021-x64
3Analysis
-
max time kernel
1800s -
max time network
1224s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
13-12-2024 18:01
Static task
static1
macroupxaspackv2macro_on_actiongeforcehoststealerguestdarkcometnjratmodiloaderremcosrevengeratwipelock
19 signatures
Behavioral task
behavioral1
Sample
The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.6fa938770e83ef2e177e8adf4a2ea3d2d5b26107c30f9d85c3d1a557db2aed41
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
5 signatures
1800 seconds
Behavioral task
behavioral2
Sample
The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.ac3467a04eeb552d92651af1187bdc795100ea77a7a1ac755b4681c654b54692
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
3 signatures
1800 seconds
Behavioral task
behavioral3
Sample
The-MALWARE-Repo-master/Trojan/XCSSETMacMalware/TrojanSpy.MacOS.XCSSET.A.d11a549e6bc913c78673f4e142e577f372311404766be8a3153792de9f00f6c1
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
3 signatures
1800 seconds
Behavioral task
behavioral4
Sample
The-MALWARE-Repo-master/Trojan/Zika.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
13 signatures
1800 seconds
Behavioral task
behavioral5
Sample
The-MALWARE-Repo-master/Trojan/elite.apk
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
3 signatures
1800 seconds
Behavioral task
behavioral6
Sample
The-MALWARE-Repo-master/Trojan/mobelejen.apk
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
3 signatures
1800 seconds
Behavioral task
behavioral7
Sample
The-MALWARE-Repo-master/Trojan/vi4a.apk
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
3 signatures
1800 seconds
Behavioral task
behavioral8
Sample
The-MALWARE-Repo-master/Virus/Floxif/Floxif.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
12 signatures
1800 seconds
Behavioral task
behavioral9
Sample
The-MALWARE-Repo-master/Virus/Gnil/Gnil.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
5 signatures
1800 seconds
Behavioral task
behavioral10
Sample
The-MALWARE-Repo-master/Virus/Mabezat/Mabezat.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
1 signatures
1800 seconds
Behavioral task
behavioral11
Sample
The-MALWARE-Repo-master/Virus/MadMan.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
0 signatures
1800 seconds
Behavioral task
behavioral12
Sample
The-MALWARE-Repo-master/Virus/Melissa.doc
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
4 signatures
1800 seconds
Behavioral task
behavioral13
Sample
The-MALWARE-Repo-master/Virus/Walker.com
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
0 signatures
1800 seconds
Behavioral task
behavioral14
Sample
The-MALWARE-Repo-master/Virus/WinNuke.98.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
1 signatures
1800 seconds
Behavioral task
behavioral15
Sample
The-MALWARE-Repo-master/Virus/Xpaj/xpaj.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
7 signatures
1800 seconds
Behavioral task
behavioral16
Sample
The-MALWARE-Repo-master/Virus/Xpaj/xpajB.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
7 signatures
1800 seconds
Behavioral task
behavioral17
Sample
The-MALWARE-Repo-master/Worm/Bezilom.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
4 signatures
1800 seconds
Behavioral task
behavioral18
Sample
The-MALWARE-Repo-master/Worm/Blaster/607B60AD512C50B7D71DCCC057E85F1C.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
3 signatures
1800 seconds
Behavioral task
behavioral19
Sample
The-MALWARE-Repo-master/Worm/Blaster/8676210e6246948201aa014db471de90.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
3 signatures
1800 seconds
Behavioral task
behavioral20
Sample
The-MALWARE-Repo-master/Worm/Blaster/8a17f336f86e81f04d8e66fa23f9b36a.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
9 signatures
1800 seconds
Behavioral task
behavioral21
Sample
The-MALWARE-Repo-master/Worm/Blaster/DComExploit.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
1 signatures
1800 seconds
Behavioral task
behavioral22
Sample
The-MALWARE-Repo-master/Worm/Bumerang.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
6 signatures
1800 seconds
Behavioral task
behavioral23
Sample
The-MALWARE-Repo-master/Worm/Fagot.a.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
31 signatures
1800 seconds
Behavioral task
behavioral24
Sample
The-MALWARE-Repo-master/Worm/HeadTail.vbs
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
7 signatures
1800 seconds
Behavioral task
behavioral25
Sample
The-MALWARE-Repo-master/Worm/Heap41A.exe
Resource
win10ltsc2021-20241023-en
windows10-ltsc 2021-x64
10 signatures
1800 seconds
Behavioral task
behavioral26
Sample
The-MALWARE-Repo-master/Worm/Mantas.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
5 signatures
1800 seconds
Behavioral task
behavioral27
Sample
The-MALWARE-Repo-master/Worm/NadIote/Nadlote.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
14 signatures
1800 seconds
Behavioral task
behavioral28
Sample
The-MALWARE-Repo-master/Worm/Netres.a.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
1 signatures
1800 seconds
Behavioral task
behavioral29
Sample
The-MALWARE-Repo-master/Worm/Nople.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
1 signatures
1800 seconds
Behavioral task
behavioral30
Sample
The-MALWARE-Repo-master/Worm/Vobfus/Vobus.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
9 signatures
1800 seconds
Behavioral task
behavioral31
Sample
The-MALWARE-Repo-master/rogues/AdwereCleaner.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
8 signatures
1800 seconds
Behavioral task
behavioral32
Sample
The-MALWARE-Repo-master/rogues/SpySheriff.exe
Resource
win10ltsc2021-20241211-en
windows10-ltsc 2021-x64
1 signatures
1800 seconds
General
-
Target
The-MALWARE-Repo-master/Worm/Fagot.a.exe
-
Size
373KB
-
MD5
30cdab5cf1d607ee7b34f44ab38e9190
-
SHA1
d4823f90d14eba0801653e8c970f47d54f655d36
-
SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f
-
SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3
-
SSDEEP
6144:Bjrk71gCl5D0nIMpAP40ShG4TmvgFNwUQs4zTBrgDYZJPSLJXaUtjk10he1:S79l5DixAPzwjegFNwVJzTLPSLJXT
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagot.a.exe -
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe" Fagot.a.exe -
Modifies firewall policy service 3 TTPs 25 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses\AutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords\Addresses\NonAutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm\DynamicKeywords Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\TenantRestrictions Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses\NonAutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\Mdm Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedInterfaces\IfIso Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords\Addresses\AutoResolve Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DynamicKeywords Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\Logging Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging Fagot.a.exe -
Modifies security service 2 TTPs 12 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\SERVICES\MPSSVC\PARAMETERS\ACSERVICE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\PortKeywords Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Security Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Security Fagot.a.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 26 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E92B03AB-B707-11d2-9CBD-0000F87A369E} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4BC71D-A88B-4943-BB3D-AF9C0E7D4387} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6EADE66-0000-0000-484E-7E8A45000000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9381D8F2-0288-11D0-9501-00AA00B911A5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5fd399c0-a70a-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45ea75a0-a269-11d1-b5bf-0000f8051515} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23A20C3C-2ADD-4A80-AFB4-C146F8847D79} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{de5aed00-a4bf-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6BAF60B-6E91-453F-BFF9-D3789CFEFCDD} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{630b1da0-b465-11d1-9948-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015F} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25FFAAD0-F4A3-4164-95FF-4461E9F35D51} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C028AF8-F614-47B3-82DA-BA94E41B1089} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6fab99d0-bab8-11d1-994a-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{990CB269-A600-38D0-B7D1-FBD392495F13} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A604D2C-E968-429B-8327-62B5CE52126D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4f645220-306d-11d2-995d-00c04f98bbc9} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3af36230-a269-11d1-b5bf-0000f8051515} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components Fagot.a.exe -
Boot or Logon Autostart Execution: Port Monitors 1 TTPs 13 IoCs
Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Ports Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\WSPrint\OfflinePorts Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\Adapters\IPP Fagot.a.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 48 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe Fagot.a.exe -
Manipulates Digital Signatures 1 TTPs 64 IoCs
Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.64.1.1!7 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2130 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CertDllLogMismatchPinRules Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2004 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.12 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.30 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{CF78C6DE-64A2-4799-B506-89ADFF5D16D6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{603BCC1F-4B59-4E08-B724-D2C6297EF351} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{1629F04E-2799-4DB5-8FE5-ACE10F17EBAB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\trust Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{64B9D180-8DA2-11CF-8736-00AA00A485EB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2001 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{C689AABA-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{0F5F58B3-AADE-4B9A-A434-95742D92ECEB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{603BCC1F-4B59-4E08-B724-D2C6297EF351} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{0AC5DF4B-CE07-4DE2-B76E-23C839A09FD1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{D1D04F0C-9ABA-430D-B0E4-D7E96ACCE66C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{06C9E010-38CE-11D4-A2A3-00104BD35090} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2\{1A610570-38CE-11D4-A2A3-00104BD35090} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSealedDigest\{DE351A43-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\2.5.29.32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.10 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{5598CFF1-68DB-4340-B57F-1CACF88C9A51} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.26 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps\{C689AAB8-8E78-11D0-8C47-00C04FC295EE} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetCaps Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{31D1ADC1-D329-11D1-8ED8-0080C76516C6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{D41E4F1F-A407-11D1-8BC9-00C04FA30A41} Fagot.a.exe -
Boot or Logon Autostart Execution: Print Processors 1 TTPs 2 IoCs
Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation.
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\winprint Fagot.a.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 7 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend Fagot.a.exe -
Modifies system executable filetype association 2 TTPs 54 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runas\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\Compatibility Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers\Compatibility Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\runasuser\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers\PintoStartScreen Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runas\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\edit\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\DefaultIcon Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\runasuser\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\DropHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\print Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers Fagot.a.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe" Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Fagot.a.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SystemSettings.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosrec.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mshta.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msfeedssync.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runtimebroker.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ie4uinit.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoadfsb.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe Fagot.a.exe -
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects Fagot.a.exe -
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum Fagot.a.exe -
Modifies WinLogon 2 TTPs 13 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{fbf687e6-f063-4d9f-9f4f-fd9a26acdd5f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{cdeafc3d-948d-49dd-ab12-e578ba4af7aa} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861} Fagot.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\DefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AltDefaultUserName = "COCK_SUCKING_FAGGOT" Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{FB2CA36D-0B40-4307-821B-A13B252DE56C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{8A28E2C5-8D06-49A4-A08C-632DAA493E17} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7933F41E-56F8-41d6-A31C-4148A711EE93} Fagot.a.exe -
Drops file in System32 directory 24 IoCs
description ioc Process File created C:\windows\SysWOW64\chcp.exe Fagot.a.exe File created C:\windows\SysWOW64\dumprep.exe Fagot.a.exe File created C:\windows\SysWOW64\imapi.exe Fagot.a.exe File created C:\windows\SysWOW64\chkntfs.exe Fagot.a.exe File created C:\windows\SysWOW64\shutdown.exe Fagot.a.exe File created C:\windows\SysWOW64\ntkrnlpa.exe Fagot.a.exe File created C:\windows\SysWOW64\alg.exe Fagot.a.exe File created C:\windows\SysWOW64\bootok.exe Fagot.a.exe File created C:\windows\SysWOW64\services.exe Fagot.a.exe File created C:\windows\SysWOW64\wuauclt.exe Fagot.a.exe File created C:\windows\SysWOW64\logon.exe Fagot.a.exe File created C:\windows\SysWOW64\MDM.exe Fagot.a.exe File created C:\windows\SysWOW64\recover.exe Fagot.a.exe File created C:\windows\SysWOW64\win.exe Fagot.a.exe File created C:\windows\SysWOW64\wowexec.exe Fagot.a.exe File created C:\Windows\SysWOW64\userinit32.exe Fagot.a.exe File created C:\Windows\SysWOW64\dllhost32.exe Fagot.a.exe File created C:\WINDOWS\SysWOW64\userinit.exe Fagot.a.exe File created C:\windows\SysWOW64\autochk.exe Fagot.a.exe File created C:\windows\SysWOW64\ctfmon.exe Fagot.a.exe File created C:\windows\SysWOW64\progman.exe Fagot.a.exe File created C:\windows\SysWOW64\regedit.exe Fagot.a.exe File created C:\windows\SysWOW64\ntoskrnl.exe Fagot.a.exe File created C:\windows\SysWOW64\systray.exe Fagot.a.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\NOTEPAD.EXE Fagot.a.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh Fagot.a.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Fagot.a.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Storport Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Device Parameters\Storport Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties Fagot.a.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A Fagot.a.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Device Parameters\Storport Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Device Parameters Fagot.a.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Fagot.a.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor Fagot.a.exe -
Enumerates system info in registry 2 TTPs 64 IoCs
description ioc Process Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 Fagot.a.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses Fagot.a.exe Key deleted \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 Fagot.a.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 Fagot.a.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral Fagot.a.exe -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{931a8c29-3ea9-494d-91e7-22e9a9247687} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{85bbd920-42a0-1069-a2e4-08002b30309d} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0006F071-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{22BF413B-C6D2-4D91-82A9-A0F997BA588C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\ThirdPartyCookies Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AutoComplete Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{8BCB5337-EC01-4E38-840C-A964F174255B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{B34B19F4-7EBE-46CB-807C-746E72EBB4B6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5DFB2651-9668-11D0-B17B-00C04FC2A0CA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{15D6504A-5494-499C-886C-973C9E53B9F1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{1F7DD4F2-CAC3-11D0-A35B-00AA00BDCDFD} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3050F67D-98B5-11CF-BB82-00AA00BDCE0B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3050f4d8-98b5-11cf-BB82-00AA00BDCE0B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\AutocompleteFormData Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\MULTIMEDIA\AUTOIMAGERESIZE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{974E1D88-BADF-4C80-8594-A59039C992EA} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{777D0B4C-75C9-4874-ABFF-80B4BE8DC532} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C63344D8-70D3-4032-9B32-7A3CAD5091A5} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{25B0F91C-D23D-11D0-9B85-00C04FC2F51D} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5k.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C1908682-7B2C-4AB0-B98E-183649A0BF84} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E500-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\487B786451026BAEFD474B8758C058D538EC35CB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AECF5D2E-7A18-4DD2-BDCD-29B6F615B448} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{81361146-FAF9-11D3-B0D3-00C04F612FF1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{6B7F1602-D44C-11d0-A7D9-AE3D17000000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3BEE4890-4FE9-4A37-8C1E-5E7E12791C1F} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\UnattendBackup\ShowCompatibilityViewButton Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm6p.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm52.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{C832BE8F-4B89-4579-A217-DB92E7A27915} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\8335CB2F7E042A1DF46954B65C073A7BF43B2EC3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{AF868304-AB0B-11D0-876A-00C04FC29D46} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\Restriction Policies\Hashes\D94FDFCFFF998D72EB4D83F0B5715710D86A62F2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7l.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{812954F9-FAA2-4aee-A9E7-3C4FDE2166A6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D249A1AD-C6F6-4286-A17C-693CBA0AE492} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm5p.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{4B106874-DD36-11D0-8B44-00A024DD9EFF} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{43F8F289-7A20-11D0-8F06-00C04FC295E1} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{28AB0005-E845-4FFA-AA9B-F4665236141C} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\cnmsm7a.dll Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{A411D7F4-8D11-43EF-BDE4-AA921666388A} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\SSLREV Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{9590092D-8811-11CF-8075-444553540000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{9030D464-4C02-4ABF-8ECC-5164760863C6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extension Compatibility\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{DD8C2179-1B4A-4951-B432-5DE3D1507142} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{8DBC7A04-B478-41D5-BE05-5545D565B59C} Fagot.a.exe Key created \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\Software\Microsoft\Internet Explorer\Main Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Plugins\Extension Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DD993BDC-06E0-4131-B889-DD3B9AEBE253} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8E1F80F4-953F-41E7-8460-E64AE5BE4ED3} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{69AD90EF-1C20-11d1-8801-00C04FC29D46} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3A04E10E-0171-40AA-BC41-69014E5DA261} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{01E04581-4EEE-11d0-BFE9-00AA005B4383} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest Fagot.a.exe -
Modifies Internet Explorer start page 1 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4084745894-3294430273-2212167662-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com" Fagot.a.exe -
Modifies registry class 64 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.gif\ShellEx\ContextMenuHandlers\ShellImagePreview Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\csISOLatin5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.rc2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3050F5A3-98B5-11CF-BB82-00AA00BDCE0B}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2828a982-d849-5fc9-84ce-f9a4b3b4d341} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WinForms.Control.Host.V3\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\OneNoteDesktop\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset\csKOI8R Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Template.8\shell\Print\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Macrosheet\shell\ViewProtected Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9FDBF962-061C-44E8-ACFE-779A37343F90}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A894040-247E-4AFF-BB08-3489E9905235} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VisShe.CVisioFileFilter.1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.wmp\PersistentHandler Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m4p Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-mmsys\shell\open\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B5ADE81E-0E61-4FE1-81C6-C333E4FFE0F1}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{da4e3da0-d07d-11d0-bd50-00a0c911ce86}\Instance\{AD809C00-7B88-11D0-A5D6-28DB04C10000} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F317-98B5-11CF-BB82-00AA00BDCE0B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5852F5EC-8BF4-11D4-A245-0080C6F74284}\TypeLib Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.asf\shell\Open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DA0BABDC-1184-4108-AED3-20CB6DF92864} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBCD7263-B415-40F6-942A-4A9A8599B708} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.oga\shell\AddToPlaylistVLC\command Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.xsl Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.fif Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C71DCE2B-B87F-37A9-89ED-F1145955BCD6}\2.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Forms.TabStrip.1 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Excel.Sheet.8\shell\New Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\NetServer\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ms-word\shell\open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.cdxml Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0368-0000-0000-C000-000000000046} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.tif\ShellEx\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{773B6CF3-4435-343F-BA19-8F0B7D78CC67}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.spx\shell Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogv\shell\Open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.3g2\shellex\ContextMenuHandlers Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60DE844B-38B1-4D87-AFE1-8CF49677D3B0} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{29ECD774-75AE-11D2-B74E-0000F87572EF}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B1F5A6AB-437D-319F-8B38-0E087D112FEA}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DE340971DE772245A5E405C95D4127F Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\.rmi\OpenWithProgIds Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\explorer.exe Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{128C2DA6-2BC0-44C0-B3F6-4EC22E647964}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0000050B-0000-0010-8000-00AA006D2EA4}\InprocServer32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\VLC.tts\shell\Open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Package2\protocol Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F6F94D22-78C2-11D2-8FFE-00C04FA38314} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7FAC3690-46D1-49CD-8793-5690439DDC8B} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1D7188A6-04DC-3846-BC97-A3D406F1E611}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\ms-print-addprinter Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E93527E9-EA10-5AA7-B8AA-FEA866294704} Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F0B4F6AD-5E09-4CB1-B763-EC390CBDE51D}\MiscStatus Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{79C569A5-0A9F-3922-BC4D-908835FFED05}\15.0.0.0 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0324-0000-0000-C000-000000000046}\ProxyStubClsid32 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Windows.PackagedApplicationCommand\Shell\Open Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\DeviceDisplayObject\InterfaceClass\{4F40006F-B933-4550-B532-2B58CEE614D3}\Commands Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-powerpoint.addin.macroEnabled.12 Fagot.a.exe -
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\7E04DE896A3E666D00E687D33FFAD93BE83D349E Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\18F7C1FCC3090203FD5BAA2F861A754976C8DD25 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\06F1AA330B927B753A40E68CDF22E34BCBEF3352 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\D559A586669B08F46A30A133F8A9ED3D038E2EA8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\245C97DF7514E7CF2DF8BE72AE957B9E04741E85 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\109F1CAED645BB78B3EA2B94C0697C740733031C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\8A334AA8052DD244A647306A76B8178FA215F344 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CDD4EEAE6000AC7F40C3802C171E30148030C072 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\7F88CD7223F3C813818C994614A89C99FA3B5247 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\2C85006A1A028BCC349DF23C474724C055FDE8B6 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A43489159A520F0D93D032CCAF37E7FE20A8B419 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F43288AD272F3103B6FB1428485EA3014C0BCFE Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\D73F0C22273FA4C717A3A735F7E992F31190F010 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs\A377D1B1C0538833035211F4083D00FECC414DAB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92B46C76E13054E104F230517E6E504D43AB10B5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\51501FBFCE69189D609CFAF140C576755DCC1FDF Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3B1EFD3A66EA28B16697394703A72CA340A05BD5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\9E78FB9F9527D859700D303DFA589B3073951DCB Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\FEE449EE0E3965A5246F000E87FDE2A065FD89D4 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates\B68D8F953E551914324E557E6164D68B9926650C Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates\11194FAB14616ED8259FB94DCD17CE99DAB04CDD Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs\27748148BBE67A43CDBFEC6C3784862CE134E6EA Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates\A4B37F4F6DE956922273D5CB8E7E0AAFB7033B90 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates\6CA22E5501CC80885FF281DD8B3338E89398EE18 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\31F9FC8BA3805986B721EA7295C65B3A44534274 Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates\CE97FCF4ABACBFC662AF418EA1D4862F951D3D5D Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\BE36A4562FB2EE05DBB3D32323ADF445084ED656 Fagot.a.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe 3544 Fagot.a.exe -
Suspicious behavior: LoadsDriver 64 IoCs
pid Process 240 Process not Found 4788 Process not Found 3908 Process not Found 4472 Process not Found 4740 Process not Found 1320 Process not Found 8 Process not Found 1280 Process not Found 1476 Process not Found 1092 Process not Found 3616 Process not Found 648 Process not Found 568 Process not Found 4620 Process not Found 1732 Process not Found 4912 Process not Found 3364 Process not Found 1332 Process not Found 1644 Process not Found 3856 Process not Found 4540 Process not Found 1224 Process not Found 2040 Process not Found 3628 Process not Found 1640 Process not Found 1012 Process not Found 3900 Process not Found 1980 Process not Found 4564 Process not Found 1840 Process not Found 2924 Process not Found 1112 Process not Found 2576 Process not Found 116 Process not Found 3144 Process not Found 4808 Process not Found 2424 Process not Found 3036 Process not Found 3104 Process not Found 4852 Process not Found 4944 Process not Found 2492 Process not Found 1488 Process not Found 1976 Process not Found 3980 Process not Found 2404 Process not Found 956 Process not Found 1556 Process not Found 1616 Process not Found 4136 Process not Found 3644 Process not Found 696 Process not Found 3056 Process not Found 3804 Process not Found 2236 Process not Found 4348 Process not Found 1964 Process not Found 756 Process not Found 4192 Process not Found 4244 Process not Found 876 Process not Found 1760 Process not Found 1560 Process not Found 4676 Process not Found -
System policy modification 1 TTPs 14 IoCs
description ioc Process Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard\ExceptionFormats Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI\Clipboard Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Servicing Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection\Users Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop Fagot.a.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\UIPI Fagot.a.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Fagot.a.exe"C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master\Worm\Fagot.a.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies security service
- Boot or Logon Autostart Execution: Active Setup
- Boot or Logon Autostart Execution: Port Monitors
- Event Triggered Execution: Image File Execution Options Injection
- Manipulates Digital Signatures
- Boot or Logon Autostart Execution: Print Processors
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Indicator Removal: Clear Persistence
- Installs/modifies Browser Helper Object
- Maps connected drives based on registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3544
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
7Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Browser Extensions
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
7Active Setup
1Port Monitors
1Print Processors
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
2Create or Modify System Process
2Windows Service
2Event Triggered Execution
3Change Default File Association
1Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
2Disable or Modify System Firewall
1Safe Mode Boot
1Indicator Removal
1Clear Persistence
1Modify Registry
13Subvert Trust Controls
2Install Root Certificate
1SIP and Trust Provider Hijacking
1