{"id":14434,"date":"2025-06-24T12:45:44","date_gmt":"2025-06-24T12:45:44","guid":{"rendered":"\/cybersecurity-blog\/?p=14434"},"modified":"2025-06-27T05:35:16","modified_gmt":"2025-06-27T05:35:16","slug":"how-to-spot-malware-registry-abuse","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/","title":{"rendered":"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0"},"content":{"rendered":"\n<p>When malware infiltrates a system, it doesn\u2019t always make noise. In fact, some of the most dangerous threats operate quietly, embedding themselves deep within the system and ensuring they come back even after a reboot. One of the most common ways they achieve this is by abusing the Windows Registry.&nbsp;<\/p>\n\n\n\n<p>In this article, we\u2019ll walk through how registry abuse works, the signs to watch out for, and how security analysts can catch it using interactive sandboxes, such as&nbsp;<a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=registry_abuse&amp;utm_term=240625&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What Is Registry Abuse in Malware?&nbsp;<\/h2>\n\n\n\n<p>The Windows Registry is an important part of the operating system. It stores configuration settings that determine how Windows behaves, how software runs, and even how users interact with the system. From startup routines to driver settings and user preferences, the registry touches almost every part of the <a href=\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">OS<\/a>.&nbsp;<\/p>\n\n\n\n<p>Because it is so central, the registry is also a target for malware authors. 
By modifying registry keys and values, malware can silently manipulate system behavior to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stay persistent<\/strong>: by adding itself to autorun keys, it ensures execution every time the system boots.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Hide from users<\/strong>: disabling Task Manager, hiding file extensions, or suppressing warnings to avoid detection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Weaken security<\/strong>: turning off Windows Defender or blocking updates to bypass protection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control user behavior<\/strong>: redirecting browser traffic, setting fake proxies, or hijacking default apps.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">The Fastest Way to Spot Registry Abuse inside ANY.RUN Sandbox&nbsp;<\/h2>\n\n\n\n<p>Traditional security tools often miss subtle but critical signs of registry abuse, especially when malware hides behind scripts or legitimate-looking processes. 
&nbsp;<\/p>\n\n\n\n<p>By running suspicious files or links inside <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=registry_abuse&amp;utm_term=240625&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s interactive sandbox<\/a>, analysts can observe real-time registry changes as they happen, without waiting for static scans to catch up.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Why It\u2019s So Effective:&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Instant visibility<\/strong>&nbsp;into registry modifications, autorun key changes, and process behaviors&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Behavior-based detection<\/strong>, not just signatures; perfect for catching new or obfuscated threats&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Clear labeling and process tree<\/strong>&nbsp;that highlight when a script or binary tampers with the registry&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Integrated threat intelligence<\/strong>&nbsp;tags (e.g., <a href=\"https:\/\/any.run\/malware-trends\/formbook\/\" target=\"_blank\" rel=\"noreferrer noopener\">FormBook<\/a>) to identify malware families quickly&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Interactive control<\/strong>, so you can simulate real user actions that trigger registry abuse (like opening a file or clicking a button)&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Real-World Examples of Registry Abuse in Malware&nbsp;<\/h2>\n\n\n\n<p>Now, let\u2019s look at how malware abuses the registry in practice and how ANY.RUN makes it easy to detect.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. 
Persistence via Autorun Key Modification&nbsp;<\/h3>\n\n\n\n<p>This sample shows how the malware (BootstrapperNew.exe) abuses the registry to ensure it launches automatically every time the system boots; a classic persistence mechanism.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/f7abb78a-2e62-4f00-b693-6a57349d7412\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=registry_abuse&amp;utm_term=240625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440-1024x566.png\" alt=\"\" class=\"wp-image-14438\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440-1024x566.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440-270x149.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440-740x409.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image-\u2014-\u043a\u0440\u0443\u043f\u043d\u044b\u0439-\u0440\u0430\u0437\u043c\u0435\u0440.png 1280w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>As shown in the analysis, the malware modifies the following registry key:&nbsp;<\/p>\n\n\n\n<p><em>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/em>&nbsp;<\/p>\n\n\n\n<p>It adds a new value:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: BootstrapperNew&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Value: C:\\Users\\admin\\AppData\\Roaming\\Windows\\BootstrapperNew.exe&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Operation: Write&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Type: REG_NONE&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>You can view all these details by selecting the \u201cBootstrapperNew.exe\u201d process in the right part of the screen.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-1024x567.png\" alt=\"\" class=\"wp-image-14439\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-1536x851.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-2048x1135.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image2-6-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>BootstrapperNew.exe process with its details demonstrated inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Click on the tactic to get all the details:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"614\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6-1024x614.png\" alt=\"\" class=\"wp-image-14440\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6-1024x614.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6-300x180.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6-768x461.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6-370x222.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6-270x162.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6-740x444.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image3-6.png 1050w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Modification of the mentioned registry key<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This modification triggers Windows to execute the malicious file at every user login, giving the attacker a reliable foothold on the system.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN also flags this behavior with the <a href=\"https:\/\/any.run\/cybersecurity-blog\/mitre-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">MITRE ATT&amp;CK<\/a> sub-technique T1547.001 (Registry Run Keys \/ Startup Folder), clearly highlighting the persistence mechanism used. 
The visual <a href=\"https:\/\/any.run\/cybersecurity-blog\/advanced-process-details\/\" target=\"_blank\" rel=\"noreferrer noopener\">process tree<\/a> further confirms the execution flow, registry operation, and background network activity.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"713\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8-1024x713.png\" alt=\"\" class=\"wp-image-14441\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8-1024x713.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8-300x209.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8-768x535.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8-370x258.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8-270x188.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8-740x516.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image4-8.png 1424w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE ATT&amp;CK technique discovered inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>With static detection tools, this behavior might go unnoticed. But in ANY.RUN\u2019s sandbox, the threat is immediately identified, tagged, and visually traceable in real time, from registry edit to scheduled task creation.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
FormBook Stealer Using Registry for Stealth&nbsp;<\/h3>\n\n\n\n<p>In this example, the malware identified as&nbsp;<strong>FormBook<\/strong>&nbsp;manipulates the Windows Registry to aid in&nbsp;<strong>stealth and persistence<\/strong>.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/2469f1df-326d-4945-ac6a-40876a65341f\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=registry_abuse&amp;utm_term=240625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<p>Right after execution, FormBook writes a new registry entry under:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Key: HKEY_CURRENT_USER\\SOFTWARE\\Softina&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: MMM-Vkusnaa&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Value: 19.06.2025&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"602\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6-1024x602.png\" alt=\"\" class=\"wp-image-14442\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6-1024x602.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6-768x452.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6-740x435.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image5-6.png 1054w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Formbook detected with modified registry 
key<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Custom registry values like this aren\u2019t random.&nbsp;They&#8217;re typically placed in obscure subkeys (SOFTWARE\\Softina&nbsp;in this case) to avoid detection and logging by standard monitoring tools, but in ANY.RUN\u2019s sandbox the write is instantly visible and tied to MITRE technique&nbsp;<strong>T1112: Modify Registry<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"385\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-1024x385.png\" alt=\"\" class=\"wp-image-14443\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-1024x385.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-300x113.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-768x289.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-1536x577.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-2048x770.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-370x139.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-270x101.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image6-7-740x278.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE technique&nbsp;T1112: Modify Registry inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">3. System Profiling Through Registry Access&nbsp;<\/h3>\n\n\n\n<p>Some malware doesn\u2019t act immediately. Instead, it quietly profiles the environment to decide&nbsp;<strong>how (or whether)<\/strong>&nbsp;to execute. 
That\u2019s exactly what we see in this sample, where the malware queries the registry to gather detailed system information.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/e91514b7-c9c8-4848-b35d-aded2a819ec1\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=registry_abuse&amp;utm_term=240625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<p>One of the first actions taken is a read operation targeting:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Key: HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Name: ProcessorNameString&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"660\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7-1024x660.png\" alt=\"\" class=\"wp-image-14444\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7-1024x660.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7-300x193.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7-768x495.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7-370x239.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7-270x174.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7-740x477.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image7-7.png 1058w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Malware reading CPU info exposed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This query fetches&nbsp;<strong>CPU information<\/strong>, such as model name and vendor. 
While this might seem benign, it plays a crucial role in&nbsp;<strong>anti-analysis<\/strong>&nbsp;and&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/five-common-malware-evasion-techniques\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>evasion tactics<\/strong><\/a>.&nbsp;<\/p>\n\n\n\n<p>Why malware reads CPU info:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Environment validation<\/strong>: Malware may use CPU data to check if it\u2019s running on a real machine or a virtual one (e.g., commonly used by sandboxes or researchers).&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tailored payloads<\/strong>: Some threats adapt their behavior based on system specs, avoiding execution if they detect low-end CPUs or virtual environments.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fingerprinting the target<\/strong>: CPU info is often collected alongside other system data to create a unique victim profile.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>But this is just the beginning. 
According to the MITRE ATT&amp;CK technique&nbsp;<strong>T1012: Query Registry<\/strong>, this sample retrieves a wide range of values:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"570\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9-1024x570.png\" alt=\"\" class=\"wp-image-14445\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9-1024x570.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9-300x167.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9-768x428.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9-370x206.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9-740x412.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image8-9.png 1426w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>MITRE ATT&amp;CK technique&nbsp;T1012: Query Registry with a wide range of values<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Proxy configuration: Determines whether the system uses a proxy and may hijack it&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Machine GUID: A unique identifier, useful for tracking infected hosts&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Installed software (50 reads): Likely for reconnaissance or to check for security tools&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Internet Explorer security settings: May suggest preparation for exploit delivery via browser&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>System language &amp; locale: Used to avoid infecting machines in 
certain countries&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Computer name &amp; Windows product ID: Adds more detail to the fingerprint&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Software policy settings: Used to detect restrictions or protections enabled by admins&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>This shows how malware can treat the registry as a rich source of system intelligence. Each value queried helps build a clearer picture of the host environment, guiding the next malicious action.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Suspicious Registry Modification via REG.EXE&nbsp;<\/h3>\n\n\n\n<p>This sample involves a process (_virlock.exe) that uses&nbsp;reg.exe, a legitimate Windows utility, to modify the registry. 
This kind of activity isn\u2019t inherently malicious, but in the context of malware execution, it often signals&nbsp;stealthy post-infection behavior.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/9d5111af-571c-418a-804f-fd710230ceb8\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=registry_abuse&amp;utm_term=240625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<p>Shortly after execution, the malware launches a command: reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced \/v HideFileExt \/t REG_DWORD \/d 1&nbsp;<\/p>\n\n\n\n<p>This command modifies the registry to&nbsp;hide file extensions for known file types, a well-documented trick used by malware to&nbsp;disguise malicious executables&nbsp;(e.g.,&nbsp;invoice.pdf.exe&nbsp;appears as&nbsp;invoice.pdf).&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"541\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7-1024x541.png\" alt=\"\" class=\"wp-image-14446\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7-1024x541.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7-300x159.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7-768x406.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7-370x196.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7-270x143.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7-740x391.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/image9-7.png 1056w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Registry modification details demonstrated 
inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Why it\u2019s suspicious:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>This change is frequently used in&nbsp;<a href=\"https:\/\/any.run\/cybersecurity-blog\/what-is-a-social-engineering-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>social engineering attacks<\/strong><\/a>, where victims are tricked into running malware that looks like a harmless document.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The behavior is executed via&nbsp;reg.exe, which is a&nbsp;living-off-the-land binary (LOLBIN); a legitimate tool abused by attackers to avoid detection.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ANY.RUN flags this activity under&nbsp;<strong>T1112: Modify Registry<\/strong>, and classifies it as a&nbsp;<strong>Warning \/ Unusual Activity<\/strong>.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"529\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3-1024x529.png\" alt=\"\" class=\"wp-image-14447\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3-1024x529.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3-300x155.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3-768x396.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3-370x191.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3-270x139.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3-740x382.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagea-3.png 1422w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>T1112: Modify Registry inside MITRE 
ATT&amp;CK section<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This case is a good reminder that not all registry abuse is about persistence. Some changes are purely meant to&nbsp;deceive the user, reduce visibility, or mask malicious actions.&nbsp;<\/p>\n\n\n\n<p>With ANY.RUN\u2019s behavioral analysis, this tactic becomes immediately visible, showing&nbsp;which registry key was changed, how, when, and by what process, including full command-line context.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Script-Based Registry Modification&nbsp;<\/h3>\n\n\n\n<p>In this sample, we see a Windows Script Host process (wscript.exe) modifying the registry, not through a typical executable, but via script-based interaction. This kind of behavior is&nbsp;harder to detect, especially if you&#8217;re relying on traditional static analysis.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/cacf817f-0bf9-4cfe-8358-25b26112282d\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=registry_abuse&amp;utm_term=240625&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n\n<p>Thanks to&nbsp;ANY.RUN\u2019s <a href=\"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\" target=\"_blank\" rel=\"noreferrer noopener\">Script Tracer<\/a>, we can observe the exact call and parameters used:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Key: HKCU\\Software\\OJXVOPIitLTnYNg\\donn\\segment2&nbsp; &nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Value: (Hex-encoded string payload)&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Process: wscript.exe&nbsp; &nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Operation: RegWrite via WshShell3&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"313\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-1024x313.png\" alt=\"\" class=\"wp-image-14448\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-1024x313.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-300x92.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-768x235.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-1536x470.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-2048x626.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-370x113.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-270x83.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imageb-2-740x226.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN\u2019s Script Tracer observing calls and parameters<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This script creates a new key and writes what appears to be&nbsp;an obfuscated or encoded payload&nbsp;into the registry; a technique commonly used to:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Store secondary payloads or shellcode&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Evade file-based detection mechanisms&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delay execution&nbsp;until a later stage (fileless persistence)&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The registry key name (OJXVOPIitLTnYNg) is randomly generated and meaningless, a common trait of&nbsp;<strong>obfuscated malware activity<\/strong>.&nbsp;<\/p>\n\n\n\n<p>We can see how the script writes a long block of hexadecimal content, which may later be decoded and executed, without ever dropping a traditional file on disk.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure 
class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"365\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-1024x365.png\" alt=\"\" class=\"wp-image-14449\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-1024x365.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-300x107.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-768x273.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-1536x547.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-2048x729.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-370x132.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-270x96.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imagec-5-740x263.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Long block of hexadecimal content displayed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>These modifications fall under MITRE ATT&amp;CK technique&nbsp;<strong>T1112: Modify Registry<\/strong>, and ANY.RUN labels this behavior as&nbsp;<strong>Dangerous (13 instances)<\/strong>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2-1024x547.png\" alt=\"\" class=\"wp-image-14450\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2-1024x547.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2-300x160.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2-768x410.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2-370x198.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2-270x144.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2-740x395.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/06\/imaged-2.png 1422w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The technique \u201cModify Registry\u201d with all its details inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Without behavioral analysis, this kind of registry manipulation would be nearly invisible,&nbsp;but with&nbsp;Script Tracer, security analysts can follow every step the script takes, down to the exact method calls and values.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Spotting Registry Abuse is Easy with ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Registry modifications are a common and powerful tactic used by malware to stay hidden, persist through reboots, and weaken your defenses. 
But with the right tools, these threats become much easier to spot, investigate, and respond to.&nbsp;<\/p>\n\n\n\n<p>ANY.RUN\u2019s interactive sandbox doesn\u2019t just show you what malware is doing; it&nbsp;<strong>visually breaks down every behavior<\/strong>, from registry edits to process injection and data exfiltration, in real time.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster threat detection<\/strong>&nbsp;<br>Catch malicious registry changes and system tampering before damage is done; no need to wait for traditional tools to catch up.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improved incident response<\/strong>&nbsp;<br>With clear visual evidence and behavior chains, your team can respond to threats with greater accuracy and speed.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced investigation time<\/strong>&nbsp;<br>Analysts can immediately see what\u2019s been changed, what triggered the behavior, and which malware family is involved.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stronger defenses across the board<\/strong>&nbsp;<br>By identifying how threats abuse the registry, you can harden your endpoints, update rules, and block similar attacks in the future.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Better collaboration and reporting<\/strong>&nbsp;<br>Export detailed analysis reports, share IOCs with teams, and make smarter security decisions faster.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>See how ANY.RUN\u2019s interactive sandbox reveals the behavior behind modern threats in real time and with full context.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\" target=\"_blank\" rel=\"noreferrer noopener\">Access all capabilities of ANY.RUN\u2019s Interactive Sandbox with a 14-day trial<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When malware infiltrates a system, it doesn\u2019t always make noise. 
In fact, some of the most dangerous threats operate quietly, embedding themselves deep within the system and ensuring they come back even after a reboot. One of the most common ways they achieve this is by abusing the Windows Registry.&nbsp; In this article, we\u2019ll walk [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":14452,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34,40],"class_list":["post-14434","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0 - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Get actionable tips and see examples on how to spot malicious registry activities of malware.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0\",\"datePublished\":\"2025-06-24T12:45:44+00:00\",\"dateModified\":\"2025-06-27T05:35:16+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/\"},\"wordCount\":1992,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Cybersecurity Lifehacks\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/\",\"name\":\"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0 - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-06-24T12:45:44+00:00\",\"dateModified\":\"2025-06-27T05:35:16+00:00\",\"description\":\"Get actionable tips and see examples on how to spot malicious registry activities of 
malware.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Lifehacks\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","description":"Get actionable tips and see examples on how to spot malicious registry activities of malware.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0","datePublished":"2025-06-24T12:45:44+00:00","dateModified":"2025-06-27T05:35:16+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/"},"wordCount":1992,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis","malware behavior"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/","url":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/","name":"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0 - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-06-24T12:45:44+00:00","dateModified":"2025-06-27T05:35:16+00:00","description":"Get actionable tips and see examples on how to spot malicious registry activities of 
malware.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/how-to-spot-malware-registry-abuse\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"How to Spot Registry Abuse by Malware: Examples in ANY.RUN Sandbox\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14434"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=14434"}],"version-history":[{"count":8,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14434\/revisions"}],"predecessor-version":[{"id":14494,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/14434\/revisions\/14494"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/144
52"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=14434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=14434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=14434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}