892043f3b79d937ac74943bee419135aaf64370b627313c4efd0919bcdbace62

Modify Registry

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2172 sc.exe
3220 sc.exe
684 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
2172	sc.exe
3220	sc.exe
684	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 15 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4580	timeout.exe
5104	timeout.exe
3104	timeout.exe
3904	timeout.exe
1456	timeout.exe
1212	timeout.exe
4708	timeout.exe
2728	timeout.exe
1208	timeout.exe
1056	timeout.exe
4144	timeout.exe
3808	timeout.exe
4920	timeout.exe
4208	timeout.exe
3536	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3744 taskkill.exe

pid	process
3744	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "247"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TYPELIB	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\PROXYSTUBCLSID32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\SHELL\OPEN\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\OPEN\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN64	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas	setup.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exesetup.exe

pid	process
3100	powershell.exe
3100	powershell.exe
3100	powershell.exe
768	powershell.exe
768	powershell.exe
4048	setup.exe
4048	setup.exe
4048	setup.exe
4048	setup.exe
4048	setup.exe
4048	setup.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

taskkill.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeWMIC.exesetup.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeShutdownPrivilege	1848	powercfg.exe
Token: SeCreatePagefilePrivilege	1848	powercfg.exe
Token: SeShutdownPrivilege	3752	powercfg.exe
Token: SeCreatePagefilePrivilege	3752	powercfg.exe
Token: SeShutdownPrivilege	4808	powercfg.exe
Token: SeCreatePagefilePrivilege	4808	powercfg.exe
Token: SeShutdownPrivilege	2992	powercfg.exe
Token: SeCreatePagefilePrivilege	2992	powercfg.exe
Token: SeShutdownPrivilege	2000	powercfg.exe
Token: SeCreatePagefilePrivilege	2000	powercfg.exe
Token: SeShutdownPrivilege	3220	powercfg.exe
Token: SeCreatePagefilePrivilege	3220	powercfg.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4872	WMIC.exe
Token: SeSecurityPrivilege	4872	WMIC.exe
Token: SeTakeOwnershipPrivilege	4872	WMIC.exe
Token: SeLoadDriverPrivilege	4872	WMIC.exe
Token: SeSystemProfilePrivilege	4872	WMIC.exe
Token: SeSystemtimePrivilege	4872	WMIC.exe
Token: SeProfSingleProcessPrivilege	4872	WMIC.exe
Token: SeIncBasePriorityPrivilege	4872	WMIC.exe
Token: SeCreatePagefilePrivilege	4872	WMIC.exe
Token: SeBackupPrivilege	4872	WMIC.exe
Token: SeRestorePrivilege	4872	WMIC.exe
Token: SeShutdownPrivilege	4872	WMIC.exe
Token: SeDebugPrivilege	4872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4872	WMIC.exe
Token: SeRemoteShutdownPrivilege	4872	WMIC.exe
Token: SeUndockPrivilege	4872	WMIC.exe
Token: SeManageVolumePrivilege	4872	WMIC.exe
Token: 33	4872	WMIC.exe
Token: 34	4872	WMIC.exe
Token: 35	4872	WMIC.exe
Token: 36	4872	WMIC.exe
Token: SeBackupPrivilege	4048	setup.exe
Token: SeRestorePrivilege	4048	setup.exe
Token: SeShutdownPrivilege	2692	shutdown.exe
Token: SeRemoteShutdownPrivilege	2692	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

2256 LogonUI.exe

pid	process
2256	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2672 wrote to memory of 1532	2672	cmd.exe	cmd.exe
PID 2672 wrote to memory of 1532	2672	cmd.exe	cmd.exe
PID 1532 wrote to memory of 2464	1532	cmd.exe	chcp.com
PID 1532 wrote to memory of 2464	1532	cmd.exe	chcp.com
PID 2672 wrote to memory of 2180	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 2180	2672	cmd.exe	chcp.com
PID 2672 wrote to memory of 2784	2672	cmd.exe	cmd.exe
PID 2672 wrote to memory of 2784	2672	cmd.exe	cmd.exe
PID 2784 wrote to memory of 3744	2784	cmd.exe	taskkill.exe
PID 2784 wrote to memory of 3744	2784	cmd.exe	taskkill.exe
PID 2784 wrote to memory of 3100	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 3100	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 4144	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 4144	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 1848	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 1848	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 3752	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 3752	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 4808	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 4808	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 2992	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 2992	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 2000	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 2000	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 3220	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 3220	2784	cmd.exe	powercfg.exe
PID 2784 wrote to memory of 3104	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 3104	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 3808	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 3808	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 3904	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 3904	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 768	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 768	2784	cmd.exe	powershell.exe
PID 2784 wrote to memory of 4920	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 4920	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 1456	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 1456	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 4208	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 4208	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 2728	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 2728	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 4084	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 4084	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 4964	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 4964	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 3820	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 3820	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 3984	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 3984	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 2408	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 2408	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 3972	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 3972	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 4620	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 4620	2784	cmd.exe	bcdedit.exe
PID 2784 wrote to memory of 4708	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 4708	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 1208	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 1208	2784	cmd.exe	timeout.exe
PID 2784 wrote to memory of 3616	2784	cmd.exe	cmd.exe
PID 2784 wrote to memory of 3616	2784	cmd.exe	cmd.exe
PID 3616 wrote to memory of 4872	3616	cmd.exe	WMIC.exe
PID 3616 wrote to memory of 4872	3616	cmd.exe	WMIC.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\system32\chcp.com
chcp
3⤵
PID:2464

C:\Windows\system32\chcp.com
chcp 708
2⤵
PID:2180

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4144

C:\Windows\system32\powercfg.exe
powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6 IDLE ON.pow" 01001011-0100-1111-0101-001188888884
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1848

C:\Windows\system32\powercfg.exe
powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6.pow" 01001011-0100-1111-0101-001188888883
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\system32\powercfg.exe
powercfg /s 01001011-0100-1111-0101-001188888884
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\powercfg.exe
powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2992

C:\Windows\system32\powercfg.exe
powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\system32\powercfg.exe
powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3104

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3808

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-AppxPackage -AllUsers *WindowsStore* | Remove-AppxPackage"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4920

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1456

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4208

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2728

C:\Windows\system32\bcdedit.exe
bcdedit /timeout 10
3⤵
- Modifies boot configuration data using bcdedit
PID:4084

C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick Yes
3⤵
- Modifies boot configuration data using bcdedit
PID:4964

C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick Yes
3⤵
- Modifies boot configuration data using bcdedit
PID:3820

C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy Legacy
3⤵
- Modifies boot configuration data using bcdedit
PID:3984

C:\Windows\system32\bcdedit.exe
bcdedit /set quietboot On
3⤵
- Modifies boot configuration data using bcdedit
PID:2408

C:\Windows\system32\bcdedit.exe
bcdedit /set x2apicpolicy Disable
3⤵
- Modifies boot configuration data using bcdedit
PID:3972

C:\Windows\system32\bcdedit.exe
bcdedit /set nx OptIn
3⤵
- Modifies boot configuration data using bcdedit
PID:4620

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4708

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
3⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_networkadapter get GUID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\findstr.exe
findstr "{"
4⤵
PID:1016

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3A2F6F4A-4DC4-41EF-A7A2-479C06CEC140}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
3⤵
PID:3496

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3A2F6F4A-4DC4-41EF-A7A2-479C06CEC140}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
3⤵
PID:3224

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{3A2F6F4A-4DC4-41EF-A7A2-479C06CEC140}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
3⤵
PID:3540

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1212

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
3⤵
PID:3680

C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
3⤵
PID:1684

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" /V "DisableSecuritySettingsCheck" /T "REG_DWORD" /D "00000001" /F
3⤵
PID:4604

C:\Windows\system32\sc.exe
sc delete nvagent
3⤵
- Launches sc.exe
PID:2172

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
3⤵
PID:3768

C:\Windows\system32\where.exe
where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
4⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --uninstall --system-level --verbose-logging --force-uninstall
3⤵
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff70fbf5460,0x7ff70fbf5470,0x7ff70fbf5480
4⤵
PID:4060

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4048" "1700" "1668" "1696" "0" "0" "0" "0" "0" "0" "0" "0"
4⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4092

C:\Windows\system32\sc.exe
sc delete edgeupdate
3⤵
- Launches sc.exe
PID:3220

C:\Windows\system32\sc.exe
sc delete edgeupdatem
3⤵
- Launches sc.exe
PID:684

C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4580

C:\Windows\system32\shutdown.exe
shutdown -r -f -t 7 -c "Please wait until your PC restarts..."
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:5104

C:\Windows\system32\timeout.exe
timeout /t 4 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1056

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3968855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

Modify Existing Service

T1031

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

4

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop