892043f3b79d937ac74943bee419135aaf64370b627313c4efd0919bcdbace62

Modify Registry

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

3604 sc.exe
2380 sc.exe
4908 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3604	sc.exe
2380	sc.exe
4908	sc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Delays execution with timeout.exe 15 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
3476	timeout.exe
3724	timeout.exe
3092	timeout.exe
1556	timeout.exe
3092	timeout.exe
4232	timeout.exe
4844	timeout.exe
2376	timeout.exe
3776	timeout.exe
1256	timeout.exe
4916	timeout.exe
2532	timeout.exe
3056	timeout.exe
3968	timeout.exe
3308	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3576 taskkill.exe

pid	process
3576	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "241"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe

Modifies registry class 64 IoCs

Processes:

setup.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TYPELIB	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN64	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\SHELL\OPEN\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\OPEN\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\PROXYSTUBCLSID32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEMHT\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID	setup.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exesetup.exe

pid	process
2900	powershell.exe
2900	powershell.exe
2900	powershell.exe
1752	powershell.exe
1752	powershell.exe
3928	setup.exe
3928	setup.exe
3928	setup.exe
3928	setup.exe
3928	setup.exe
3928	setup.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

taskkill.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exeWMIC.exesetup.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeShutdownPrivilege	4008	powercfg.exe
Token: SeCreatePagefilePrivilege	4008	powercfg.exe
Token: SeShutdownPrivilege	3412	powercfg.exe
Token: SeCreatePagefilePrivilege	3412	powercfg.exe
Token: SeShutdownPrivilege	1872	powercfg.exe
Token: SeCreatePagefilePrivilege	1872	powercfg.exe
Token: SeShutdownPrivilege	3308	powercfg.exe
Token: SeCreatePagefilePrivilege	3308	powercfg.exe
Token: SeShutdownPrivilege	1092	powercfg.exe
Token: SeCreatePagefilePrivilege	1092	powercfg.exe
Token: SeShutdownPrivilege	756	powercfg.exe
Token: SeCreatePagefilePrivilege	756	powercfg.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	WMIC.exe
Token: SeSecurityPrivilege	3200	WMIC.exe
Token: SeTakeOwnershipPrivilege	3200	WMIC.exe
Token: SeLoadDriverPrivilege	3200	WMIC.exe
Token: SeSystemProfilePrivilege	3200	WMIC.exe
Token: SeSystemtimePrivilege	3200	WMIC.exe
Token: SeProfSingleProcessPrivilege	3200	WMIC.exe
Token: SeIncBasePriorityPrivilege	3200	WMIC.exe
Token: SeCreatePagefilePrivilege	3200	WMIC.exe
Token: SeBackupPrivilege	3200	WMIC.exe
Token: SeRestorePrivilege	3200	WMIC.exe
Token: SeShutdownPrivilege	3200	WMIC.exe
Token: SeDebugPrivilege	3200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3200	WMIC.exe
Token: SeRemoteShutdownPrivilege	3200	WMIC.exe
Token: SeUndockPrivilege	3200	WMIC.exe
Token: SeManageVolumePrivilege	3200	WMIC.exe
Token: 33	3200	WMIC.exe
Token: 34	3200	WMIC.exe
Token: 35	3200	WMIC.exe
Token: 36	3200	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3200	WMIC.exe
Token: SeSecurityPrivilege	3200	WMIC.exe
Token: SeTakeOwnershipPrivilege	3200	WMIC.exe
Token: SeLoadDriverPrivilege	3200	WMIC.exe
Token: SeSystemProfilePrivilege	3200	WMIC.exe
Token: SeSystemtimePrivilege	3200	WMIC.exe
Token: SeProfSingleProcessPrivilege	3200	WMIC.exe
Token: SeIncBasePriorityPrivilege	3200	WMIC.exe
Token: SeCreatePagefilePrivilege	3200	WMIC.exe
Token: SeBackupPrivilege	3200	WMIC.exe
Token: SeRestorePrivilege	3200	WMIC.exe
Token: SeShutdownPrivilege	3200	WMIC.exe
Token: SeDebugPrivilege	3200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3200	WMIC.exe
Token: SeRemoteShutdownPrivilege	3200	WMIC.exe
Token: SeUndockPrivilege	3200	WMIC.exe
Token: SeManageVolumePrivilege	3200	WMIC.exe
Token: 33	3200	WMIC.exe
Token: 34	3200	WMIC.exe
Token: 35	3200	WMIC.exe
Token: 36	3200	WMIC.exe
Token: SeBackupPrivilege	3928	setup.exe
Token: SeRestorePrivilege	3928	setup.exe
Token: SeShutdownPrivilege	4348	shutdown.exe
Token: SeRemoteShutdownPrivilege	4348	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

4008 LogonUI.exe

pid	process
4008	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4152 wrote to memory of 2692	4152	cmd.exe	cmd.exe
PID 4152 wrote to memory of 2692	4152	cmd.exe	cmd.exe
PID 2692 wrote to memory of 4552	2692	cmd.exe	chcp.com
PID 2692 wrote to memory of 4552	2692	cmd.exe	chcp.com
PID 4152 wrote to memory of 1268	4152	cmd.exe	chcp.com
PID 4152 wrote to memory of 1268	4152	cmd.exe	chcp.com
PID 4152 wrote to memory of 1516	4152	cmd.exe	cmd.exe
PID 4152 wrote to memory of 1516	4152	cmd.exe	cmd.exe
PID 1516 wrote to memory of 3576	1516	cmd.exe	taskkill.exe
PID 1516 wrote to memory of 3576	1516	cmd.exe	taskkill.exe
PID 1516 wrote to memory of 2900	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 2900	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 3724	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3724	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 4008	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 4008	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 3412	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 3412	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 1872	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 1872	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 3308	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 3308	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 1092	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 1092	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 756	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 756	1516	cmd.exe	powercfg.exe
PID 1516 wrote to memory of 4844	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 4844	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3056	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3056	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3092	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3092	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 1752	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 1752	1516	cmd.exe	powershell.exe
PID 1516 wrote to memory of 3476	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3476	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 2376	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 2376	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 1556	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 1556	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3092	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3092	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3540	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3540	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 4748	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 4748	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 4532	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 4532	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3232	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3232	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3904	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3904	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 4584	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 4584	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3420	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3420	1516	cmd.exe	bcdedit.exe
PID 1516 wrote to memory of 3776	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3776	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3968	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 3968	1516	cmd.exe	timeout.exe
PID 1516 wrote to memory of 4012	1516	cmd.exe	cmd.exe
PID 1516 wrote to memory of 4012	1516	cmd.exe	cmd.exe
PID 4012 wrote to memory of 3200	4012	cmd.exe	WMIC.exe
PID 4012 wrote to memory of 3200	4012	cmd.exe	WMIC.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp
2⤵
- Suspicious use of WriteProcessMemory
PID:2692

C:\Windows\system32\chcp.com
chcp
3⤵
PID:4552

C:\Windows\system32\chcp.com
chcp 708
2⤵
PID:1268

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS21H2 (2).bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\system32\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3724

C:\Windows\system32\powercfg.exe
powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6 IDLE ON.pow" 01001011-0100-1111-0101-001188888884
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\system32\powercfg.exe
powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6.pow" 01001011-0100-1111-0101-001188888883
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3412

C:\Windows\system32\powercfg.exe
powercfg /s 01001011-0100-1111-0101-001188888884
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1872

C:\Windows\system32\powercfg.exe
powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\system32\powercfg.exe
powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\powercfg.exe
powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4844

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3056

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe "Get-AppxPackage -AllUsers *WindowsStore* | Remove-AppxPackage"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3476

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2376

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1556

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3092

C:\Windows\system32\bcdedit.exe
bcdedit /timeout 10
3⤵
- Modifies boot configuration data using bcdedit
PID:3540

C:\Windows\system32\bcdedit.exe
bcdedit /set useplatformtick Yes
3⤵
- Modifies boot configuration data using bcdedit
PID:4748

C:\Windows\system32\bcdedit.exe
bcdedit /set disabledynamictick Yes
3⤵
- Modifies boot configuration data using bcdedit
PID:4532

C:\Windows\system32\bcdedit.exe
bcdedit /set bootmenupolicy Legacy
3⤵
- Modifies boot configuration data using bcdedit
PID:3232

C:\Windows\system32\bcdedit.exe
bcdedit /set quietboot On
3⤵
- Modifies boot configuration data using bcdedit
PID:3904

C:\Windows\system32\bcdedit.exe
bcdedit /set x2apicpolicy Disable
3⤵
- Modifies boot configuration data using bcdedit
PID:4584

C:\Windows\system32\bcdedit.exe
bcdedit /set nx OptIn
3⤵
- Modifies boot configuration data using bcdedit
PID:3420

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3776

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
3⤵
- Suspicious use of WriteProcessMemory
PID:4012

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_networkadapter get GUID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\findstr.exe
findstr "{"
4⤵
PID:4576

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{193A5E5D-199E-4B17-9305-E22E12F0F3A9}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
3⤵
PID:4220

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{193A5E5D-199E-4B17-9305-E22E12F0F3A9}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
3⤵
PID:1752

C:\Windows\system32\reg.exe
reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{193A5E5D-199E-4B17-9305-E22E12F0F3A9}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
3⤵
PID:1972

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1256

C:\Windows\system32\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
3⤵
PID:1880

C:\Windows\system32\reg.exe
REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
3⤵
PID:4936

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" /V "DisableSecuritySettingsCheck" /T "REG_DWORD" /D "00000001" /F
3⤵
PID:1184

C:\Windows\system32\sc.exe
sc delete nvagent
3⤵
- Launches sc.exe
PID:3604

C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
3⤵
PID:3600

C:\Windows\system32\where.exe
where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
4⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --uninstall --system-level --verbose-logging --force-uninstall
3⤵
- Modifies Installed Components in the registry
- Registers COM server for autorun
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7eb0f5460,0x7ff7eb0f5470,0x7ff7eb0f5480
4⤵
PID:2780

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3928" "1692" "1536" "1696" "0" "0" "0" "0" "0" "0" "0" "0"
4⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:576

C:\Windows\system32\sc.exe
sc delete edgeupdate
3⤵
- Launches sc.exe
PID:2380

C:\Windows\system32\sc.exe
sc delete edgeupdatem
3⤵
- Launches sc.exe
PID:4908

C:\Windows\system32\timeout.exe
timeout /t 10 /nobreak
3⤵
- Delays execution with timeout.exe
PID:4916

C:\Windows\system32\shutdown.exe
shutdown -r -f -t 7 -c "Please wait until your PC restarts..."
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\system32\timeout.exe
timeout /t 3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2532

C:\Windows\system32\timeout.exe
timeout /t 4 /nobreak
3⤵
- Delays execution with timeout.exe
PID:3308

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3960055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3

Modify Existing Service

T1031

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

4

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop