b6fab3f62e29a08e0ca648b84a99e8144e80e320c626175e995d9b1ac78d7b1f

Modify Registry

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 2 IoCs

pid	Process
4560	setup.exe
2692	setup.exe

Loads dropped DLL 4 IoCs

pid	Process
2324	Remove-Edge.exe
2324	Remove-Edge.exe
2324	Remove-Edge.exe
2324	Remove-Edge.exe

Registers COM server for autorun 1 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	setup.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\PROXYSTUBCLSID32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TYPELIB	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN64	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\OPEN\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\DEFAULTICON	setup.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4560	setup.exe
4560	setup.exe
4560	setup.exe
4560	setup.exe
4560	setup.exe
4560	setup.exe
4408	powershell.exe
4408	powershell.exe
1880	powershell.exe
1880	powershell.exe
5112	powershell.exe
5112	powershell.exe
936	powershell.exe
936	powershell.exe
1520	powershell.exe
1520	powershell.exe
3276	powershell.exe
3276	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	3000	svchost.exe
Token: SeBackupPrivilege	4560	setup.exe
Token: SeRestorePrivilege	4560	setup.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	3276	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4560	setup.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2324	1792	Remove-Edge.exe	86
PID 1792 wrote to memory of 2324	1792	Remove-Edge.exe	86
PID 1792 wrote to memory of 2324	1792	Remove-Edge.exe	86
PID 2324 wrote to memory of 4560	2324	Remove-Edge.exe	87
PID 2324 wrote to memory of 4560	2324	Remove-Edge.exe	87
PID 4560 wrote to memory of 2692	4560	setup.exe	88
PID 4560 wrote to memory of 2692	4560	setup.exe	88
PID 2324 wrote to memory of 4408	2324	Remove-Edge.exe	94
PID 2324 wrote to memory of 4408	2324	Remove-Edge.exe	94
PID 2324 wrote to memory of 4408	2324	Remove-Edge.exe	94
PID 4560 wrote to memory of 4404	4560	setup.exe	95
PID 4560 wrote to memory of 4404	4560	setup.exe	95
PID 2324 wrote to memory of 1880	2324	Remove-Edge.exe	97
PID 2324 wrote to memory of 1880	2324	Remove-Edge.exe	97
PID 2324 wrote to memory of 1880	2324	Remove-Edge.exe	97
PID 2324 wrote to memory of 5112	2324	Remove-Edge.exe	98
PID 2324 wrote to memory of 5112	2324	Remove-Edge.exe	98
PID 2324 wrote to memory of 5112	2324	Remove-Edge.exe	98
PID 2324 wrote to memory of 936	2324	Remove-Edge.exe	99
PID 2324 wrote to memory of 936	2324	Remove-Edge.exe	99
PID 2324 wrote to memory of 936	2324	Remove-Edge.exe	99
PID 2324 wrote to memory of 1520	2324	Remove-Edge.exe	100
PID 2324 wrote to memory of 1520	2324	Remove-Edge.exe	100
PID 2324 wrote to memory of 1520	2324	Remove-Edge.exe	100
PID 2324 wrote to memory of 3276	2324	Remove-Edge.exe	101
PID 2324 wrote to memory of 3276	2324	Remove-Edge.exe	101
PID 2324 wrote to memory of 3276	2324	Remove-Edge.exe	101
PID 2324 wrote to memory of 2724	2324	Remove-Edge.exe	104
PID 2324 wrote to memory of 2724	2324	Remove-Edge.exe	104
PID 2324 wrote to memory of 2724	2324	Remove-Edge.exe	104
PID 2324 wrote to memory of 3700	2324	Remove-Edge.exe	106
PID 2324 wrote to memory of 3700	2324	Remove-Edge.exe	106
PID 2324 wrote to memory of 3700	2324	Remove-Edge.exe	106
PID 2324 wrote to memory of 3676	2324	Remove-Edge.exe	105
PID 2324 wrote to memory of 3676	2324	Remove-Edge.exe	105
PID 2324 wrote to memory of 3676	2324	Remove-Edge.exe	105

C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe
  "C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\_MEI17922\setup.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI17922\setup.exe --uninstall --system-level --force-uninstall
    3⤵
    - Modifies Installed Components in the registry
    - Checks computer location settings
    - Executes dropped EXE
    - Registers COM server for autorun
    - Drops desktop.ini file(s)
    - Installs/modifies Browser Helper Object
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Users\Admin\AppData\Local\Temp\_MEI17922\setup.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI17922\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI17922\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x21c,0x220,0x224,0x1f4,0x228,0x7ff6020deb10,0x7ff6020deb20,0x7ff6020deb30
      4⤵
      Executes dropped EXE
      PID:2692
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4560" "2120" "1960" "2124" "0" "0" "0" "0" "0" "0" "0" "0"
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      PID:4404
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -Command "Get-AppxPackage -AllUsers | Where-Object {$_.PackageFullName -like \"*microsoftedge*\"} | Select-Object -ExpandProperty PackageFullName"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe 2>$null"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe -AllUsers 2>$null"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe 2>$null"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe -AllUsers 2>$null"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\ProgramData\Microsoft\EdgeUpdate""
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /query /fo csv
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f
    3⤵
    PID:3700

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe
1⤵
PID:5088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery