Analysis

max time kernel: 144s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-03-2024 22:18

Static task: static1
Behavioral task: behavioral1
  Sample: KernelOS21H2.bat
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: KernelOS21H2.bat
  Resource: win10v2004-20240226-en

Errors

General

Target: KernelOS21H2.bat
Size: 38KB
MD5: bcd25445d0d143defaefeb34257baf60
SHA1: 1baf57d0ac9db658f642d50b2c61b818b9036924
SHA256: 6e7280bbd4c2ae300182de2507317fe1ab100404df897f06650190dd45e7f773
SHA512: 40b9c6809559293430134276d36c0bc7e7d36e256dfeb2f9cc75a88650241b32e771b6bb1ea12823ce7aa0e89cd81ac0acf73737cbd69d9051398817f8fbf56f
SSDEEP: 768:lTOLfw09oGDbfrdAUY5eCNldf2BWt9vOjfEv+/ZcbXmB9ofdfv3h8f+q1wqk:hku
Malware Config
Signatures

Modifies boot configuration data using bcdedit (7 IoCs)
  pid / Process: 3568 bcdedit.exe, 3916 bcdedit.exe, 4152 bcdedit.exe, 4192 bcdedit.exe, 4084 bcdedit.exe, 4444 bcdedit.exe, 3628 bcdedit.exe

Stops running service(s) (3 TTPs)

Drops file in Program Files directory (64 IoCs)
Launches sc.exe (3 IoCs)
  sc.exe is a Windows utility to control services on the system.
  pid / Process: 3692 sc.exe, 4876 sc.exe, 844 sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Delays execution with timeout.exe (15 IoCs)
  pid / Process: 3432 timeout.exe, 4936 timeout.exe, 4136 timeout.exe, 3448 timeout.exe, 1696 timeout.exe, 680 timeout.exe, 208 timeout.exe, 4032 timeout.exe, 332 timeout.exe, 928 timeout.exe, 380 timeout.exe, 4564 timeout.exe, 2316 timeout.exe, 2556 timeout.exe, 4760 timeout.exe

Kills process with taskkill (1 IoC)
  pid / Process: 3084 taskkill.exe

Modifies data under HKEY_USERS (15 IoCs)
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid / Process: 1712 powershell.exe, 1712 powershell.exe, 1712 powershell.exe, 1712 powershell.exe, 3508 powershell.exe, 3508 powershell.exe, 3508 powershell.exe

Suspicious use of AdjustPrivilegeToken (59 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 1192 LogonUI.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes

(Process tree: each entry gives the PID and image path, then the command line on the following line, then any signature tags; indentation shows parent/child depth.)

PID 1180  C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KernelOS21H2.bat"
    - Suspicious use of WriteProcessMemory
  PID 5084  C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c chcp
      - Suspicious use of WriteProcessMemory
    PID 5068  C:\Windows\system32\chcp.com
        chcp
  PID 2004  C:\Windows\system32\chcp.com
      chcp 708
  PID 4284  C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\KernelOS21H2.bat" "
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
    PID 3084  C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    PID 1712  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell "Set-ExecutionPolicy -ExecutionPolicy Unrestricted"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 2316  C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        - Delays execution with timeout.exe
    PID 4408  C:\Windows\system32\powercfg.exe
        powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6 IDLE ON.pow" 01001011-0100-1111-0101-001188888884
        - Suspicious use of AdjustPrivilegeToken
    PID 4268  C:\Windows\system32\powercfg.exe
        powercfg /import "C:\KernelOS-Modules\KernelOS Performance v6.pow" 01001011-0100-1111-0101-001188888883
        - Suspicious use of AdjustPrivilegeToken
    PID 4356  C:\Windows\system32\powercfg.exe
        powercfg /s 01001011-0100-1111-0101-001188888884
        - Suspicious use of AdjustPrivilegeToken
    PID 1556  C:\Windows\system32\powercfg.exe
        powercfg -delete 381b4222-f694-41f0-9685-ff5bb260df2e
        - Suspicious use of AdjustPrivilegeToken
    PID 2812  C:\Windows\system32\powercfg.exe
        powercfg -delete 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
        - Suspicious use of AdjustPrivilegeToken
    PID 5012  C:\Windows\system32\powercfg.exe
        powercfg -delete a1841308-3541-4fab-bc81-f71556f20b4a
        - Suspicious use of AdjustPrivilegeToken
    PID 208  C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        - Delays execution with timeout.exe
    PID 928  C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        - Delays execution with timeout.exe
    PID 4936  C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        - Delays execution with timeout.exe
    PID 3508  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe "Get-AppxPackage -AllUsers *WindowsStore* | Remove-AppxPackage"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID 2556  C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        - Delays execution with timeout.exe
    PID 380  C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        - Delays execution with timeout.exe
    PID 4760  C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        - Delays execution with timeout.exe
    PID 4032  C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        - Delays execution with timeout.exe
    PID 3568  C:\Windows\system32\bcdedit.exe
        bcdedit /timeout 10
        - Modifies boot configuration data using bcdedit
    PID 3916  C:\Windows\system32\bcdedit.exe
        bcdedit /set useplatformtick Yes
        - Modifies boot configuration data using bcdedit
    PID 4152  C:\Windows\system32\bcdedit.exe
        bcdedit /set disabledynamictick Yes
        - Modifies boot configuration data using bcdedit
    PID 4192  C:\Windows\system32\bcdedit.exe
        bcdedit /set bootmenupolicy Legacy
        - Modifies boot configuration data using bcdedit
    PID 4084  C:\Windows\system32\bcdedit.exe
        bcdedit /set quietboot On
        - Modifies boot configuration data using bcdedit
    PID 4444  C:\Windows\system32\bcdedit.exe
        bcdedit /set x2apicpolicy Disable
        - Modifies boot configuration data using bcdedit
    PID 3628  C:\Windows\system32\bcdedit.exe
        bcdedit /set nx OptIn
        - Modifies boot configuration data using bcdedit
    PID 4136  C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        - Delays execution with timeout.exe
    PID 332  C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        - Delays execution with timeout.exe
    PID 4724  C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic path win32_networkadapter get GUID | findstr "{"
        - Suspicious use of WriteProcessMemory
      PID 2956  C:\Windows\System32\Wbem\WMIC.exe
          wmic path win32_networkadapter get GUID
          - Suspicious use of AdjustPrivilegeToken
      PID 3432  C:\Windows\system32\findstr.exe
          findstr "{"
    PID 680  C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{97E84A7E-2850-4D88-B8BE-B019231C671A}" /v "TcpAckFrequency" /t REG_DWORD /d "1" /f
    PID 3132  C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{97E84A7E-2850-4D88-B8BE-B019231C671A}" /v "TcpDelAckTicks" /t REG_DWORD /d "0" /f
    PID 2004  C:\Windows\system32\reg.exe
        reg add "HKLM\System\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{97E84A7E-2850-4D88-B8BE-B019231C671A}" /v "TCPNoDelay" /t REG_DWORD /d "1" /f
    PID 1696  C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        - Delays execution with timeout.exe
    PID 4828  C:\Windows\system32\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
    PID 3644  C:\Windows\system32\reg.exe
        REG ADD "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" /V "1806" /T "REG_DWORD" /D "0000000000" /F
    PID 2832  C:\Windows\system32\reg.exe
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Security" /V "DisableSecuritySettingsCheck" /T "REG_DWORD" /D "00000001" /F
    PID 4876  C:\Windows\system32\sc.exe
        sc delete nvagent
        - Launches sc.exe
    PID 4564  C:\Windows\system32\timeout.exe
        timeout /t 5 /nobreak
        - Delays execution with timeout.exe
    PID 4760  C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
      PID 2268  C:\Windows\system32\where.exe
          where /r "C:\Program Files (x86)\Microsoft\Edge\Application" *setup.exe*
    PID 1888  C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe" --uninstall --system-level --verbose-logging --force-uninstall
        - Drops file in Program Files directory
      PID 4552  C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x228,0x22c,0x230,0x204,0x234,0x7ff6b95399a8,0x7ff6b95399b4,0x7ff6b95399c0
          - Drops file in Program Files directory
    PID 844  C:\Windows\system32\sc.exe
        sc delete edgeupdate
        - Launches sc.exe
    PID 3692  C:\Windows\system32\sc.exe
        sc delete edgeupdatem
        - Launches sc.exe
    PID 3448  C:\Windows\system32\timeout.exe
        timeout /t 10 /nobreak
        - Delays execution with timeout.exe
    PID 5048  C:\Windows\system32\shutdown.exe
        shutdown -r -f -t 7 -c "Please wait until your PC restarts..."
        - Suspicious use of AdjustPrivilegeToken
    PID 3432  C:\Windows\system32\timeout.exe
        timeout /t 3 /nobreak
        - Delays execution with timeout.exe
    PID 680  C:\Windows\system32\timeout.exe
        timeout /t 4 /nobreak
        - Delays execution with timeout.exe

PID 2504  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1404 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8

PID 1192  C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3915055 /state1:0x41c64e6d
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads