0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Windows security bypass 2 TTPs 5 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\svc	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Security Center\svc	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\EE1599070C8F0CE80000EE14AAF71198 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\EE1599070C8F0CE80000EE14AAF71198 = "C:\\ProgramData\\EE1599070C8F0CE80000EE14AAF71198\\EE1599070C8F0CE80000EE14AAF71198.exe"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2208	400	WerFault.exe	81
4624	400	WerFault.exe	81
428	400	WerFault.exe	81
4200	400	WerFault.exe	81
3492	400	WerFault.exe	81
1940	400	WerFault.exe	81
2448	400	WerFault.exe	81
4024	400	WerFault.exe	81
2496	400	WerFault.exe	81
5088	400	WerFault.exe	81
4128	400	WerFault.exe	81
3260	400	WerFault.exe	81
1384	400	WerFault.exe	81
4520	400	WerFault.exe	81
3596	400	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
400	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe

C:\Users\Admin\AppData\Local\Temp\0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe
"C:\Users\Admin\AppData\Local\Temp\0aebc5fbcd4336c298b379ec45d03767877e0c90e01ae4a404b0285cc01f4247.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 536
  2⤵
  - Program crash
  PID:2208
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 672
  2⤵
  - Program crash
  PID:4624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 712
  2⤵
  - Program crash
  PID:428
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 720
  2⤵
  - Program crash
  PID:4200
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 668
  2⤵
  - Program crash
  PID:3492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 796
  2⤵
  - Program crash
  PID:1940
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 668
  2⤵
  - Program crash
  PID:2448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 820
  2⤵
  - Program crash
  PID:4024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1012
  2⤵
  - Program crash
  PID:2496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1040
  2⤵
  - Program crash
  PID:5088
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1040
  2⤵
  - Program crash
  PID:4128
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1160
  2⤵
  - Program crash
  PID:3260
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 1492
  2⤵
  - Program crash
  PID:1384
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 832
  2⤵
  - Program crash
  PID:4520
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 872
  2⤵
  - Program crash
  PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 400 -ip 400
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 400 -ip 400
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 400 -ip 400
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 400 -ip 400
1⤵
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 400 -ip 400
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 400 -ip 400
1⤵
PID:2836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 400 -ip 400
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 400 -ip 400
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 400 -ip 400
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 400 -ip 400
1⤵
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 400 -ip 400
1⤵
PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 400 -ip 400
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 400 -ip 400
1⤵
PID:4960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 400 -ip 400
1⤵
PID:3672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 400 -ip 400
1⤵
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry