e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Windows security bypass 2 TTPs 5 IoCs

Disabling Security Tools

T1089

Modify Registry

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

Disabling Security Tools

T1089

Modify Registry

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Security Center\svc	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\svc	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\43469812FB1959900000434654D15E48 = "C:\\ProgramData\\43469812FB1959900000434654D15E48\\43469812FB1959900000434654D15E48.exe"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

pid	process
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

pid	process
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

pid	process
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

pid	process
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
992	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe

C:\Users\Admin\AppData\Local\Temp\e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe
"C:\Users\Admin\AppData\Local\Temp\e6d31067e6f6c2f0f250e081e73018ba07a7542288f8c0ed4f7075d6b21132ac.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

Credential Access

Discovery

System Information Discovery