5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Windows security bypass 2 TTPs 5 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Disables taskbar notifications via registry modification
evasion

Windows security modification 2 TTPs 8 IoCs

Disabling Security Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Security Center\svc	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\svc	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\DisableAntiSpyware = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\0652A38ED8E3E6F3000006529D40EBA3 = "C:\\ProgramData\\0652A38ED8E3E6F3000006529D40EBA3\\0652A38ED8E3E6F3000006529D40EBA3.exe"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2748	3584	WerFault.exe	79
2076	3584	WerFault.exe	79
4224	3584	WerFault.exe	79
4664	3584	WerFault.exe	79
3024	3584	WerFault.exe	79
4032	3584	WerFault.exe	79
1684	3584	WerFault.exe	79
400	3584	WerFault.exe	79
1424	3584	WerFault.exe	79
3548	3584	WerFault.exe	79
616	3584	WerFault.exe	79
4272	3584	WerFault.exe	79
2632	3584	WerFault.exe	79
2052	3584	WerFault.exe	79
3148	3584	WerFault.exe	79

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
3584	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe

C:\Users\Admin\AppData\Local\Temp\5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe
"C:\Users\Admin\AppData\Local\Temp\5e743fa549ed109e4b27c9fd01ac14629b7a6306db377b9a6f7f09ca954bde0b.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 548
  2⤵
  - Program crash
  PID:2748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 684
  2⤵
  - Program crash
  PID:2076
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 708
  2⤵
  - Program crash
  PID:4224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 724
  2⤵
  - Program crash
  PID:4664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 780
  2⤵
  - Program crash
  PID:3024
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 768
  2⤵
  - Program crash
  PID:4032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 820
  2⤵
  - Program crash
  PID:1684
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 856
  2⤵
  - Program crash
  PID:400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1020
  2⤵
  - Program crash
  PID:1424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1044
  2⤵
  - Program crash
  PID:3548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1112
  2⤵
  - Program crash
  PID:616
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1304
  2⤵
  - Program crash
  PID:4272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 828
  2⤵
  - Program crash
  PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1480
  2⤵
  - Program crash
  PID:2052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 592
  2⤵
  - Program crash
  PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3584 -ip 3584
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3584 -ip 3584
1⤵
PID:3828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3584 -ip 3584
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3584 -ip 3584
1⤵
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3584 -ip 3584
1⤵
PID:2732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3584 -ip 3584
1⤵
PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3584 -ip 3584
1⤵
PID:4616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3584 -ip 3584
1⤵
PID:3908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3584 -ip 3584
1⤵
PID:2424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3584 -ip 3584
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3584 -ip 3584
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3584 -ip 3584
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3584 -ip 3584
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3584 -ip 3584
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3584 -ip 3584
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

Modify Registry