description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

resource	yara_rule
behavioral1/memory/1036-0-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral1/memory/1036-2-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral1/memory/1036-3-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral1/memory/1036-4-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral1/memory/1036-5-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral1/memory/1036-37-0x0000000180000000-0x0000000180033000-memory.dmp	upx
behavioral1/memory/1036-47-0x0000000180000000-0x0000000180033000-memory.dmp	upx

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	dac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	dac.exe

description	pid	process
Token: SeShutdownPrivilege	1036	dac.exe
Token: 33	2628	mmc.exe
Token: SeIncBasePriorityPrivilege	2628	mmc.exe
Token: 33	2628	mmc.exe
Token: SeIncBasePriorityPrivilege	2628	mmc.exe
Token: 33	1976	mmc.exe
Token: SeIncBasePriorityPrivilege	1976	mmc.exe
Token: 33	1976	mmc.exe
Token: SeIncBasePriorityPrivilege	1976	mmc.exe
Token: 33	2404	mmc.exe
Token: SeIncBasePriorityPrivilege	2404	mmc.exe
Token: 33	2404	mmc.exe
Token: SeIncBasePriorityPrivilege	2404	mmc.exe

description	pid	process	target process
PID 2628 wrote to memory of 2500	2628	mmc.exe	netsh.exe
PID 2628 wrote to memory of 2500	2628	mmc.exe	netsh.exe
PID 2628 wrote to memory of 2500	2628	mmc.exe	netsh.exe
PID 1976 wrote to memory of 2472	1976	mmc.exe	netsh.exe
PID 1976 wrote to memory of 2472	1976	mmc.exe	netsh.exe
PID 1976 wrote to memory of 2472	1976	mmc.exe	netsh.exe
PID 1036 wrote to memory of 2756	1036	dac.exe	cmd.exe
PID 1036 wrote to memory of 2756	1036	dac.exe	cmd.exe
PID 1036 wrote to memory of 2756	1036	dac.exe	cmd.exe
PID 2756 wrote to memory of 1164	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 1164	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 1164	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 1040	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 1040	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 1040	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 2892	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 2892	2756	cmd.exe	reg.exe
PID 2756 wrote to memory of 2892	2756	cmd.exe	reg.exe
PID 1036 wrote to memory of 296	1036	dac.exe	cmd.exe
PID 1036 wrote to memory of 296	1036	dac.exe	cmd.exe
PID 1036 wrote to memory of 296	1036	dac.exe	cmd.exe
PID 2404 wrote to memory of 2040	2404	mmc.exe	AliWorkbench.exe
PID 2404 wrote to memory of 2040	2404	mmc.exe	AliWorkbench.exe
PID 2404 wrote to memory of 2040	2404	mmc.exe	AliWorkbench.exe
PID 2404 wrote to memory of 2040	2404	mmc.exe	AliWorkbench.exe

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads