description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	000.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	000.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	000.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	000.exe

description	ioc	Process
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\G:	000.exe

pid	Process
2704	taskkill.exe
4872	taskkill.exe
2908	taskkill.exe
4436	taskkill.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "3"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1168293393-3419776239-306423207-1000\{94F0C3A5-4AC7-4836-83AA-BAC0E06C37A4}	000.exe

description	pid	Process
Token: SeShutdownPrivilege	3888	000.exe
Token: SeCreatePagefilePrivilege	3888	000.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeShutdownPrivilege	3888	000.exe
Token: SeCreatePagefilePrivilege	3888	000.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	2704	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3792	WMIC.exe
Token: SeSecurityPrivilege	3792	WMIC.exe
Token: SeTakeOwnershipPrivilege	3792	WMIC.exe
Token: SeLoadDriverPrivilege	3792	WMIC.exe
Token: SeSystemProfilePrivilege	3792	WMIC.exe
Token: SeSystemtimePrivilege	3792	WMIC.exe
Token: SeProfSingleProcessPrivilege	3792	WMIC.exe
Token: SeIncBasePriorityPrivilege	3792	WMIC.exe
Token: SeCreatePagefilePrivilege	3792	WMIC.exe
Token: SeBackupPrivilege	3792	WMIC.exe
Token: SeRestorePrivilege	3792	WMIC.exe
Token: SeShutdownPrivilege	3792	WMIC.exe
Token: SeDebugPrivilege	3792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3792	WMIC.exe
Token: SeRemoteShutdownPrivilege	3792	WMIC.exe
Token: SeUndockPrivilege	3792	WMIC.exe
Token: SeManageVolumePrivilege	3792	WMIC.exe
Token: 33	3792	WMIC.exe
Token: 34	3792	WMIC.exe
Token: 35	3792	WMIC.exe
Token: 36	3792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	528	WMIC.exe
Token: SeSecurityPrivilege	528	WMIC.exe
Token: SeTakeOwnershipPrivilege	528	WMIC.exe
Token: SeLoadDriverPrivilege	528	WMIC.exe
Token: SeSystemProfilePrivilege	528	WMIC.exe
Token: SeSystemtimePrivilege	528	WMIC.exe
Token: SeProfSingleProcessPrivilege	528	WMIC.exe
Token: SeIncBasePriorityPrivilege	528	WMIC.exe
Token: SeCreatePagefilePrivilege	528	WMIC.exe
Token: SeBackupPrivilege	528	WMIC.exe
Token: SeRestorePrivilege	528	WMIC.exe
Token: SeShutdownPrivilege	528	WMIC.exe
Token: SeDebugPrivilege	528	WMIC.exe
Token: SeSystemEnvironmentPrivilege	528	WMIC.exe

description	pid	Process	procid_target
PID 3888 wrote to memory of 4920	3888	000.exe	84
PID 3888 wrote to memory of 4920	3888	000.exe	84
PID 4920 wrote to memory of 2908	4920	cmd.exe	86
PID 4920 wrote to memory of 2908	4920	cmd.exe	86
PID 4920 wrote to memory of 4436	4920	cmd.exe	88
PID 4920 wrote to memory of 4436	4920	cmd.exe	88
PID 4920 wrote to memory of 2704	4920	cmd.exe	89
PID 4920 wrote to memory of 2704	4920	cmd.exe	89
PID 4920 wrote to memory of 4872	4920	cmd.exe	90
PID 4920 wrote to memory of 4872	4920	cmd.exe	90
PID 4920 wrote to memory of 1056	4920	cmd.exe	91
PID 4920 wrote to memory of 1056	4920	cmd.exe	91
PID 1056 wrote to memory of 4604	1056	net.exe	92
PID 1056 wrote to memory of 4604	1056	net.exe	92
PID 4920 wrote to memory of 3792	4920	cmd.exe	93
PID 4920 wrote to memory of 3792	4920	cmd.exe	93
PID 4920 wrote to memory of 528	4920	cmd.exe	94
PID 4920 wrote to memory of 528	4920	cmd.exe	94
PID 4920 wrote to memory of 3208	4920	cmd.exe	95
PID 4920 wrote to memory of 3208	4920	cmd.exe	95

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.