description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "ffe.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3su13cgaw5335i.exe	1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\3su13cgaw5335i.exe\DisableExceptionChainValidation	1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Search = "C:\\ProgramData\\SearchEngine.exe"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\3su13cgaw5335i.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\3su13cgaw5335i.exe\""	explorer.exe

pid	process
1416	1.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

pid	process
268	2.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe
2560	explorer.exe

description	pid	process
Token: SeDebugPrivilege	268	2.exe
Token: SeDebugPrivilege	1416	1.exe
Token: SeRestorePrivilege	1416	1.exe
Token: SeBackupPrivilege	1416	1.exe
Token: SeLoadDriverPrivilege	1416	1.exe
Token: SeCreatePagefilePrivilege	1416	1.exe
Token: SeShutdownPrivilege	1416	1.exe
Token: SeTakeOwnershipPrivilege	1416	1.exe
Token: SeChangeNotifyPrivilege	1416	1.exe
Token: SeCreateTokenPrivilege	1416	1.exe
Token: SeMachineAccountPrivilege	1416	1.exe
Token: SeSecurityPrivilege	1416	1.exe
Token: SeAssignPrimaryTokenPrivilege	1416	1.exe
Token: SeCreateGlobalPrivilege	1416	1.exe
Token: 33	1416	1.exe
Token: SeDebugPrivilege	2560	explorer.exe
Token: SeRestorePrivilege	2560	explorer.exe
Token: SeBackupPrivilege	2560	explorer.exe
Token: SeLoadDriverPrivilege	2560	explorer.exe
Token: SeCreatePagefilePrivilege	2560	explorer.exe
Token: SeShutdownPrivilege	2560	explorer.exe
Token: SeTakeOwnershipPrivilege	2560	explorer.exe
Token: SeChangeNotifyPrivilege	2560	explorer.exe
Token: SeCreateTokenPrivilege	2560	explorer.exe
Token: SeMachineAccountPrivilege	2560	explorer.exe
Token: SeSecurityPrivilege	2560	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2560	explorer.exe
Token: SeCreateGlobalPrivilege	2560	explorer.exe
Token: 33	2560	explorer.exe
Token: SeCreateGlobalPrivilege	1228	Explorer.EXE

description	pid	process	target process
PID 1740 wrote to memory of 268	1740	betab.exe	2.exe
PID 1740 wrote to memory of 268	1740	betab.exe	2.exe
PID 1740 wrote to memory of 268	1740	betab.exe	2.exe
PID 1740 wrote to memory of 268	1740	betab.exe	2.exe
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 268 wrote to memory of 1228	268	2.exe	Explorer.EXE
PID 1740 wrote to memory of 1416	1740	betab.exe	1.exe
PID 1740 wrote to memory of 1416	1740	betab.exe	1.exe
PID 1740 wrote to memory of 1416	1740	betab.exe	1.exe
PID 1740 wrote to memory of 1416	1740	betab.exe	1.exe
PID 1416 wrote to memory of 2560	1416	1.exe	explorer.exe
PID 1416 wrote to memory of 2560	1416	1.exe	explorer.exe
PID 1416 wrote to memory of 2560	1416	1.exe	explorer.exe
PID 1416 wrote to memory of 2560	1416	1.exe	explorer.exe
PID 1416 wrote to memory of 2560	1416	1.exe	explorer.exe
PID 1416 wrote to memory of 2560	1416	1.exe	explorer.exe
PID 1416 wrote to memory of 2560	1416	1.exe	explorer.exe
PID 2560 wrote to memory of 1164	2560	explorer.exe	Dwm.exe
PID 2560 wrote to memory of 1164	2560	explorer.exe	Dwm.exe
PID 2560 wrote to memory of 1164	2560	explorer.exe	Dwm.exe
PID 2560 wrote to memory of 1164	2560	explorer.exe	Dwm.exe
PID 2560 wrote to memory of 1164	2560	explorer.exe	Dwm.exe
PID 2560 wrote to memory of 1164	2560	explorer.exe	Dwm.exe
PID 2560 wrote to memory of 1228	2560	explorer.exe	Explorer.EXE
PID 2560 wrote to memory of 1228	2560	explorer.exe	Explorer.EXE
PID 2560 wrote to memory of 1228	2560	explorer.exe	Explorer.EXE
PID 2560 wrote to memory of 1228	2560	explorer.exe	Explorer.EXE
PID 2560 wrote to memory of 1228	2560	explorer.exe	Explorer.EXE
PID 2560 wrote to memory of 1228	2560	explorer.exe	Explorer.EXE
PID 2560 wrote to memory of 1528	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1528	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1528	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1528	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1528	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1528	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1844	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1844	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1844	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1844	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1844	2560	explorer.exe	DllHost.exe
PID 2560 wrote to memory of 1844	2560	explorer.exe	DllHost.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads