description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

pid	Process
568	schtasks.exe
2864	schtasks.exe
2312	schtasks.exe
828	schtasks.exe
2680	schtasks.exe
1644	schtasks.exe
2676	schtasks.exe
2884	schtasks.exe
2828	schtasks.exe
2632	schtasks.exe
2720	schtasks.exe
2620	schtasks.exe
1816	schtasks.exe
2632	schtasks.exe
2872	schtasks.exe
2892	schtasks.exe
2884	schtasks.exe
2964	schtasks.exe
2160	schtasks.exe
2816	schtasks.exe
1528	schtasks.exe
2912	schtasks.exe
2716	schtasks.exe
2076	schtasks.exe
1188	schtasks.exe
2784	schtasks.exe
896	schtasks.exe
2928	schtasks.exe
1432	schtasks.exe
3044	schtasks.exe
2772	schtasks.exe
592	schtasks.exe
348	schtasks.exe
2996	schtasks.exe
2768	schtasks.exe
2684	schtasks.exe
1672	schtasks.exe
2264	schtasks.exe
2792	schtasks.exe
2520	schtasks.exe
2076	schtasks.exe
2060	schtasks.exe
2604	schtasks.exe
2456	schtasks.exe
628	schtasks.exe
2328	schtasks.exe
592	schtasks.exe
1560	schtasks.exe
2548	schtasks.exe
692	schtasks.exe
2596	schtasks.exe
1984	schtasks.exe
556	schtasks.exe
2832	schtasks.exe
2640	schtasks.exe
2964	schtasks.exe
1400	schtasks.exe
2176	schtasks.exe
2128	schtasks.exe
3056	schtasks.exe
2692	schtasks.exe
2344	schtasks.exe
724	schtasks.exe
1680	schtasks.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2688	WMIC.exe
Token: SeSecurityPrivilege	2688	WMIC.exe
Token: SeTakeOwnershipPrivilege	2688	WMIC.exe
Token: SeLoadDriverPrivilege	2688	WMIC.exe
Token: SeSystemProfilePrivilege	2688	WMIC.exe
Token: SeSystemtimePrivilege	2688	WMIC.exe
Token: SeProfSingleProcessPrivilege	2688	WMIC.exe
Token: SeIncBasePriorityPrivilege	2688	WMIC.exe
Token: SeCreatePagefilePrivilege	2688	WMIC.exe
Token: SeBackupPrivilege	2688	WMIC.exe
Token: SeRestorePrivilege	2688	WMIC.exe
Token: SeShutdownPrivilege	2688	WMIC.exe
Token: SeDebugPrivilege	2688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2688	WMIC.exe
Token: SeRemoteShutdownPrivilege	2688	WMIC.exe
Token: SeUndockPrivilege	2688	WMIC.exe
Token: SeManageVolumePrivilege	2688	WMIC.exe
Token: 33	2688	WMIC.exe
Token: 34	2688	WMIC.exe
Token: 35	2688	WMIC.exe

description	pid	Process	procid_target
PID 1076 wrote to memory of 2692	1076	cmd.exe	31
PID 1076 wrote to memory of 2692	1076	cmd.exe	31
PID 1076 wrote to memory of 2692	1076	cmd.exe	31
PID 1076 wrote to memory of 2392	1076	cmd.exe	32
PID 1076 wrote to memory of 2392	1076	cmd.exe	32
PID 1076 wrote to memory of 2392	1076	cmd.exe	32
PID 1076 wrote to memory of 2004	1076	cmd.exe	33
PID 1076 wrote to memory of 2004	1076	cmd.exe	33
PID 1076 wrote to memory of 2004	1076	cmd.exe	33
PID 2004 wrote to memory of 1680	2004	net.exe	34
PID 2004 wrote to memory of 1680	2004	net.exe	34
PID 2004 wrote to memory of 1680	2004	net.exe	34
PID 1076 wrote to memory of 1620	1076	cmd.exe	35
PID 1076 wrote to memory of 1620	1076	cmd.exe	35
PID 1076 wrote to memory of 1620	1076	cmd.exe	35
PID 1076 wrote to memory of 2524	1076	cmd.exe	36
PID 1076 wrote to memory of 2524	1076	cmd.exe	36
PID 1076 wrote to memory of 2524	1076	cmd.exe	36
PID 1076 wrote to memory of 2688	1076	cmd.exe	37
PID 1076 wrote to memory of 2688	1076	cmd.exe	37
PID 1076 wrote to memory of 2688	1076	cmd.exe	37
PID 1076 wrote to memory of 2800	1076	cmd.exe	41
PID 1076 wrote to memory of 2800	1076	cmd.exe	41
PID 1076 wrote to memory of 2800	1076	cmd.exe	41
PID 1076 wrote to memory of 2716	1076	cmd.exe	42
PID 1076 wrote to memory of 2716	1076	cmd.exe	42
PID 1076 wrote to memory of 2716	1076	cmd.exe	42
PID 1076 wrote to memory of 2740	1076	cmd.exe	43
PID 1076 wrote to memory of 2740	1076	cmd.exe	43
PID 1076 wrote to memory of 2740	1076	cmd.exe	43
PID 1076 wrote to memory of 2056	1076	cmd.exe	44
PID 1076 wrote to memory of 2056	1076	cmd.exe	44
PID 1076 wrote to memory of 2056	1076	cmd.exe	44
PID 1076 wrote to memory of 3056	1076	cmd.exe	45
PID 1076 wrote to memory of 3056	1076	cmd.exe	45
PID 1076 wrote to memory of 3056	1076	cmd.exe	45
PID 1076 wrote to memory of 2768	1076	cmd.exe	46
PID 1076 wrote to memory of 2768	1076	cmd.exe	46
PID 1076 wrote to memory of 2768	1076	cmd.exe	46
PID 1076 wrote to memory of 2908	1076	cmd.exe	47
PID 1076 wrote to memory of 2908	1076	cmd.exe	47
PID 1076 wrote to memory of 2908	1076	cmd.exe	47
PID 1076 wrote to memory of 2632	1076	cmd.exe	48
PID 1076 wrote to memory of 2632	1076	cmd.exe	48
PID 1076 wrote to memory of 2632	1076	cmd.exe	48
PID 1076 wrote to memory of 2896	1076	cmd.exe	49
PID 1076 wrote to memory of 2896	1076	cmd.exe	49
PID 1076 wrote to memory of 2896	1076	cmd.exe	49
PID 1076 wrote to memory of 2772	1076	cmd.exe	50
PID 1076 wrote to memory of 2772	1076	cmd.exe	50
PID 1076 wrote to memory of 2772	1076	cmd.exe	50
PID 1076 wrote to memory of 2664	1076	cmd.exe	51
PID 1076 wrote to memory of 2664	1076	cmd.exe	51
PID 1076 wrote to memory of 2664	1076	cmd.exe	51
PID 1076 wrote to memory of 2604	1076	cmd.exe	52
PID 1076 wrote to memory of 2604	1076	cmd.exe	52
PID 1076 wrote to memory of 2604	1076	cmd.exe	52
PID 1076 wrote to memory of 2460	1076	cmd.exe	53
PID 1076 wrote to memory of 2460	1076	cmd.exe	53
PID 1076 wrote to memory of 2460	1076	cmd.exe	53
PID 1076 wrote to memory of 2684	1076	cmd.exe	54
PID 1076 wrote to memory of 2684	1076	cmd.exe	54
PID 1076 wrote to memory of 2684	1076	cmd.exe	54
PID 1076 wrote to memory of 2344	1076	cmd.exe	55

pid	Process
1784	attrib.exe
348	attrib.exe
2844	attrib.exe
2896	attrib.exe
1692	attrib.exe
1516	attrib.exe
2032	attrib.exe
2800	attrib.exe
2260	attrib.exe
1760	attrib.exe
976	attrib.exe
1528	attrib.exe
1624	attrib.exe
2712	attrib.exe
2644	attrib.exe
3040	attrib.exe
1096	attrib.exe
2552	attrib.exe
1928	attrib.exe
2464	attrib.exe
2640	attrib.exe
2460	attrib.exe
2900	attrib.exe
2016	attrib.exe
3052	attrib.exe
2788	attrib.exe
916	attrib.exe
2836	attrib.exe
3028	attrib.exe
2980	attrib.exe
2956	attrib.exe
2468	attrib.exe
1512	attrib.exe
916	attrib.exe
1680	attrib.exe
2664	attrib.exe
1248	attrib.exe
2344	attrib.exe
3052	attrib.exe
2720	attrib.exe
1328	attrib.exe
3024	attrib.exe
568	attrib.exe
2708	attrib.exe
1872	attrib.exe
1648	attrib.exe
1028	attrib.exe
2900	attrib.exe
1552	attrib.exe
2252	attrib.exe
1816	attrib.exe
1104	attrib.exe
2152	attrib.exe
2664	attrib.exe
2960	attrib.exe
560	attrib.exe
3024	attrib.exe
2140	attrib.exe
536	attrib.exe
2384	attrib.exe
1648	attrib.exe
2260	attrib.exe
1148	attrib.exe
2976	attrib.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads