description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	Process
2800	schtasks.exe
5088	schtasks.exe
1420	schtasks.exe
5104	schtasks.exe
4316	schtasks.exe
4444	schtasks.exe
4492	schtasks.exe
4024	schtasks.exe
1772	schtasks.exe
1664	schtasks.exe
4404	schtasks.exe
3928	schtasks.exe
3796	schtasks.exe
4392	schtasks.exe
196	schtasks.exe
1268	schtasks.exe
760	schtasks.exe
4524	schtasks.exe
596	schtasks.exe
2764	schtasks.exe
5004	schtasks.exe
5060	schtasks.exe
4448	schtasks.exe
3452	schtasks.exe
4648	schtasks.exe
3780	schtasks.exe
2892	schtasks.exe
4828	schtasks.exe
4356	schtasks.exe
4984	schtasks.exe
3776	schtasks.exe
4112	schtasks.exe
616	schtasks.exe
2916	schtasks.exe
2820	schtasks.exe
4508	schtasks.exe
4688	schtasks.exe
2968	schtasks.exe
1576	schtasks.exe
4844	schtasks.exe
3744	schtasks.exe
3924	schtasks.exe
2172	schtasks.exe
3488	schtasks.exe
2120	schtasks.exe
1104	schtasks.exe
3672	schtasks.exe
1992	schtasks.exe
1696	schtasks.exe
3948	schtasks.exe
4860	schtasks.exe
2860	schtasks.exe
1108	schtasks.exe
4948	schtasks.exe
2296	schtasks.exe
3920	schtasks.exe
1672	schtasks.exe
424	schtasks.exe
2180	schtasks.exe
672	schtasks.exe
4008	schtasks.exe
3460	schtasks.exe
5116	schtasks.exe
2312	schtasks.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4100	WMIC.exe
Token: SeSecurityPrivilege	4100	WMIC.exe
Token: SeTakeOwnershipPrivilege	4100	WMIC.exe
Token: SeLoadDriverPrivilege	4100	WMIC.exe
Token: SeSystemProfilePrivilege	4100	WMIC.exe
Token: SeSystemtimePrivilege	4100	WMIC.exe
Token: SeProfSingleProcessPrivilege	4100	WMIC.exe
Token: SeIncBasePriorityPrivilege	4100	WMIC.exe
Token: SeCreatePagefilePrivilege	4100	WMIC.exe
Token: SeBackupPrivilege	4100	WMIC.exe
Token: SeRestorePrivilege	4100	WMIC.exe
Token: SeShutdownPrivilege	4100	WMIC.exe
Token: SeDebugPrivilege	4100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4100	WMIC.exe
Token: SeRemoteShutdownPrivilege	4100	WMIC.exe
Token: SeUndockPrivilege	4100	WMIC.exe
Token: SeManageVolumePrivilege	4100	WMIC.exe
Token: 33	4100	WMIC.exe
Token: 34	4100	WMIC.exe
Token: 35	4100	WMIC.exe
Token: 36	4100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4100	WMIC.exe
Token: SeSecurityPrivilege	4100	WMIC.exe
Token: SeTakeOwnershipPrivilege	4100	WMIC.exe
Token: SeLoadDriverPrivilege	4100	WMIC.exe
Token: SeSystemProfilePrivilege	4100	WMIC.exe
Token: SeSystemtimePrivilege	4100	WMIC.exe
Token: SeProfSingleProcessPrivilege	4100	WMIC.exe
Token: SeIncBasePriorityPrivilege	4100	WMIC.exe
Token: SeCreatePagefilePrivilege	4100	WMIC.exe
Token: SeBackupPrivilege	4100	WMIC.exe
Token: SeRestorePrivilege	4100	WMIC.exe
Token: SeShutdownPrivilege	4100	WMIC.exe
Token: SeDebugPrivilege	4100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4100	WMIC.exe
Token: SeRemoteShutdownPrivilege	4100	WMIC.exe
Token: SeUndockPrivilege	4100	WMIC.exe
Token: SeManageVolumePrivilege	4100	WMIC.exe
Token: 33	4100	WMIC.exe
Token: 34	4100	WMIC.exe
Token: 35	4100	WMIC.exe
Token: 36	4100	WMIC.exe

description	pid	Process	procid_target
PID 3936 wrote to memory of 4724	3936	cmd.exe	75
PID 3936 wrote to memory of 4724	3936	cmd.exe	75
PID 3936 wrote to memory of 4524	3936	cmd.exe	76
PID 3936 wrote to memory of 4524	3936	cmd.exe	76
PID 3936 wrote to memory of 4288	3936	cmd.exe	77
PID 3936 wrote to memory of 4288	3936	cmd.exe	77
PID 4288 wrote to memory of 1576	4288	net.exe	78
PID 4288 wrote to memory of 1576	4288	net.exe	78
PID 3936 wrote to memory of 5068	3936	cmd.exe	79
PID 3936 wrote to memory of 5068	3936	cmd.exe	79
PID 3936 wrote to memory of 428	3936	cmd.exe	80
PID 3936 wrote to memory of 428	3936	cmd.exe	80
PID 3936 wrote to memory of 4100	3936	cmd.exe	81
PID 3936 wrote to memory of 4100	3936	cmd.exe	81
PID 3936 wrote to memory of 5060	3936	cmd.exe	85
PID 3936 wrote to memory of 5060	3936	cmd.exe	85
PID 3936 wrote to memory of 4948	3936	cmd.exe	86
PID 3936 wrote to memory of 4948	3936	cmd.exe	86
PID 3936 wrote to memory of 3668	3936	cmd.exe	87
PID 3936 wrote to memory of 3668	3936	cmd.exe	87
PID 3936 wrote to memory of 1268	3936	cmd.exe	88
PID 3936 wrote to memory of 1268	3936	cmd.exe	88
PID 3936 wrote to memory of 3156	3936	cmd.exe	89
PID 3936 wrote to memory of 3156	3936	cmd.exe	89
PID 3936 wrote to memory of 3488	3936	cmd.exe	90
PID 3936 wrote to memory of 3488	3936	cmd.exe	90
PID 3936 wrote to memory of 1732	3936	cmd.exe	91
PID 3936 wrote to memory of 1732	3936	cmd.exe	91
PID 3936 wrote to memory of 1308	3936	cmd.exe	92
PID 3936 wrote to memory of 1308	3936	cmd.exe	92
PID 3936 wrote to memory of 3852	3936	cmd.exe	93
PID 3936 wrote to memory of 3852	3936	cmd.exe	93
PID 3936 wrote to memory of 4404	3936	cmd.exe	94
PID 3936 wrote to memory of 4404	3936	cmd.exe	94
PID 3936 wrote to memory of 1452	3936	cmd.exe	95
PID 3936 wrote to memory of 1452	3936	cmd.exe	95
PID 3936 wrote to memory of 4984	3936	cmd.exe	96
PID 3936 wrote to memory of 4984	3936	cmd.exe	96
PID 3936 wrote to memory of 4924	3936	cmd.exe	97
PID 3936 wrote to memory of 4924	3936	cmd.exe	97
PID 3936 wrote to memory of 5012	3936	cmd.exe	98
PID 3936 wrote to memory of 5012	3936	cmd.exe	98
PID 3936 wrote to memory of 4976	3936	cmd.exe	99
PID 3936 wrote to memory of 4976	3936	cmd.exe	99
PID 3936 wrote to memory of 4668	3936	cmd.exe	100
PID 3936 wrote to memory of 4668	3936	cmd.exe	100
PID 3936 wrote to memory of 2860	3936	cmd.exe	101
PID 3936 wrote to memory of 2860	3936	cmd.exe	101
PID 3936 wrote to memory of 3796	3936	cmd.exe	102
PID 3936 wrote to memory of 3796	3936	cmd.exe	102
PID 3936 wrote to memory of 424	3936	cmd.exe	103
PID 3936 wrote to memory of 424	3936	cmd.exe	103
PID 3936 wrote to memory of 1884	3936	cmd.exe	104
PID 3936 wrote to memory of 1884	3936	cmd.exe	104
PID 3936 wrote to memory of 872	3936	cmd.exe	105
PID 3936 wrote to memory of 872	3936	cmd.exe	105
PID 3936 wrote to memory of 4844	3936	cmd.exe	106
PID 3936 wrote to memory of 4844	3936	cmd.exe	106
PID 3936 wrote to memory of 3328	3936	cmd.exe	107
PID 3936 wrote to memory of 3328	3936	cmd.exe	107
PID 3936 wrote to memory of 5088	3936	cmd.exe	108
PID 3936 wrote to memory of 5088	3936	cmd.exe	108
PID 3936 wrote to memory of 4588	3936	cmd.exe	109
PID 3936 wrote to memory of 4588	3936	cmd.exe	109

pid	Process
4188	attrib.exe
4024	attrib.exe
4576	attrib.exe
3276	attrib.exe
2872	attrib.exe
672	attrib.exe
2764	attrib.exe
3732	attrib.exe
1724	attrib.exe
4192	attrib.exe
3932	attrib.exe
1712	attrib.exe
3564	attrib.exe
4976	attrib.exe
1260	attrib.exe
2488	attrib.exe
4224	attrib.exe
4884	attrib.exe
4768	attrib.exe
424	attrib.exe
1336	attrib.exe
2212	attrib.exe
428	attrib.exe
3668	attrib.exe
4876	attrib.exe
3464	attrib.exe
4792	attrib.exe
1552	attrib.exe
1452	attrib.exe
3596	attrib.exe
4352	attrib.exe
3680	attrib.exe
3924	attrib.exe
5060	attrib.exe
1456	attrib.exe
4928	attrib.exe
4476	attrib.exe
3340	attrib.exe
1576	attrib.exe
1512	attrib.exe
3852	attrib.exe
4120	attrib.exe
2064	attrib.exe
2864	attrib.exe
4656	attrib.exe
4524	attrib.exe
5004	attrib.exe
4316	attrib.exe
5092	attrib.exe
4880	attrib.exe
1740	attrib.exe
1308	attrib.exe
3176	attrib.exe
4612	attrib.exe
2796	attrib.exe
3320	attrib.exe
3752	attrib.exe
1260	attrib.exe
4328	attrib.exe
3156	attrib.exe
1732	attrib.exe
872	attrib.exe
3328	attrib.exe
2128	attrib.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads