description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

pid	Process
4828	schtasks.exe
2168	schtasks.exe
3636	schtasks.exe
4880	schtasks.exe
2432	schtasks.exe
2008	schtasks.exe
2676	schtasks.exe
3904	schtasks.exe
3528	schtasks.exe
2272	schtasks.exe
392	schtasks.exe
3724	schtasks.exe
4536	schtasks.exe
1592	schtasks.exe
4308	schtasks.exe
2492	schtasks.exe
2368	schtasks.exe
3868	schtasks.exe
1960	schtasks.exe
1252	schtasks.exe
2184	schtasks.exe
4368	schtasks.exe
1532	schtasks.exe
1948	schtasks.exe
2504	schtasks.exe
3620	schtasks.exe
1632	schtasks.exe
1336	schtasks.exe
60	schtasks.exe
4828	schtasks.exe
2912	schtasks.exe
4908	schtasks.exe
2520	schtasks.exe
1632	schtasks.exe
752	schtasks.exe
3088	schtasks.exe
4884	schtasks.exe
2132	schtasks.exe
1060	schtasks.exe
2512	schtasks.exe
2284	schtasks.exe
1036	schtasks.exe
2544	schtasks.exe
3536	schtasks.exe
2632	schtasks.exe
4276	schtasks.exe
5084	schtasks.exe
4580	schtasks.exe
848	schtasks.exe
4636	schtasks.exe
4376	schtasks.exe
4976	schtasks.exe
64	schtasks.exe
4444	schtasks.exe
4236	schtasks.exe
3932	schtasks.exe
1572	schtasks.exe
2564	schtasks.exe
3104	schtasks.exe
3200	schtasks.exe
3832	schtasks.exe
680	schtasks.exe
3496	schtasks.exe
1248	schtasks.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1204	WMIC.exe
Token: SeSecurityPrivilege	1204	WMIC.exe
Token: SeTakeOwnershipPrivilege	1204	WMIC.exe
Token: SeLoadDriverPrivilege	1204	WMIC.exe
Token: SeSystemProfilePrivilege	1204	WMIC.exe
Token: SeSystemtimePrivilege	1204	WMIC.exe
Token: SeProfSingleProcessPrivilege	1204	WMIC.exe
Token: SeIncBasePriorityPrivilege	1204	WMIC.exe
Token: SeCreatePagefilePrivilege	1204	WMIC.exe
Token: SeBackupPrivilege	1204	WMIC.exe
Token: SeRestorePrivilege	1204	WMIC.exe
Token: SeShutdownPrivilege	1204	WMIC.exe
Token: SeDebugPrivilege	1204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1204	WMIC.exe
Token: SeRemoteShutdownPrivilege	1204	WMIC.exe
Token: SeUndockPrivilege	1204	WMIC.exe
Token: SeManageVolumePrivilege	1204	WMIC.exe
Token: 33	1204	WMIC.exe
Token: 34	1204	WMIC.exe
Token: 35	1204	WMIC.exe
Token: 36	1204	WMIC.exe

description	pid	Process	procid_target
PID 3408 wrote to memory of 3432	3408	cmd.exe	83
PID 3408 wrote to memory of 3432	3408	cmd.exe	83
PID 3408 wrote to memory of 2648	3408	cmd.exe	84
PID 3408 wrote to memory of 2648	3408	cmd.exe	84
PID 3408 wrote to memory of 2904	3408	cmd.exe	85
PID 3408 wrote to memory of 2904	3408	cmd.exe	85
PID 2904 wrote to memory of 4388	2904	net.exe	86
PID 2904 wrote to memory of 4388	2904	net.exe	86
PID 3408 wrote to memory of 2448	3408	cmd.exe	87
PID 3408 wrote to memory of 2448	3408	cmd.exe	87
PID 3408 wrote to memory of 1272	3408	cmd.exe	88
PID 3408 wrote to memory of 1272	3408	cmd.exe	88
PID 3408 wrote to memory of 1204	3408	cmd.exe	89
PID 3408 wrote to memory of 1204	3408	cmd.exe	89
PID 3408 wrote to memory of 2880	3408	cmd.exe	93
PID 3408 wrote to memory of 2880	3408	cmd.exe	93
PID 3408 wrote to memory of 848	3408	cmd.exe	94
PID 3408 wrote to memory of 848	3408	cmd.exe	94
PID 3408 wrote to memory of 2548	3408	cmd.exe	95
PID 3408 wrote to memory of 2548	3408	cmd.exe	95
PID 3408 wrote to memory of 2004	3408	cmd.exe	96
PID 3408 wrote to memory of 2004	3408	cmd.exe	96
PID 3408 wrote to memory of 4172	3408	cmd.exe	97
PID 3408 wrote to memory of 4172	3408	cmd.exe	97
PID 3408 wrote to memory of 1572	3408	cmd.exe	98
PID 3408 wrote to memory of 1572	3408	cmd.exe	98
PID 3408 wrote to memory of 1072	3408	cmd.exe	99
PID 3408 wrote to memory of 1072	3408	cmd.exe	99
PID 3408 wrote to memory of 3496	3408	cmd.exe	100
PID 3408 wrote to memory of 3496	3408	cmd.exe	100
PID 3408 wrote to memory of 1632	3408	cmd.exe	101
PID 3408 wrote to memory of 1632	3408	cmd.exe	101
PID 3408 wrote to memory of 2504	3408	cmd.exe	102
PID 3408 wrote to memory of 2504	3408	cmd.exe	102
PID 3408 wrote to memory of 1336	3408	cmd.exe	103
PID 3408 wrote to memory of 1336	3408	cmd.exe	103
PID 3408 wrote to memory of 2492	3408	cmd.exe	104
PID 3408 wrote to memory of 2492	3408	cmd.exe	104
PID 3408 wrote to memory of 2676	3408	cmd.exe	105
PID 3408 wrote to memory of 2676	3408	cmd.exe	105
PID 3408 wrote to memory of 996	3408	cmd.exe	106
PID 3408 wrote to memory of 996	3408	cmd.exe	106
PID 3408 wrote to memory of 4236	3408	cmd.exe	107
PID 3408 wrote to memory of 4236	3408	cmd.exe	107
PID 3408 wrote to memory of 2912	3408	cmd.exe	108
PID 3408 wrote to memory of 2912	3408	cmd.exe	108
PID 3408 wrote to memory of 1388	3408	cmd.exe	109
PID 3408 wrote to memory of 1388	3408	cmd.exe	109
PID 3408 wrote to memory of 2932	3408	cmd.exe	110
PID 3408 wrote to memory of 2932	3408	cmd.exe	110
PID 3408 wrote to memory of 2068	3408	cmd.exe	111
PID 3408 wrote to memory of 2068	3408	cmd.exe	111
PID 3408 wrote to memory of 2240	3408	cmd.exe	112
PID 3408 wrote to memory of 2240	3408	cmd.exe	112
PID 3408 wrote to memory of 4932	3408	cmd.exe	113
PID 3408 wrote to memory of 4932	3408	cmd.exe	113
PID 3408 wrote to memory of 2272	3408	cmd.exe	114
PID 3408 wrote to memory of 2272	3408	cmd.exe	114
PID 3408 wrote to memory of 4316	3408	cmd.exe	115
PID 3408 wrote to memory of 4316	3408	cmd.exe	115
PID 3408 wrote to memory of 3636	3408	cmd.exe	116
PID 3408 wrote to memory of 3636	3408	cmd.exe	116
PID 3408 wrote to memory of 1600	3408	cmd.exe	117
PID 3408 wrote to memory of 1600	3408	cmd.exe	117

pid	Process
4236	attrib.exe
4132	attrib.exe
4480	attrib.exe
1848	attrib.exe
2208	attrib.exe
2708	attrib.exe
2880	attrib.exe
2664	attrib.exe
720	attrib.exe
3452	attrib.exe
3536	attrib.exe
4656	attrib.exe
3004	attrib.exe
3624	attrib.exe
1600	attrib.exe
2248	attrib.exe
532	attrib.exe
2000	attrib.exe
3800	attrib.exe
736	attrib.exe
5028	attrib.exe
2572	attrib.exe
1336	attrib.exe
1132	attrib.exe
3764	attrib.exe
712	attrib.exe
1592	attrib.exe
492	attrib.exe
2584	attrib.exe
4488	attrib.exe
1328	attrib.exe
1828	attrib.exe
4364	attrib.exe
3936	attrib.exe
4160	attrib.exe
1928	attrib.exe
3172	attrib.exe
5116	attrib.exe
4024	attrib.exe
4780	attrib.exe
1440	attrib.exe
4024	attrib.exe
4260	attrib.exe
1600	attrib.exe
2532	attrib.exe
804	attrib.exe
2028	attrib.exe
2756	attrib.exe
3596	attrib.exe
796	attrib.exe
2404	attrib.exe
2208	attrib.exe
4080	attrib.exe
60	attrib.exe
3632	attrib.exe
3352	attrib.exe
3196	attrib.exe
3012	attrib.exe
2884	attrib.exe
4552	attrib.exe
1504	attrib.exe
2592	attrib.exe
1632	attrib.exe
4564	attrib.exe

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads