e76f9265ddc05d553301c57409802543fb265b5e847041578c71b09345792b11

Analysis

max time kernel
149s
max time network
85s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

085a4fe2009740a36e0bf796dc1d2404.exe
Size

72KB
MD5

085a4fe2009740a36e0bf796dc1d2404
SHA1

cb7255f1832a68e9921fd0c88f6dfaa43d90759f
SHA256

e76f9265ddc05d553301c57409802543fb265b5e847041578c71b09345792b11
SHA512

56ef7f345115dc8f7192737457648d156a1635b51b58d023ef19c50a77d32995e0f7312a476566a201821458d9ea697ecee8d062f18112f133f7e1c08986f77c
SSDEEP

768:rDMlHSuJKqyLohGHWhrYfnqQRsyrN9uDoQ0EPEib/WPBs/4NoD:rkHTJKqOhmWq9S9uDo4EP+MoD

Score

8^/10

evasion

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3988	REG.exe
2216	REG.exe
4564	REG.exe
4012	REG.exe
4152	REG.exe
2536	REG.exe
3796	REG.exe
4152	REG.exe
3396	REG.exe
3672	REG.exe
4564	REG.exe
688	REG.exe
2896	REG.exe
996	REG.exe
1572	REG.exe
3700	REG.exe
2536	REG.exe
2892	REG.exe
3344	REG.exe
1408	REG.exe
4456	REG.exe
3176	REG.exe
4808	REG.exe
5056	REG.exe
3528	REG.exe
5036	REG.exe
5052	REG.exe
4352	REG.exe
4012	REG.exe
2604	REG.exe
864	REG.exe
540	REG.exe
3372	REG.exe
1456	REG.exe
4736	REG.exe
3672	REG.exe
2400	REG.exe
4720	REG.exe
4696	REG.exe
3092	REG.exe
924	REG.exe
3964	REG.exe
4524	REG.exe
2328	REG.exe
3368	REG.exe
4792	REG.exe
3188	REG.exe
4040	REG.exe
2684	REG.exe
3204	REG.exe
4360	REG.exe
2280	REG.exe
4440	REG.exe
2220	REG.exe
1840	REG.exe
3064	REG.exe
3980	REG.exe
4708	REG.exe
2892	REG.exe
1408	REG.exe
2404	REG.exe
3504	REG.exe
4144	REG.exe
2636	REG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4328	085a4fe2009740a36e0bf796dc1d2404.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4328 wrote to memory of 4696	4328	085a4fe2009740a36e0bf796dc1d2404.exe	20
PID 4328 wrote to memory of 4696	4328	085a4fe2009740a36e0bf796dc1d2404.exe	20
PID 4328 wrote to memory of 4696	4328	085a4fe2009740a36e0bf796dc1d2404.exe	20
PID 4328 wrote to memory of 4792	4328	085a4fe2009740a36e0bf796dc1d2404.exe	39
PID 4328 wrote to memory of 4792	4328	085a4fe2009740a36e0bf796dc1d2404.exe	39
PID 4328 wrote to memory of 4792	4328	085a4fe2009740a36e0bf796dc1d2404.exe	39
PID 4328 wrote to memory of 3964	4328	085a4fe2009740a36e0bf796dc1d2404.exe	153
PID 4328 wrote to memory of 3964	4328	085a4fe2009740a36e0bf796dc1d2404.exe	153
PID 4328 wrote to memory of 3964	4328	085a4fe2009740a36e0bf796dc1d2404.exe	153
PID 4328 wrote to memory of 4760	4328	085a4fe2009740a36e0bf796dc1d2404.exe	82
PID 4328 wrote to memory of 4760	4328	085a4fe2009740a36e0bf796dc1d2404.exe	82
PID 4328 wrote to memory of 4760	4328	085a4fe2009740a36e0bf796dc1d2404.exe	82
PID 4328 wrote to memory of 3988	4328	085a4fe2009740a36e0bf796dc1d2404.exe	190
PID 4328 wrote to memory of 3988	4328	085a4fe2009740a36e0bf796dc1d2404.exe	190
PID 4328 wrote to memory of 3988	4328	085a4fe2009740a36e0bf796dc1d2404.exe	190
PID 4328 wrote to memory of 4188	4328	085a4fe2009740a36e0bf796dc1d2404.exe	103
PID 4328 wrote to memory of 4188	4328	085a4fe2009740a36e0bf796dc1d2404.exe	103
PID 4328 wrote to memory of 4188	4328	085a4fe2009740a36e0bf796dc1d2404.exe	103
PID 4328 wrote to memory of 4352	4328	085a4fe2009740a36e0bf796dc1d2404.exe	169
PID 4328 wrote to memory of 4352	4328	085a4fe2009740a36e0bf796dc1d2404.exe	169
PID 4328 wrote to memory of 4352	4328	085a4fe2009740a36e0bf796dc1d2404.exe	169
PID 4328 wrote to memory of 3176	4328	085a4fe2009740a36e0bf796dc1d2404.exe	107
PID 4328 wrote to memory of 3176	4328	085a4fe2009740a36e0bf796dc1d2404.exe	107
PID 4328 wrote to memory of 3176	4328	085a4fe2009740a36e0bf796dc1d2404.exe	107
PID 4328 wrote to memory of 2216	4328	085a4fe2009740a36e0bf796dc1d2404.exe	111
PID 4328 wrote to memory of 2216	4328	085a4fe2009740a36e0bf796dc1d2404.exe	111
PID 4328 wrote to memory of 2216	4328	085a4fe2009740a36e0bf796dc1d2404.exe	111
PID 4328 wrote to memory of 3188	4328	085a4fe2009740a36e0bf796dc1d2404.exe	143
PID 4328 wrote to memory of 3188	4328	085a4fe2009740a36e0bf796dc1d2404.exe	143
PID 4328 wrote to memory of 3188	4328	085a4fe2009740a36e0bf796dc1d2404.exe	143
PID 4328 wrote to memory of 1408	4328	085a4fe2009740a36e0bf796dc1d2404.exe	176
PID 4328 wrote to memory of 1408	4328	085a4fe2009740a36e0bf796dc1d2404.exe	176
PID 4328 wrote to memory of 1408	4328	085a4fe2009740a36e0bf796dc1d2404.exe	176
PID 4328 wrote to memory of 2560	4328	085a4fe2009740a36e0bf796dc1d2404.exe	119
PID 4328 wrote to memory of 2560	4328	085a4fe2009740a36e0bf796dc1d2404.exe	119
PID 4328 wrote to memory of 2560	4328	085a4fe2009740a36e0bf796dc1d2404.exe	119
PID 4328 wrote to memory of 2708	4328	085a4fe2009740a36e0bf796dc1d2404.exe	122
PID 4328 wrote to memory of 2708	4328	085a4fe2009740a36e0bf796dc1d2404.exe	122
PID 4328 wrote to memory of 2708	4328	085a4fe2009740a36e0bf796dc1d2404.exe	122
PID 4328 wrote to memory of 3700	4328	085a4fe2009740a36e0bf796dc1d2404.exe	124
PID 4328 wrote to memory of 3700	4328	085a4fe2009740a36e0bf796dc1d2404.exe	124
PID 4328 wrote to memory of 3700	4328	085a4fe2009740a36e0bf796dc1d2404.exe	124

C:\Users\Admin\AppData\Local\Temp\085a4fe2009740a36e0bf796dc1d2404.exe
"C:\Users\Admin\AppData\Local\Temp\085a4fe2009740a36e0bf796dc1d2404.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4328
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4696
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4792
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3964
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4760
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3988
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4188
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4352
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3176
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2216
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3188
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1408
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2560
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2708
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3700
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2404
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4012
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4388
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3988
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:864
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3208
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4704
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4912
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4524
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1408
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2536
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4564
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3796
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:540
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1764
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3092
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4800
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2220
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2892
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4152
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4720
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3372
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4428
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1408
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3544
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4564
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2508
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4092
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5056
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3672
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2604
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3988
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4800
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2328
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2892
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3980
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1284
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2280
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3372
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4324
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3504
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2476
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3096
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4144
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2896
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3344
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3396
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4252
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2684
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4808
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2136
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1092
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:528
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2532
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3384
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2404
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4012
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3068
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1456
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2264
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2968
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2684
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2636
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:688
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4344
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2620
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4064
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2404
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:5056
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4736
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5060
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3204
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4708
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1180
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4152
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3728
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4820
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:628
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3940
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3096
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2896
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1900
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4356
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4736
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1172
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2816
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2164
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3868
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2564
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2832
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:996
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3672
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4736
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5016
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2400
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:752
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3528
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2604
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4720
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3428
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:924
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1840
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1408
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1652
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2356
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2004
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2892
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1664
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5004
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5024
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4384
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2836
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1868
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4040
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3064
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3368
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5092
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:5036
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4252
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1420
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:636
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1700
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3964
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4456
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3744
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3164
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4360
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:5028
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:4788
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:4440
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2536
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:3672
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1572
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:5052
- C:\Windows\SysWOW64\REG.exe
  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...