Analysis
-
max time kernel
127s -
max time network
138s -
platform
windows10_x64 -
resource
win10 -
submitted
08-07-2020 05:20
Static task
static1
Behavioral task
behavioral1
Sample
c1c758539076d2ab8613711aca0af67e.jar
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
c1c758539076d2ab8613711aca0af67e.jar
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
c1c758539076d2ab8613711aca0af67e.jar
-
Size
407KB
-
MD5
c1c758539076d2ab8613711aca0af67e
-
SHA1
5a6431b64e7273205c559f1061ef68710154a261
-
SHA256
9f63d276056896914080bacd283c2c0cc4bf2122ae7513bced4f138ca53e8fc2
-
SHA512
e6153e03674da40012d39274c2402677d6a2ccc5f48ee92cc2ccde68198afed387ad72a052752b6d9219ff301e8e223906d51b82855aa393fbdad1af6f34fc9f
Score
8/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 320 IoCs
Processes:
java.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3020 wrote to memory of 3708 3020 java.exe cmd.exe PID 3020 wrote to memory of 3708 3020 java.exe cmd.exe PID 3020 wrote to memory of 628 3020 java.exe cmd.exe PID 3020 wrote to memory of 628 3020 java.exe cmd.exe PID 628 wrote to memory of 856 628 cmd.exe WMIC.exe PID 628 wrote to memory of 856 628 cmd.exe WMIC.exe PID 3020 wrote to memory of 380 3020 java.exe cmd.exe PID 3020 wrote to memory of 380 3020 java.exe cmd.exe PID 380 wrote to memory of 1164 380 cmd.exe WMIC.exe PID 380 wrote to memory of 1164 380 cmd.exe WMIC.exe PID 3020 wrote to memory of 1428 3020 java.exe attrib.exe PID 3020 wrote to memory of 1428 3020 java.exe attrib.exe PID 3020 wrote to memory of 1660 3020 java.exe attrib.exe PID 3020 wrote to memory of 1660 3020 java.exe attrib.exe PID 3020 wrote to memory of 2004 3020 java.exe attrib.exe PID 3020 wrote to memory of 2004 3020 java.exe attrib.exe PID 3020 wrote to memory of 2060 3020 java.exe attrib.exe PID 3020 wrote to memory of 2060 3020 java.exe attrib.exe PID 3020 wrote to memory of 2076 3020 java.exe attrib.exe PID 3020 wrote to memory of 2076 3020 java.exe attrib.exe PID 3020 wrote to memory of 2136 3020 java.exe attrib.exe PID 3020 wrote to memory of 2136 3020 java.exe attrib.exe PID 3020 wrote to memory of 2624 3020 java.exe attrib.exe PID 3020 wrote to memory of 2624 3020 java.exe attrib.exe PID 3020 wrote to memory of 2184 3020 java.exe attrib.exe PID 3020 wrote to memory of 2184 3020 java.exe attrib.exe PID 3020 wrote to memory of 2520 3020 java.exe cmd.exe PID 3020 wrote to memory of 2520 3020 java.exe cmd.exe PID 2520 wrote to memory of 3496 2520 cmd.exe reg.exe PID 2520 wrote to memory of 3496 2520 cmd.exe reg.exe PID 3020 wrote to memory of 3640 3020 java.exe reg.exe PID 3020 wrote to memory of 3640 3020 java.exe reg.exe PID 3020 wrote to memory of 2776 3020 java.exe reg.exe PID 3020 wrote to memory of 2776 3020 java.exe reg.exe PID 3020 wrote to memory of 748 3020 java.exe taskkill.exe PID 3020 wrote to memory of 748 3020 java.exe taskkill.exe PID 3020 wrote to memory of 3568 3020 java.exe reg.exe PID 3020 wrote to memory of 3568 3020 java.exe reg.exe PID 3020 wrote to memory of 3452 3020 java.exe reg.exe PID 3020 wrote to memory of 3452 3020 java.exe reg.exe PID 2520 wrote to memory of 1756 2520 cmd.exe reg.exe PID 2520 wrote to memory of 1756 2520 cmd.exe reg.exe PID 3020 wrote to memory of 1856 3020 java.exe cmd.exe PID 3020 wrote to memory of 1856 3020 java.exe cmd.exe PID 1856 wrote to memory of 2132 1856 cmd.exe reg.exe PID 1856 wrote to memory of 2132 1856 cmd.exe reg.exe PID 1856 wrote to memory of 2008 1856 cmd.exe reg.exe PID 1856 wrote to memory of 2008 1856 cmd.exe reg.exe PID 3020 wrote to memory of 2448 3020 java.exe cmd.exe PID 3020 wrote to memory of 2448 3020 java.exe cmd.exe PID 2448 wrote to memory of 2108 2448 cmd.exe reg.exe PID 2448 wrote to memory of 2108 2448 cmd.exe reg.exe PID 2448 wrote to memory of 2180 2448 cmd.exe reg.exe PID 2448 wrote to memory of 2180 2448 cmd.exe reg.exe PID 3020 wrote to memory of 2480 3020 java.exe cmd.exe PID 3020 wrote to memory of 2480 3020 java.exe cmd.exe PID 2480 wrote to memory of 1828 2480 cmd.exe reg.exe PID 2480 wrote to memory of 1828 2480 cmd.exe reg.exe PID 2480 wrote to memory of 2124 2480 cmd.exe reg.exe PID 2480 wrote to memory of 2124 2480 cmd.exe reg.exe PID 3020 wrote to memory of 2840 3020 java.exe cmd.exe PID 3020 wrote to memory of 2840 3020 java.exe cmd.exe PID 2840 wrote to memory of 3592 2840 cmd.exe reg.exe PID 2840 wrote to memory of 3592 2840 cmd.exe reg.exe -
Suspicious use of AdjustPrivilegeToken 86 IoCs
Processes:
WMIC.exeWMIC.exedescription pid process Token: SeIncreaseQuotaPrivilege 856 WMIC.exe Token: SeSecurityPrivilege 856 WMIC.exe Token: SeTakeOwnershipPrivilege 856 WMIC.exe Token: SeLoadDriverPrivilege 856 WMIC.exe Token: SeSystemProfilePrivilege 856 WMIC.exe Token: SeSystemtimePrivilege 856 WMIC.exe Token: SeProfSingleProcessPrivilege 856 WMIC.exe Token: SeIncBasePriorityPrivilege 856 WMIC.exe Token: SeCreatePagefilePrivilege 856 WMIC.exe Token: SeBackupPrivilege 856 WMIC.exe Token: SeRestorePrivilege 856 WMIC.exe Token: SeShutdownPrivilege 856 WMIC.exe Token: SeDebugPrivilege 856 WMIC.exe Token: SeSystemEnvironmentPrivilege 856 WMIC.exe Token: SeRemoteShutdownPrivilege 856 WMIC.exe Token: SeUndockPrivilege 856 WMIC.exe Token: SeManageVolumePrivilege 856 WMIC.exe Token: 33 856 WMIC.exe Token: 34 856 WMIC.exe Token: 35 856 WMIC.exe Token: 36 856 WMIC.exe Token: SeIncreaseQuotaPrivilege 856 WMIC.exe Token: SeSecurityPrivilege 856 WMIC.exe Token: SeTakeOwnershipPrivilege 856 WMIC.exe Token: SeLoadDriverPrivilege 856 WMIC.exe Token: SeSystemProfilePrivilege 856 WMIC.exe Token: SeSystemtimePrivilege 856 WMIC.exe Token: SeProfSingleProcessPrivilege 856 WMIC.exe Token: SeIncBasePriorityPrivilege 856 WMIC.exe Token: SeCreatePagefilePrivilege 856 WMIC.exe Token: SeBackupPrivilege 856 WMIC.exe Token: SeRestorePrivilege 856 WMIC.exe Token: SeShutdownPrivilege 856 WMIC.exe Token: SeDebugPrivilege 856 WMIC.exe Token: SeSystemEnvironmentPrivilege 856 WMIC.exe Token: SeRemoteShutdownPrivilege 856 WMIC.exe Token: SeUndockPrivilege 856 WMIC.exe Token: SeManageVolumePrivilege 856 WMIC.exe Token: 33 856 WMIC.exe Token: 34 856 WMIC.exe Token: 35 856 WMIC.exe Token: 36 856 WMIC.exe Token: SeIncreaseQuotaPrivilege 1164 WMIC.exe Token: SeSecurityPrivilege 1164 WMIC.exe Token: SeTakeOwnershipPrivilege 1164 WMIC.exe Token: SeLoadDriverPrivilege 1164 WMIC.exe Token: SeSystemProfilePrivilege 1164 WMIC.exe Token: SeSystemtimePrivilege 1164 WMIC.exe Token: SeProfSingleProcessPrivilege 1164 WMIC.exe Token: SeIncBasePriorityPrivilege 1164 WMIC.exe Token: SeCreatePagefilePrivilege 1164 WMIC.exe Token: SeBackupPrivilege 1164 WMIC.exe Token: SeRestorePrivilege 1164 WMIC.exe Token: SeShutdownPrivilege 1164 WMIC.exe Token: SeDebugPrivilege 1164 WMIC.exe Token: SeSystemEnvironmentPrivilege 1164 WMIC.exe Token: SeRemoteShutdownPrivilege 1164 WMIC.exe Token: SeUndockPrivilege 1164 WMIC.exe Token: SeManageVolumePrivilege 1164 WMIC.exe Token: 33 1164 WMIC.exe Token: 34 1164 WMIC.exe Token: 35 1164 WMIC.exe Token: 36 1164 WMIC.exe Token: SeIncreaseQuotaPrivilege 1164 WMIC.exe -
Loads dropped DLL 1 IoCs
Processes:
java.exepid process 3020 java.exe -
Kills process with taskkill 2 IoCs
Processes:
taskkill.exetaskkill.exepid process 748 taskkill.exe 1620 taskkill.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
reg.exereg.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe reg.exe -
Checks for installed software on the system 1 TTPs 38 IoCs
Processes:
reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exedescription ioc process Key queried \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key enumerated \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key value queried \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName reg.exe Key value queried \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\DisplayName reg.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName reg.exe Key queried \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\DisplayName reg.exe Key opened \REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall reg.exe Key opened \REGISTRY\MACHINE\software\WOW6432Node\microsoft\windows\currentversion\uninstall reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName reg.exe Key opened \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\uninstall reg.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName reg.exe Key enumerated \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName reg.exe Key opened \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\software\microsoft\windows\currentversion\uninstall reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}\DisplayName reg.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName reg.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
java.exepid process 3020 java.exe -
Views/modifies file attributes 1 TTPs 8 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 2004 attrib.exe 2060 attrib.exe 2076 attrib.exe 2136 attrib.exe 2624 attrib.exe 2184 attrib.exe 1428 attrib.exe 1660 attrib.exe -
Adds Run entry to start application 2 TTPs 4 IoCs
Processes:
java.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\QHlTGqb = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\WSDUo\\rfIqA.class\"" java.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run java.exe Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\QHlTGqb = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\WSDUo\\rfIqA.class\"" java.exe Key created \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce java.exe -
Drops desktop.ini file(s) 4 IoCs
Processes:
java.exeattrib.exeattrib.exedescription ioc process File opened for modification C:\Users\Admin\WSDUo\Desktop.ini java.exe File created C:\Users\Admin\WSDUo\Desktop.ini java.exe File opened for modification C:\Users\Admin\WSDUo\Desktop.ini attrib.exe File opened for modification C:\Users\Admin\WSDUo\Desktop.ini attrib.exe -
Drops file in System32 directory 2 IoCs
Processes:
java.exedescription ioc process File created C:\Windows\System32\vEVIV java.exe File opened for modification C:\Windows\System32\vEVIV java.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\c1c758539076d2ab8613711aca0af67e.jar1⤵
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Adds Run entry to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
PID:3020 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:3708
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:856 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164 -
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
PID:1428 -
C:\Windows\SYSTEM32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
PID:1660 -
C:\Windows\SYSTEM32\attrib.exeattrib -s -r C:\Users\Admin\WSDUo\Desktop.ini2⤵
- Views/modifies file attributes
- Drops desktop.ini file(s)
PID:2004 -
C:\Windows\SYSTEM32\attrib.exeattrib +s +r C:\Users\Admin\WSDUo\Desktop.ini2⤵
- Views/modifies file attributes
- Drops desktop.ini file(s)
PID:2060 -
C:\Windows\SYSTEM32\attrib.exeattrib -s -r C:\Users\Admin\WSDUo2⤵
- Views/modifies file attributes
PID:2076 -
C:\Windows\SYSTEM32\attrib.exeattrib +s +r C:\Users\Admin\WSDUo2⤵
- Views/modifies file attributes
PID:2136 -
C:\Windows\SYSTEM32\attrib.exeattrib +h C:\Users\Admin\WSDUo2⤵
- Views/modifies file attributes
PID:2624 -
C:\Windows\SYSTEM32\attrib.exeattrib +h +s +r C:\Users\Admin\WSDUo\rfIqA.class2⤵
- Views/modifies file attributes
PID:2184 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
- Checks for installed software on the system
PID:3496 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
- Checks for installed software on the system
PID:1756 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
PID:3640 -
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
PID:748 -
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵PID:2776
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵PID:3568
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
- Sets file execution options in registry
PID:3452 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:643⤵
- Checks for installed software on the system
PID:2132 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall\OneDriveSetup.exe" /reg:323⤵
- Checks for installed software on the system
PID:2008 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
- Checks for installed software on the system
PID:2108 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
- Checks for installed software on the system
PID:2180 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵
- Checks for installed software on the system
PID:1828 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵PID:2124
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵PID:3592
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵PID:3348
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:472
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵PID:3640
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵PID:996
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1620 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:1368
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵PID:1748
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵PID:2176
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:2700
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵PID:1556
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵PID:748
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:3936
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵PID:2180
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵PID:2708
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:1828
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵PID:1168
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵PID:792
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:3996
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵PID:3976
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵PID:64
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:2132
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵PID:2148
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵PID:492
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:2484
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵PID:3848
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵PID:1716
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:2708
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵PID:1192
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵PID:1316
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:2452
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵
- Checks for installed software on the system
PID:1400 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵PID:2148
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:752
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵
- Checks for installed software on the system
PID:3388 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵PID:3348
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:1192
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵PID:3496
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵PID:1604
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:2516
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:643⤵
- Checks for installed software on the system
PID:1584 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\ProPlusRetail - en-us" /reg:323⤵PID:492
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:3844
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:643⤵PID:1584
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:323⤵PID:2808
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:1432
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:643⤵
- Checks for installed software on the system
PID:3496 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:323⤵PID:4112
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4132
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵PID:4172
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵PID:4192
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4212
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵
- Checks for installed software on the system
PID:4248 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵PID:4268
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4288
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵
- Checks for installed software on the system
PID:4324 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵PID:4344
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4364
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:643⤵
- Checks for installed software on the system
PID:4400 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F86418066F0}" /reg:323⤵PID:4420
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4440
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵
- Checks for installed software on the system
PID:4476 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵PID:4496
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4516
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵
- Checks for installed software on the system
PID:4552 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵PID:4572
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4592
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵
- Checks for installed software on the system
PID:4628 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵PID:4648
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4664
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:643⤵
- Checks for installed software on the system
PID:4700 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180660}" /reg:323⤵PID:4728
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4748
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:643⤵
- Checks for installed software on the system
PID:4784 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-007E-0000-1000-0000000FF1CE}" /reg:323⤵PID:4804
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4824
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:643⤵
- Checks for installed software on the system
PID:4860 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0000-1000-0000000FF1CE}" /reg:323⤵PID:4880
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4900
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:643⤵
- Checks for installed software on the system
PID:4936 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90160000-008C-0409-1000-0000000FF1CE}" /reg:323⤵PID:4956
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4972
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵
- Checks for installed software on the system
PID:5008 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵PID:5036
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:5056
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵
- Checks for installed software on the system
PID:5092 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵PID:5112
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4104
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵
- Checks for installed software on the system
PID:4140 -
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵PID:4200
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4220
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵PID:4272
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵
- Checks for installed software on the system
PID:4304 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4352
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵PID:4404
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵PID:4424
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4456
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵PID:4508
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵PID:4556
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4576
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵PID:4640
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵PID:4648
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4704
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵PID:4756
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵PID:4796
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4816
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵PID:4860
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵PID:4908
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4948
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵PID:5016
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵PID:5008
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:5064
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵PID:4108
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵PID:4176
-
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4140
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:643⤵PID:4296
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{4A03706F-666A-4037-7777-5F2748764D10}" /reg:323⤵
- Checks for installed software on the system
PID:4340 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4412
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:643⤵PID:4424
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}" /reg:323⤵
- Checks for installed software on the system
PID:4560 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4552
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵PID:4680
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵
- Checks for installed software on the system
PID:4648 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4800
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵PID:4868
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵
- Checks for installed software on the system
PID:4944 -
C:\Windows\SYSTEM32\cmd.execmd.exe2⤵PID:4908
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵PID:5040
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵
- Checks for installed software on the system
PID:5108