a54cc3766dc4b1270fb203d8a6fe237952c640c7a116c2bbc948026323d5642b

Analysis

max time kernel
604s
max time network
621s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-04-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

update.exe
Size

164.7MB
MD5

e797f43c14812e2d2a8635cb208b1b4a
SHA1

e47dfbd6b0c44e8bdc51eb201f6227c5ee9fb22f
SHA256

934d4dbacab813549ae7d96c1278d84c0fdeecf09cd920ff9c24f5074605fc10
SHA512

29398f346a81cca87e3ccf25b8b7bb49a0700d181b4d5643ed3bc017187a3ec86e8942cc8b2090fb6fe86d751c03bc163dae32b904168334ba29c3231bb99c52
SSDEEP

1572864:Dtc2cEGwGrRSREICCr3ka8YrcSAfII01aLadS5sDNd+Ipx9cF3LfxNEK2Ho8jlgY:V+CHrJIgIsV

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

update.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation update.exe
Loads dropped DLL 2 IoCs

Processes:

update.exe

pid process

4804 update.exe
4804 update.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

28 raw.githubusercontent.com
29 raw.githubusercontent.com
40 raw.githubusercontent.com
25 raw.githubusercontent.com
26 raw.githubusercontent.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ipinfo.io
10 ipinfo.io

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	update.exe

flow	ioc
28	raw.githubusercontent.com
29	raw.githubusercontent.com
40	raw.githubusercontent.com
25	raw.githubusercontent.com
26	raw.githubusercontent.com

flow	ioc
9	ipinfo.io
10	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

update.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	update.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6008 WMIC.exe

pid	process
6008	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
7988	tasklist.exe
6580	tasklist.exe
7220	tasklist.exe
5340	tasklist.exe
8576	tasklist.exe
8168	tasklist.exe
332	tasklist.exe
2460	tasklist.exe
6428	tasklist.exe
7252	tasklist.exe
7048	tasklist.exe
6960	tasklist.exe
6708	tasklist.exe
6436	tasklist.exe
6996	tasklist.exe
6804	tasklist.exe
6592	tasklist.exe
4920	tasklist.exe
5744	tasklist.exe
5440	tasklist.exe
6912	tasklist.exe
6880	tasklist.exe
6820	tasklist.exe
6128	tasklist.exe
7964	tasklist.exe
5172	tasklist.exe
4180	tasklist.exe
6612	tasklist.exe
7400	tasklist.exe
6444	tasklist.exe
6420	tasklist.exe
7400	tasklist.exe
7008	tasklist.exe
6756	tasklist.exe
7588	tasklist.exe
6696	tasklist.exe
7096	tasklist.exe
6828	tasklist.exe
6764	tasklist.exe
64	tasklist.exe
3376	tasklist.exe
7196	tasklist.exe
7752	tasklist.exe
4932	tasklist.exe
6396	tasklist.exe
6600	tasklist.exe
6680	tasklist.exe
7128	tasklist.exe
7308	tasklist.exe
8280	tasklist.exe
2468	tasklist.exe
7284	tasklist.exe
6896	tasklist.exe
8820	tasklist.exe
7012	tasklist.exe
4272	tasklist.exe
6588	tasklist.exe
7300	tasklist.exe
7572	tasklist.exe
7056	tasklist.exe
5148	tasklist.exe
8172	tasklist.exe
5356	tasklist.exe
7432	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

update.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeupdate.exe

pid	process
4804	update.exe
4804	update.exe
4804	update.exe
4804	update.exe
4804	update.exe
4804	update.exe
7704	powershell.exe
7704	powershell.exe
7704	powershell.exe
7704	powershell.exe
5816	powershell.exe
5816	powershell.exe
5816	powershell.exe
5816	powershell.exe
6132	powershell.exe
6132	powershell.exe
7100	powershell.exe
7100	powershell.exe
6132	powershell.exe
6132	powershell.exe
8844	powershell.exe
8844	powershell.exe
7100	powershell.exe
8844	powershell.exe
7100	powershell.exe
7100	powershell.exe
6132	powershell.exe
8844	powershell.exe
9264	powershell.exe
9264	powershell.exe
9264	powershell.exe
9264	powershell.exe
9140	powershell.exe
9140	powershell.exe
9140	powershell.exe
9140	powershell.exe
10932	update.exe
10932	update.exe
10932	update.exe
10932	update.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

update.exetasklist.exeWMIC.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeShutdownPrivilege	4804	update.exe
Token: SeCreatePagefilePrivilege	4804	update.exe
Token: SeDebugPrivilege	1028	tasklist.exe
Token: SeShutdownPrivilege	4804	update.exe
Token: SeCreatePagefilePrivilege	4804	update.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: 36	792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	792	WMIC.exe
Token: SeSecurityPrivilege	792	WMIC.exe
Token: SeTakeOwnershipPrivilege	792	WMIC.exe
Token: SeLoadDriverPrivilege	792	WMIC.exe
Token: SeSystemProfilePrivilege	792	WMIC.exe
Token: SeSystemtimePrivilege	792	WMIC.exe
Token: SeProfSingleProcessPrivilege	792	WMIC.exe
Token: SeIncBasePriorityPrivilege	792	WMIC.exe
Token: SeCreatePagefilePrivilege	792	WMIC.exe
Token: SeBackupPrivilege	792	WMIC.exe
Token: SeRestorePrivilege	792	WMIC.exe
Token: SeShutdownPrivilege	792	WMIC.exe
Token: SeDebugPrivilege	792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	792	WMIC.exe
Token: SeRemoteShutdownPrivilege	792	WMIC.exe
Token: SeUndockPrivilege	792	WMIC.exe
Token: SeManageVolumePrivilege	792	WMIC.exe
Token: 33	792	WMIC.exe
Token: 34	792	WMIC.exe
Token: 35	792	WMIC.exe
Token: 36	792	WMIC.exe
Token: SeShutdownPrivilege	4804	update.exe
Token: SeCreatePagefilePrivilege	4804	update.exe
Token: SeShutdownPrivilege	4804	update.exe
Token: SeCreatePagefilePrivilege	4804	update.exe
Token: SeDebugPrivilege	6420	tasklist.exe
Token: SeDebugPrivilege	6396	tasklist.exe
Token: SeDebugPrivilege	6616	tasklist.exe
Token: SeDebugPrivilege	6592	tasklist.exe
Token: SeDebugPrivilege	6412	tasklist.exe
Token: SeDebugPrivilege	6436	tasklist.exe
Token: SeDebugPrivilege	6608	tasklist.exe
Token: SeDebugPrivilege	6444	tasklist.exe
Token: SeDebugPrivilege	6664	tasklist.exe
Token: SeDebugPrivilege	6680	tasklist.exe
Token: SeDebugPrivilege	6632	tasklist.exe
Token: SeDebugPrivilege	6568	tasklist.exe
Token: SeDebugPrivilege	6404	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

update.execmd.execmd.exe

description	pid	process	target process
PID 4804 wrote to memory of 4744	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 4744	4804	update.exe	cmd.exe
PID 4744 wrote to memory of 1028	4744	cmd.exe	tasklist.exe
PID 4744 wrote to memory of 1028	4744	cmd.exe	tasklist.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3240	4804	update.exe	update.exe
PID 4804 wrote to memory of 3688	4804	update.exe	update.exe
PID 4804 wrote to memory of 3688	4804	update.exe	update.exe
PID 4804 wrote to memory of 2988	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 2988	4804	update.exe	cmd.exe
PID 2988 wrote to memory of 792	2988	cmd.exe	WMIC.exe
PID 2988 wrote to memory of 792	2988	cmd.exe	WMIC.exe
PID 4804 wrote to memory of 4504	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 4504	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 3620	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 3620	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 4688	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 4688	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 96	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 96	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 1052	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 1052	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 788	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 788	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 1800	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 1800	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 396	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 396	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 2972	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 2972	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 220	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 220	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 2144	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 2144	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 4408	4804	update.exe	cmd.exe
PID 4804 wrote to memory of 4408	4804	update.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1648 --field-trial-handle=1916,i,2460949232917325569,16714867123440851856,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --mojo-platform-channel-handle=2024 --field-trial-handle=1916,i,2460949232917325569,16714867123440851856,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4804 get ExecutablePath"
2⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=4804 get ExecutablePath
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4504

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3620

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4688

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:96

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1052

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:788

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1800

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:396

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2972

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:220

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2144

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4408

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4360

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4132

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4952

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3680

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:200

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:6592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3272

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1504

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2888

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2752

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3952

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4460

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4864

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3268

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3344

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1060

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1644

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1884

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2328

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4476

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4176

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5024

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1084

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2308

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4060

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4956

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2968

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2612

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4796

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:888

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1628

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1980

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2396

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:964

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2096

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4256

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2864

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4544

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2368

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1020

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:832

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3296

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3308

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4356

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1512

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2404

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4928

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:836

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5072

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2904

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4336

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2816

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2184

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1524

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1940

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3056

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3596

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2040

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4280

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2392

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2336

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3276

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3768

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3912

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4196

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1624

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4228

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4272

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:316

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:840

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3336

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2344

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3032

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1772

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4852

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4456

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5012

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5128

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5152

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5168

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5188

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
2⤵
PID:5212

C:\Windows\system32\net.exe
net session
3⤵
PID:6928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:7988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
2⤵
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:5236

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:6888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
PID:5264

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
PID:6724

C:\Windows\system32\more.com
more +1
3⤵
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
PID:8760

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:8412

C:\Windows\system32\more.com
more +1
3⤵
PID:6112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
PID:6724

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:6008

C:\Windows\system32\more.com
more +1
3⤵
PID:5264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
2⤵
PID:8412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
2⤵
PID:7548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5264

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4804 get ExecutablePath"
2⤵
PID:9652

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=4804 get ExecutablePath
3⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:9980

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:9916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:9508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:9760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
2⤵
PID:9596

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
3⤵
PID:9308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
2⤵
PID:7316

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
3⤵
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
2⤵
PID:7696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
3⤵
PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
2⤵
PID:7652

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
3⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
2⤵
PID:7836

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
3⤵
PID:9472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
2⤵
PID:7956

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
3⤵
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
2⤵
PID:7172

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
3⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
2⤵
PID:9608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
3⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
2⤵
PID:1988

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
3⤵
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
2⤵
PID:7120

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
3⤵
PID:4420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
2⤵
PID:1536

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
3⤵
PID:8212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
2⤵
PID:228

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
3⤵
PID:7352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
2⤵
PID:880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
3⤵
PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
2⤵
PID:5580

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
3⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
2⤵
PID:3344

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
3⤵
PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
2⤵
PID:1428

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
3⤵
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
2⤵
PID:5696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
3⤵
PID:7080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
2⤵
PID:1624

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
3⤵
PID:6640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
2⤵
PID:788

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
3⤵
PID:7348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
2⤵
PID:832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
3⤵
PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
2⤵
PID:6860

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
3⤵
PID:7996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
2⤵
PID:3844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
3⤵
PID:9032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
2⤵
PID:368

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
3⤵
PID:7364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
2⤵
PID:5064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
3⤵
PID:6676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
2⤵
PID:6672

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
3⤵
PID:9004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
2⤵
PID:2020

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
3⤵
PID:7780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
2⤵
PID:7036

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
3⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
2⤵
PID:4460

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
3⤵
PID:7344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
2⤵
PID:6904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
3⤵
PID:5944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
2⤵
PID:8404

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
3⤵
PID:6236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
2⤵
PID:8196

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
3⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\fLJpVrEJZ5Kp_tezmp.ps1""
2⤵
PID:7812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\fLJpVrEJZ5Kp_tezmp.ps1"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:6132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5184

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3804

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6064

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8628

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5588

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7220

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6656

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7636

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7340

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7108

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4128

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3592

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4892

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6592

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3760

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7640

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4976

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:9652

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6212

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6168

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7776

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7772

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7816

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:800

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5208

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4416

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6956

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:6588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1408

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9700

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4948

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5540

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7240

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6160

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7076

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5080

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:9596

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6492

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1400

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9888

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9624

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6648

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4136

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7056

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:5756

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9716

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:4260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9664

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9868

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9832

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1504

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9228

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7652

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9224

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8340

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7732

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5504

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4388

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4100

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5204

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4928

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:400

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6024

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6016

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9524

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9760

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9592

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:9472

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8252

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9548

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:9040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9792

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6436

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4812

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1980

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2384

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5512

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9300

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4840

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5308

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4360

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9112

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8316

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5476

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2424

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6700

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7716

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:8216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:7172

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:376

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6524

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6044

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:6848

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5564

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:9340

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:5920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
2⤵
PID:8368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
2⤵
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "function Get-AntiVirusProduct {
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:8844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:7100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
2⤵
PID:328

C:\Windows\system32\netsh.exe
netsh wlan show profile
3⤵
PID:9264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
2⤵
PID:4916

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
3⤵
PID:5656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
2⤵
PID:4176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:9264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
2⤵
PID:7528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:9140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:7224

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7708

C:\Users\Admin\AppData\Local\Temp\update.exe
"C:\Users\Admin\AppData\Local\Temp\update.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4352 --field-trial-handle=1916,i,2460949232917325569,16714867123440851856,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:10932

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
5d574dc518025fad52b7886c1bff0e13

SHA1
68217a5f9e9a64ca8fed9eefa4171786a8f9f8f7

SHA256
755c4768f6e384030805284ab88689a325431667e9ab11d9aeaa55e9739742f2

SHA512
21de152e07d269b265dae58d46e8c68a3268b2f78d771d4fc44377a14e0c6e73aadae923dcfd34ce2ef53c2eaa53d4df8f281d9b8a627edee213946c9ef37d13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
069932ed13f9d3d52e892b7e0ee4d031

SHA1
0cb08603087c3949de3c3621ad33fe721ea7f26e

SHA256
a33c284ccb654a42ba5dde7aa38b1b7d682584c8afc0916c883215c6c4ed3c23

SHA512
1260bf69d140e87dd5575ed269ecf5c0a9fa2d292b82bec7946803a70e56ad2abfedddc34897d9c454221ad4360e468506864ec46a5050cd5da541cc30221092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
3577f9fb29db158a5b0f20dd6bffc26b

SHA1
553a3de36824c3a9b4ed2061ef732d60cd2905a4

SHA256
d0d2da828e740b403f42e23fc7777ac20c68d0bb8813b2070e7ec4cfb9cdfe1a

SHA512
a1653b3136894814e8cdc97313c3e4d33f9891e3d5ac92cd5759e281ef9bd5627b602edddab523272df08169378e786a879a29c567e8c88fddd24a04cb6e45a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
75ee7a35b9377a4fa71c5ae69284f092

SHA1
1e5f4358b74c804f70b3e618050d947115676d7b

SHA256
8409ea8d3412889778afd868e4e9ebf30d9ad0530f57f328d3d67c6e31bb1a69

SHA512
3b2224c258c3b0ac18de2590f866c62ae197c4e2d768a62a60f8f5a8739da09195f103a23032158d146a96e29f06100c9f0b802ef9fc1a959f772f5ac0c080c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
602580dcded947321d582c29a275d445

SHA1
63a81bed875b6bf027ee2c4d830440f2995db04d

SHA256
21b2f144e76437061e8a634c7e781898e96b62dc3da8c41c01caeabc78541196

SHA512
97ae2116d9b04225a688273efe66c3f3e16dae5340c34306efbe119fc3c124d6f100f220fd10203ade4a05a92b79210d3655d4331fde69b825d442a9bab6076b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ffc26eb0703174d6966bfd595399224b

SHA1
8a70228ca410a6e012b3cec39357ca61bf070278

SHA256
a51526405f04367d1762c5ffeb74c15634e1f1cfe81146c7135635776e66f6ca

SHA512
861033a1c5e4bed33244062e39f00f88f08bcb4f786d5d8827c5ce7a9640801d1c7366ea209d19dbd220eea7df9cedf0830838151b1e8125bdd8589327e0c407

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_191.zip
Filesize
2KB

MD5
7af4e0488359f27f1e77b55aed417759

SHA1
7fe9de8d02ff08db4d3b76c2211061a419b62ccd

SHA256
9ceca99136729c7e0fc32700ab4bc1cb20999a62723282a51b1f06941546bbde

SHA512
b9cd6dea251eecf58dc02eaab3d33eedb591f1fb2d4f912b7903fe2a5596974dab1566bda49e24bbcb0ccba0e15054a73315ef25c0b9166fc403b161c2c0531f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rjwfazpu.lk3.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fLJpVrEJZ5Kp_tezmp.ps1
Filesize
728B

MD5
62f809b90e81b919d46c08e3299c1cf2

SHA1
aa7cb90041d8366c6d04d693061e59a1f261b156

SHA256
246faa87c11c14b55c7eaf91e3f4c622b03b1eb8f746aa03401cd9d28546662e

SHA512
ab9edd57fdafe86d0d31f0eef77153f2c619e5660c7d93c26d1a44d50be7456fd0f7bd60af6fbc5d30fa432940b1d759586a15e48012c645eafc07be4bf9c06c

Download Submit
\Users\Admin\AppData\Local\Temp\1a524e06-dac6-4a0f-8d74-5d75a4fad7ba.tmp.node
Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
\Users\Admin\AppData\Local\Temp\9123993a-ecf8-42e4-9463-2426b6e0322c.tmp.node
Filesize
151KB

MD5
2ed0b4456880f58db652b89f3a0fd975

SHA1
e6a469d4a501e1fe12a479e11e061a01bb918bfe

SHA256
01167887e86a97e5655d381971bf882e82b464d09dea38d69d2652053e336cf0

SHA512
693694935051f8abf278067eb843c839f3c8469666caf1ac7e81636c3e18c7da346500c7e63cd3a3ad69de561ee65f4e7e20c6ce8396e2235a5310d92715247d

Download Submit
memory/7704-38-0x0000029C65B30000-0x0000029C65BA6000-memory.dmp

Filesize
472KB

Download
memory/7704-35-0x0000029C65980000-0x0000029C659A2000-memory.dmp

Filesize
136KB

Download