088a9f665d0fdc9b2bb050ecd1524b1539010bbe1d9935f72343bb2bc5f98975

Reason

Machine shutdown

General

Target

Launcher.exe
Size

164.9MB
MD5

69297f39ec0be1969de6409a310264d1
SHA1

7c0e7ead5bd451a95cd6062eb0fb4a5c053f7190
SHA256

22117115927d13aee3314c659efe6253692ec3555b2b3e602d512067d71e0b98
SHA512

2c6b82ee7d76d227b35e75aed7521a6d939a1f8abe8a031202ec2c56832a3c131a82b006e53be05e0937b461e3a0cdeff8f1f71f1e4e61fb01bc592cd0ee5b57
SSDEEP

1572864:Ftc2cEGwGrRSREICCr3ka8YrcSAfII01aLadS5sDNd+Ipx9cF3LfxNEK2Ho8jlgY:b+CHrJIgIsV

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

Processes:

Launcher.exe

pid process

2560 Launcher.exe
2560 Launcher.exe

pid	process
2560	Launcher.exe
2560	Launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
31	raw.githubusercontent.com
32	raw.githubusercontent.com
33	raw.githubusercontent.com
34	raw.githubusercontent.com
27	raw.githubusercontent.com
28	raw.githubusercontent.com
29	raw.githubusercontent.com
30	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ipinfo.io
25 ipinfo.io

flow	ioc
24	ipinfo.io
25	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Launcher.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Launcher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Launcher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Launcher.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

10948 WMIC.exe

pid	process
10948	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid	process
7308	tasklist.exe
8232	tasklist.exe
7888	tasklist.exe
7724	tasklist.exe
7684	tasklist.exe
7676	tasklist.exe
7632	tasklist.exe
7104	tasklist.exe
7404	tasklist.exe
8212	tasklist.exe
7896	tasklist.exe
8220	tasklist.exe
8140	tasklist.exe
8044	tasklist.exe
7844	tasklist.exe
7336	tasklist.exe
7472	tasklist.exe
7464	tasklist.exe
8264	tasklist.exe
7828	tasklist.exe
7512	tasklist.exe
8368	tasklist.exe
8016	tasklist.exe
7920	tasklist.exe
7480	tasklist.exe
7380	tasklist.exe
8240	tasklist.exe
7072	tasklist.exe
8256	tasklist.exe
7956	tasklist.exe
7708	tasklist.exe
7300	tasklist.exe
8576	tasklist.exe
7652	tasklist.exe
8032	tasklist.exe
7948	tasklist.exe
7880	tasklist.exe
7788	tasklist.exe
7528	tasklist.exe
8524	tasklist.exe
8464	tasklist.exe
8052	tasklist.exe
7612	tasklist.exe
7264	tasklist.exe
8160	tasklist.exe
7912	tasklist.exe
7292	tasklist.exe
8204	tasklist.exe
8168	tasklist.exe
8072	tasklist.exe
7536	tasklist.exe
7396	tasklist.exe
7388	tasklist.exe
7372	tasklist.exe
7964	tasklist.exe
5612	tasklist.exe
7504	tasklist.exe
7240	tasklist.exe
8124	tasklist.exe
8088	tasklist.exe
7692	tasklist.exe
8768	tasklist.exe
7804	tasklist.exe
8288	tasklist.exe

Kills process with taskkill 49 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
9304	taskkill.exe
6104	taskkill.exe
8816	taskkill.exe
9164	taskkill.exe
6012	taskkill.exe
5472	taskkill.exe
4608	taskkill.exe
1500	taskkill.exe
7080	taskkill.exe
8932	taskkill.exe
9720	taskkill.exe
8408	taskkill.exe
2860	taskkill.exe
8140	taskkill.exe
8720	taskkill.exe
8904	taskkill.exe
9456	taskkill.exe
4532	taskkill.exe
7892	taskkill.exe
7772	taskkill.exe
10016	taskkill.exe
11220	taskkill.exe
6008	taskkill.exe
6740	taskkill.exe
7304	taskkill.exe
8780	taskkill.exe
5752	taskkill.exe
9368	taskkill.exe
2964	taskkill.exe
8612	taskkill.exe
7496	taskkill.exe
4152	taskkill.exe
4436	taskkill.exe
7532	taskkill.exe
5092	taskkill.exe
6904	taskkill.exe
6200	taskkill.exe
4972	taskkill.exe
11208	taskkill.exe
6840	taskkill.exe
1700	taskkill.exe
8308	taskkill.exe
8004	taskkill.exe
9788	taskkill.exe
6628	taskkill.exe
4776	taskkill.exe
9588	taskkill.exe
9684	taskkill.exe
4172	taskkill.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Launcher.exe

pid process

2560 Launcher.exe
2560 Launcher.exe
2560 Launcher.exe
2560 Launcher.exe
2560 Launcher.exe
2560 Launcher.exe

pid	process
2560	Launcher.exe
2560	Launcher.exe
2560	Launcher.exe
2560	Launcher.exe
2560	Launcher.exe
2560	Launcher.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

tasklist.exeWMIC.exeLauncher.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	3632	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2792	WMIC.exe
Token: SeSecurityPrivilege	2792	WMIC.exe
Token: SeTakeOwnershipPrivilege	2792	WMIC.exe
Token: SeLoadDriverPrivilege	2792	WMIC.exe
Token: SeSystemProfilePrivilege	2792	WMIC.exe
Token: SeSystemtimePrivilege	2792	WMIC.exe
Token: SeProfSingleProcessPrivilege	2792	WMIC.exe
Token: SeIncBasePriorityPrivilege	2792	WMIC.exe
Token: SeCreatePagefilePrivilege	2792	WMIC.exe
Token: SeBackupPrivilege	2792	WMIC.exe
Token: SeRestorePrivilege	2792	WMIC.exe
Token: SeShutdownPrivilege	2792	WMIC.exe
Token: SeDebugPrivilege	2792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2792	WMIC.exe
Token: SeRemoteShutdownPrivilege	2792	WMIC.exe
Token: SeUndockPrivilege	2792	WMIC.exe
Token: SeManageVolumePrivilege	2792	WMIC.exe
Token: 33	2792	WMIC.exe
Token: 34	2792	WMIC.exe
Token: 35	2792	WMIC.exe
Token: 36	2792	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2792	WMIC.exe
Token: SeSecurityPrivilege	2792	WMIC.exe
Token: SeTakeOwnershipPrivilege	2792	WMIC.exe
Token: SeLoadDriverPrivilege	2792	WMIC.exe
Token: SeSystemProfilePrivilege	2792	WMIC.exe
Token: SeSystemtimePrivilege	2792	WMIC.exe
Token: SeProfSingleProcessPrivilege	2792	WMIC.exe
Token: SeIncBasePriorityPrivilege	2792	WMIC.exe
Token: SeCreatePagefilePrivilege	2792	WMIC.exe
Token: SeBackupPrivilege	2792	WMIC.exe
Token: SeRestorePrivilege	2792	WMIC.exe
Token: SeShutdownPrivilege	2792	WMIC.exe
Token: SeDebugPrivilege	2792	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2792	WMIC.exe
Token: SeRemoteShutdownPrivilege	2792	WMIC.exe
Token: SeUndockPrivilege	2792	WMIC.exe
Token: SeManageVolumePrivilege	2792	WMIC.exe
Token: 33	2792	WMIC.exe
Token: 34	2792	WMIC.exe
Token: 35	2792	WMIC.exe
Token: 36	2792	WMIC.exe
Token: SeShutdownPrivilege	2560	Launcher.exe
Token: SeCreatePagefilePrivilege	2560	Launcher.exe
Token: SeDebugPrivilege	7104	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.execmd.execmd.exe

description	pid	process	target process
PID 2560 wrote to memory of 4600	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4600	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 4600 wrote to memory of 3632	4600	cmd.exe	tasklist.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 4600 wrote to memory of 3632	4600	cmd.exe	tasklist.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 780	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 4584	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 4584	2560	Launcher.exe	Launcher.exe
PID 2560 wrote to memory of 1612	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 1612	2560	Launcher.exe	cmd.exe
PID 1612 wrote to memory of 2792	1612	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 2792	1612	cmd.exe	WMIC.exe
PID 2560 wrote to memory of 1380	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 1380	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4528	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4528	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 3304	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 3304	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4736	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4736	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4468	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4468	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4928	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4928	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 1668	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 1668	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2020	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2020	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2696	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2696	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2192	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2192	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2404	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 2404	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4072	2560	Launcher.exe	cmd.exe
PID 2560 wrote to memory of 4072	2560	Launcher.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1732 --field-trial-handle=1736,i,6175878047330355632,6762845836481979627,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
PID:780

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\theonlyscript" --mojo-platform-channel-handle=1876 --field-trial-handle=1736,i,6175878047330355632,6762845836481979627,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2560 get ExecutablePath"
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2560 get ExecutablePath
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1380

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4528

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3304

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4736

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4468

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4928

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1668

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2020

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2696

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2192

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2404

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4072

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2128

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1904

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:752

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3856

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4832

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:708

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4264

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1264

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5072

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:832

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3380

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1912

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1436

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2284

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3184

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3244

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3840

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1312

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4240

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3040

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3492

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4900

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:672

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2252

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3892

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2440

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4912

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4624

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2580

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:932

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2736

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4784

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1772

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2408

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1440

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3884

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4364

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2848

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2592

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:436

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4084

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2364

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2672

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1488

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3560

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4404

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2660

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1492

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4192

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2828

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5060

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2324

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1828

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3732

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2524

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3232

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:884

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2900

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:696

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4840

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4252

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2860

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3160

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4436

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3276

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2068

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4320

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3384

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1700

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2796

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4260

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4796

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:6648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:4384

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:3968

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1660

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:532

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2544

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:7308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:2856

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:8464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1856

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:8600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:5124

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "net session"
2⤵
PID:5132

C:\Windows\system32\net.exe
net session
3⤵
PID:7864

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:8788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
2⤵
PID:5140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
2⤵
PID:5160

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:7928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
PID:5180

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
PID:7700

C:\Windows\system32\more.com
more +1
3⤵
PID:7940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
PID:10812

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:10852

C:\Windows\system32\more.com
more +1
3⤵
PID:10860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
PID:10908

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:10948

C:\Windows\system32\more.com
more +1
3⤵
PID:10956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
2⤵
PID:11004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
3⤵
PID:11044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
2⤵
PID:11192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
3⤵
PID:11232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:1640

C:\Windows\system32\tasklist.exe
tasklist
3⤵
- Enumerates processes with tasklist
PID:5612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=2560 get ExecutablePath"
2⤵
PID:10848

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=2560 get ExecutablePath
3⤵
PID:10828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:10972

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:10936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
2⤵
PID:11100

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
3⤵
PID:11048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tasklist"
2⤵
PID:11092

C:\Windows\system32\tasklist.exe
tasklist
3⤵
PID:11096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
2⤵
PID:11188

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
3⤵
PID:9916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
2⤵
PID:5844

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
3⤵
PID:11236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
2⤵
PID:9288

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
3⤵
PID:11240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
2⤵
PID:11224

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
3⤵
PID:10560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
2⤵
PID:10336

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
3⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
2⤵
PID:8664

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
3⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
2⤵
PID:8656

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
3⤵
PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
2⤵
PID:4636

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
3⤵
PID:7600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
2⤵
PID:5904

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
3⤵
PID:5996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
2⤵
PID:6712

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
3⤵
PID:8908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
2⤵
PID:8332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
3⤵
PID:10988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)""
2⤵
PID:10968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 110.0 (x64 en-US)"
3⤵
PID:10836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
2⤵
PID:4620

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
3⤵
PID:10908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
2⤵
PID:11064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
3⤵
PID:9080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
2⤵
PID:7112

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
3⤵
PID:6660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
2⤵
PID:6204

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
3⤵
PID:6188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
2⤵
PID:11128

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
3⤵
PID:11204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2692

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10160

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8664

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10200

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10192

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:368

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9996

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9612

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:11208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:7356

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9344

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4508

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5036

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:5752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9420

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:11220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4260

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5604

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6796

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8756

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5420

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5756

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5408

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5664

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8820

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:7592

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:1640

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4024

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8824

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:1368

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6792

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2020

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:3800

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6440

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10820

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10832

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10960

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10848

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10940

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10924

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:7480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9080

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:5472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:11064

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6064

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:11024

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9104

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:10016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5388

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:9788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5860

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:7080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:4320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:5852

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:10124

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:8408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:9108

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:6204

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:4436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:11036

C:\Windows\system32\taskkill.exe
taskkill /F /IM cmd.exe
3⤵
- Kills process with taskkill
PID:6008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM cmd.exe"
2⤵
PID:8160

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Process Discovery

1

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\15d4233b-43d8-4088-9a79-74aee9825887.tmp.node
Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1pbs3owi.kzw.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8c7aca1-02c6-4ca4-8928-de815bb9fb70.tmp.node
Filesize
151KB

MD5
bec0df3a37e6681b7eb29bd15904147a

SHA1
82a0869313ad7dcd86de3b5fa0e516d160c17013

SHA256
3d185f516d23d8c98a17e304b00b405b74dd7f3f6fb7d750bb7471deb1a9689f

SHA512
ae0639566f24e65a6a381862e020e39a32bec408b88eba60d3b01400c49535f09c6c67f424af406db78af2f197d79c3e262050ff5e17910c1ac1453561fffcd1

Download Submit
memory/11044-24-0x000002791D220000-0x000002791D242000-memory.dmp

Filesize
136KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads